Malware Analysis Report

2025-03-15 04:27

Sample ID: 241025-1q6arssrew
Target: 84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N
SHA256: 84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6
Tags: discovery evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6

Threat Level: Known bad

The file 84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

UAC bypass

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-25 21:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-25 21:52
Reported: 2024-10-25 21:54
Platform: win7-20240903-en
Max time kernel: 41s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\XYIwYgEY\\aIUIwwoQ.exe," C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\XYIwYgEY\\aIUIwwoQ.exe," C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
N/A N/A C:\Users\Admin\swMIQIQg\rWosMcgA.exe N/A
N/A N/A C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe N/A
N/A N/A C:\ProgramData\dakIcggU\sGgwYMgs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIUIwwoQ.exe = "C:\\ProgramData\\XYIwYgEY\\aIUIwwoQ.exe" C:\ProgramData\dakIcggU\sGgwYMgs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\rWosMcgA.exe = "C:\\Users\\Admin\\swMIQIQg\\rWosMcgA.exe" C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIUIwwoQ.exe = "C:\\ProgramData\\XYIwYgEY\\aIUIwwoQ.exe" C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\rWosMcgA.exe = "C:\\Users\\Admin\\swMIQIQg\\rWosMcgA.exe" C:\Users\Admin\swMIQIQg\rWosMcgA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIUIwwoQ.exe = "C:\\ProgramData\\XYIwYgEY\\aIUIwwoQ.exe" C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\swMIQIQg C:\ProgramData\dakIcggU\sGgwYMgs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\swMIQIQg\rWosMcgA C:\ProgramData\dakIcggU\sGgwYMgs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dakIcggU\sGgwYMgs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\swMIQIQg\rWosMcgA.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2172 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\swMIQIQg\rWosMcgA.exe
PID 2172 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe
PID 2856 wrote to memory of 2924 N/A C:\Users\Admin\swMIQIQg\rWosMcgA.exe C:\Users\Admin\swMIQIQg\rWosMcgA.exe
PID 2696 wrote to memory of 2624 N/A C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe
PID 2028 wrote to memory of 2656 N/A C:\ProgramData\dakIcggU\sGgwYMgs.exe C:\ProgramData\dakIcggU\sGgwYMgs.exe
PID 2172 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2224 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2224 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2224 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 1572 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 1572 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 1572 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 1572 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 1572 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

"C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Users\Admin\swMIQIQg\rWosMcgA.exe

"C:\Users\Admin\swMIQIQg\rWosMcgA.exe"

C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe

"C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe"

C:\Users\Admin\swMIQIQg\rWosMcgA.exe

WLQI

C:\ProgramData\dakIcggU\sGgwYMgs.exe

C:\ProgramData\dakIcggU\sGgwYMgs.exe

C:\ProgramData\XYIwYgEY\aIUIwwoQ.exe

PFAA

C:\ProgramData\dakIcggU\sGgwYMgs.exe

XWYZ

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-908145496-9592224773925706381306587756-1400438408-502055748-1135006586197040"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "52202231-838926768-8083544171496921526-1502340111524388551451285804381655747"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-893114620-6195818921022975652-1847455534-1247669471725679905-2121562318712700651"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10999434051921087197-2961300061682114384652310374701882104-595479334-209256316"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1739241674-3314512401678029456-1350924534-1905034678-1070437908-1003053231-580914083"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-908938755-644339696-257306661650868344168433792313006095085256851231792366360"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1250601683-1141499452053755200-19680725911325893557969534199-13044370891968268592"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1197111520331438923804795613-1198797084240574792199371600717153277051684862450"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-229798111753486572124357859160950544014282096441943714414431390601-1627739883"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2530675101386304112-3642870211448007291621638235-466013776-761837946-867474753"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "764681326124091108-827928944-1340859319-935052951-6322041551569139825-186206820"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 api.bitcoincharts.com udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp

Files


MD5 3971192aaba0a269a4d79c1ca8f7794a
SHA1 4a7273616f52bb0b53a3a9d3f1845e93a4c2332b
SHA256 b7f1cd9cd5adaa17225b42ea37dd47391dd5c48f8ebf2fdb2fd57ee469e05cde
SHA512 7d71a24b7e9c6e6da1973f8299ddab80f0b5c3915b3d25ef7cabbf4444507e244817531582c6c11441a70ece7aff958a25a20959bafeb521a966556c41303638

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\SQgW.exe

MD5 e74b6f63e210285c1b6ca87ac4482142
SHA1 272fe8a7dbc7960672042289e9f46d3bb35bf169
SHA256 dd7774fffca221990738aea16e122c6bb2ab742567aa9d14fcab23d63d25a881
SHA512 4536e192ec6b42ca1af1cc54f6006803ab3d37cd41573d33eb3a7f892e7d604b0fb1fbaa5018cc189884ba2d8d6deda6eb17fea963c2b15cc1e3a178b370d680

C:\Users\Admin\AppData\Local\Temp\CkYG.exe

MD5 f0f5d06cc8c6216c71257a25fbb80a0f
SHA1 d3ce93707acde48384f3735efdc6f9e5d60accd1
SHA256 6d9325fac5501cf1e9b698166c0e793da13842f1f1392b6662a56322d51292de
SHA512 13d544ea0801d8880e5acb521657dba37f0374c672c99c31731cc3af6dbf6e66f8c4c34f2306cb901f3eac8c0967e12f01e2ef29de21d5910e4839bbce3a4dce

C:\Users\Admin\AppData\Local\Temp\YcAk.exe

MD5 3143604204c26920da862b477c943ac6
SHA1 4c7bb99e51c60380afa347498019ab398ab3e7bb
SHA256 30da08e36b25be5f9f3d7221902dfbc54e9c0b4b4e1dd92dbd370a2c9ccbf6eb
SHA512 3133d040c62b54ba8bce708493831ce486ca6c519cc0a6016edf5fca244b7056f17728b19027cd2ef7f98a5cd474ca973b3927e8a739cbb0d177fe37f63edf9a

C:\Users\Admin\AppData\Local\Temp\SIIq.exe

MD5 f9b43bc0effc214fd85c06ec0844e2d7
SHA1 3f7e790b0e7ba430ff689dacec007f15d850810e
SHA256 76197b80e7cc47f14f8da54cda368499c7f31fbd087527427c5135cc98e1845a
SHA512 de66d856b044ede59b00040b9f25c30adfd1ce56525bdf44a5c062994bfea502a512c88ed956c70c3340a642ce652735ff04ca82f0b68928ca8de643f4c45fc2

C:\Users\Admin\AppData\Local\Temp\qsYs.exe

MD5 9441c0dea498e43bafe6260ca9c28580
SHA1 dce802449321ae859358e27ceb3d1ba4efef5f58
SHA256 c26ffae00aa333b6384c7d995bf1eca2b19a3e43c3bb645f6541fab7244b1436
SHA512 fcce861b422f08690d262c86030e4b6b430bc432b385b0b59bc12c82cfaddb8dcfbca7289b18b81298bf217c5f1bd78eb8c8522d8ee147c3ca2b8e8e4499de41

C:\Users\Admin\AppData\Local\Temp\yAAE.exe

MD5 7fa3d5c1dccf13d1c2bf1a82bcb9be2f
SHA1 632d166c731ab09fa9ae045d28401de3d7bd021a
SHA256 2bcd1589367b4a7a281d9483ec2a877ff65f722fdbacf10d9b9aa027902fe738
SHA512 bcd2e8b53dbd73a4302bbee608dc6b791cbbbf4c0d72864d22114f6e31830192f25e3fe5b7c3a4d6e5f2b1370b84249a77b7162813a3d302b0e78ec9e54578f2

C:\Users\Admin\AppData\Local\Temp\EkAu.exe

MD5 820ca775889ddc8dcce23d55dec4ce81
SHA1 22ff21e374aee519451e9f75460902060b7cbbd4
SHA256 154360cb3c81bac62beb322a7738aaa3ca4c9ec298167ebc50510d965985e556
SHA512 aaadc2245b6a6aa70bca5c5a23c377ae32d4961031c356cb11d3286989d98e848ae8bbfd624bed104032253f32e0913712def975d03f32ea59deda72095026f6

C:\Users\Admin\AppData\Local\Temp\AEoM.exe

MD5 da5cf78b2e616cdc38b105b8207fd780
SHA1 c775d14dd998cfb0dee7ae1dbf1052c6f5983ca4
SHA256 5dbaf5002b457140f8410147f8314a3f34fd8f910f0a28be66f8889355e2051f
SHA512 cd56383301a47703e5f9879ffed6415d3309f92c7ba8fe7de0fce2112b453382ecc362f256686bbe2e8fe79426c3a33da4186317297da7cf9eeaf366e6d8194b

C:\Users\Admin\AppData\Local\Temp\uEAg.exe

MD5 52806a222e9414da12cbda484aeb1c30
SHA1 38ab1971f986dbe01d88bafae16ba00c15f53694
SHA256 5553d6127ace021b44d39ee3208794858a78c1c63a7d3f999ccaa25dcbd93c4a
SHA512 037f679ee560cd456b066b81b967d249ca993a020091f6aa5b6cb1aa461c611536e142ae0db6bcb12d4df2b8321d4085f14136a12e724fbdab29b434e1a04044

C:\Users\Admin\AppData\Local\Temp\KIgI.exe

MD5 2b216e683724009a7f444ab4914f82de
SHA1 c035b0b45ca87d0d6b368ee735535254202c0b04
SHA256 2ccb6ca7f0090ce0b781f13edf9312a76b588df5277f5c0284d6e87ac4aa2893
SHA512 08e5c22c2ddcca1c0ae40d609ca93891372c4d04da1c094ebe7229992808e8f934286fd74e674768073302e87a17aadb2917aa84c452ba4275876025a46ac54e

C:\Users\Admin\AppData\Local\Temp\kccm.exe

MD5 9b0167bd40899df660127564f771e035
SHA1 75e4543ce7a3f9ba85ffde4ca040afee1527d570
SHA256 8ba79a597c8572f191bd10426eaa56019754ab135e91d0f9214ce3093f442454
SHA512 474392f97d224ce6a5869294d3b83da24bbb737293606c830be1a0884efaf1dd86fd549010c0223e3e54e29e11db3e026b1987987647e1fecb8693692bc0b0de

C:\Users\Admin\AppData\Local\Temp\QQQK.exe

MD5 866f0bcf1e4b672ae0bb7503ef5114e1
SHA1 617fbc8031411f02b5420250382643dbff24413c
SHA256 9eba0875219b9b1643071a96722b00b48af10b574ad97ab77ee8b95a52e55a69
SHA512 fd56ad36298cb0d6de60a0330cd6ee02fb14087a95c3a273176c4af7364fc4af17682e08a4d1ab1c70370d083511a8c369e8b6d126b2e02b359b0e85d27f74cf

C:\Users\Admin\AppData\Local\Temp\yccQ.exe

MD5 328ed484dc52d56fe0c96f2e23b7b03e
SHA1 145a6bbb9312e195ec86896c5c35c12e85de22e8
SHA256 02a1977c343c95a69e54b7bfbf2eecc1bffefda65c56a49f4617eecd5abc7919
SHA512 637058c0cccb84f0b3ec840a7677999887b9dadf85ed554f41db052304c6676be5afee21c6aee3681e4abc7df00d07dec0a82a36ce936a4f98a56aa088697b03

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\Users\Admin\AppData\Local\Temp\IEkm.exe

MD5 7720ca767b3601cf4da3451c9167d52c
SHA1 bde4ad3f566d7da7826030dc627a6cba9c8340cd
SHA256 1f9c751f10d1c6916e8cf2ce9a2f960f2443bf98f5bbed5239faa4e5df5394d5
SHA512 8ec5dcad527f5f8d0c20b65482caaf96a84f07e9118bd78abcc4dec74a673bd3605687c308ac7a414286bc39e26b79e1854a1bfff2082ace2a53b9f35ce37be5

C:\Users\Admin\AppData\Local\Temp\AKgY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

memory/2696-978-0x0000000000230000-0x00000000002E5000-memory.dmp

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\Users\Admin\AppData\Local\Temp\KMYo.exe

MD5 851cecb01a0bea51cdcd5f6c9196765c
SHA1 d51b86ad59ec4db2bb8e2a6d090f1eed56fdebe1
SHA256 e022210a7c48ea3bd19cc8c30f19f5f115539f29f5ba3617e6efdcd48cd9ff24
SHA512 d12b2ebd1cb8b51bbc7349d99ad994b17a786d947f21b7fb2b826806044c8a721174f1bbc4b59faf3c253383b5a365c7b4bca778b55ad455ac9f6d1fbdcb6b1d

C:\Users\Admin\AppData\Local\Temp\pqswsUwE.bat

MD5 8f9a5a07bb68f79861ca4ca798a4860d
SHA1 f73dd4d367e1636131247c65d5ab19afc3818c7c
SHA256 a75a15f319b8b896b68016d27c352482a166ed5f316957374da8fd5f4bb8be29
SHA512 f931d590ec5918718e35896a36ea064ba005cf060ab73c9170293bc315a50c7ef2f334537916f99626f7bbe237674974f8719590eddfe8e0dd52405f8045aae6

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

MD5 bdf926b971c6dacb62c5c764b548f850
SHA1 daf9c28f324a1b0d9886021ad63d84b468cbac20
SHA256 8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda
SHA512 cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

memory/2028-990-0x0000000000910000-0x00000000009C5000-memory.dmp

memory/2316-989-0x0000000002300000-0x00000000023B9000-memory.dmp

memory/2316-988-0x0000000002300000-0x00000000023B9000-memory.dmp

memory/2916-992-0x0000000000230000-0x00000000002E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rAAkwkwc.bat

MD5 b86fdc5802aab635a5ff994c0cbcc73d
SHA1 6324cc001bdb705c4cb2b06e6b414c13227c1b80
SHA256 3d9f5a3bfc3e57637b77154cf8ab3aed64e4730d99b5ed56d9062f3a53651690
SHA512 62364a989bb6cb7651593ac20f3c2a123b1826e85b41f5fe1db44a3b360322ecb1cd8069aa90f326bfd2b551a6b141a00881ef27efa8d53f6cdf54ce67cbd728

memory/2868-1008-0x00000000003A0000-0x0000000000459000-memory.dmp

memory/1572-1007-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/1572-1009-0x0000000000230000-0x00000000002E9000-memory.dmp

memory/2224-1006-0x0000000000460000-0x0000000000519000-memory.dmp

memory/2224-1005-0x0000000000460000-0x0000000000519000-memory.dmp

memory/1576-1010-0x0000000000250000-0x0000000000309000-memory.dmp

memory/2916-1014-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/2316-1013-0x0000000002300000-0x00000000023B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DUcsMUEU.bat

MD5 ae78e95e241b15ef49b2b023f04721a5
SHA1 4b458313e5251f02528921092c2def88f394ea89
SHA256 f307778fbfb7f3214a6bdf25cf3f7f77c5d51a84d8d6c9d23618144ad14dd265
SHA512 ee2540eb2869a2b2f0f0d72bcef08877015e94225097d5fc0548aca03447d2076082b425237ab7d3acb55895d6dd42af496221da322cd1515ca120ec0379bfce

memory/2916-1026-0x0000000000230000-0x00000000002E9000-memory.dmp

memory/3040-1025-0x0000000000360000-0x0000000000419000-memory.dmp

memory/3040-1024-0x0000000000360000-0x0000000000419000-memory.dmp

memory/2584-1028-0x00000000002D0000-0x0000000000389000-memory.dmp

memory/2868-1032-0x00000000003A0000-0x0000000000459000-memory.dmp

memory/2868-1031-0x00000000003A0000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ngQkcEIY.bat

MD5 6cccdfbdee279e8cc940de6a82bd342c
SHA1 c14808cdb40de0f17fe117f96e50f15178b534f3
SHA256 86302c072449be53eebbbedf23e3ac178b480c40e21f9637c4ed0dc7adbdd44e
SHA512 56f5e98ef325719ee9a1f6b660114880b85371a8fb12a95777c5e937526d54a9ae404be16543a484102a00691e0eff44cce8f095d20ebc489c2ac219ce0bb7c3

memory/2960-1044-0x0000000000500000-0x00000000005B9000-memory.dmp

memory/1576-1042-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/1004-1046-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/1576-1045-0x0000000000250000-0x0000000000309000-memory.dmp

memory/1004-1047-0x00000000004C0000-0x0000000000579000-memory.dmp

memory/2464-1048-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/2584-1053-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/3040-1052-0x0000000000360000-0x0000000000419000-memory.dmp

memory/3040-1051-0x0000000000360000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dwYUwwkI.bat

MD5 dfc2ab4adf8e12096a56b8b804cdc51b
SHA1 1d3ca7e047847f2940b4e25904e8d791351b7a82
SHA256 ac1e4bcf370710ae0dc6ffa958f79f7c472072d0b16c0d5f406bdcbd10ca3478
SHA512 300b88d649768104b40bea30904d1a416daa74858bf5cdd7043b1125495c7cb78ba4428b4b3f95bda52e8664813e42fbd87a9b31063fcf729a6cc0402e5197d0

memory/2584-1066-0x00000000002D0000-0x0000000000389000-memory.dmp

memory/1280-1065-0x00000000005B0000-0x0000000000669000-memory.dmp

memory/1280-1064-0x00000000005B0000-0x0000000000669000-memory.dmp

memory/2960-1068-0x0000000000500000-0x00000000005B9000-memory.dmp

memory/1968-1067-0x0000000000720000-0x00000000007D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZqkIgoUs.bat

MD5 7b5e041926acfeb3ad13b436a1adcb7d
SHA1 ea280376767b305bb66075801e02567dc0831d17
SHA256 d8c79cf7f30d9e136e3b6265d49c6f4f85dcc5015c12dcd88382b6a69b86016d
SHA512 14435e67cae6003d782c3331efafa9fd6e638500b4644da0db4667a2fb8e74ba0e58091dd9c73aabf7fc5ccde110c5ff5c2f4539c678f731f681fe1a483e6c9f

memory/1004-1083-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/2756-1082-0x0000000002400000-0x00000000024B9000-memory.dmp

memory/2756-1081-0x0000000002400000-0x00000000024B9000-memory.dmp

memory/2960-1080-0x0000000000500000-0x00000000005B9000-memory.dmp

memory/1004-1085-0x00000000004C0000-0x0000000000579000-memory.dmp

memory/1876-1089-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/2604-1088-0x00000000002B0000-0x0000000000369000-memory.dmp

memory/1968-1094-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/1280-1093-0x00000000005B0000-0x0000000000669000-memory.dmp

memory/1280-1092-0x00000000005B0000-0x0000000000669000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lWAgMocY.bat

MD5 95a77383f975fb0d02412b5d85f2b79a
SHA1 7f4eb1258164513d5e88f66403fde31c401b7ab8
SHA256 e0d438400c03b81e272e2d67508d6a32df5923c9ad0a5d90ff8624881dafa131
SHA512 d53ff1d0ea7cbcdc6f582e7cca073110951902ec39c4c0e4d0730c469cb962199969712ee5729db507b5f56a169f4f3e3b0b66d2c4d187c74fb3be70cba1215b

memory/1968-1106-0x0000000000720000-0x00000000007D9000-memory.dmp

memory/1132-1105-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/2180-1104-0x0000000000450000-0x0000000000509000-memory.dmp

memory/1132-1108-0x0000000001CC0000-0x0000000001D79000-memory.dmp

memory/2756-1111-0x0000000002400000-0x00000000024B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qSwsUQsY.bat

MD5 f0e2603699c3d7699b236be51d889597
SHA1 deae95f1d81ce8329b75ef018d63f17226048c6d
SHA256 4a30a307e440149580a981b2ffd62f41331f1e4aefe594dca28bb3fe0b0a2a67
SHA512 d4dbd8e4ed69a4b5ab458345071bd9d85e40dfd5f7292317553a04955e19dbfaf3fc3102d1ae44e9e1181f3c7c25d198a1773b3b7c37fcf51c5ffd9d43da3a6d

memory/2604-1123-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/1316-1122-0x00000000001F0000-0x00000000002A9000-memory.dmp

memory/1316-1121-0x00000000001F0000-0x00000000002A9000-memory.dmp

memory/2472-1127-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/2712-1126-0x00000000002A0000-0x0000000000359000-memory.dmp

memory/2604-1125-0x00000000002B0000-0x0000000000369000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gIgksYUY.bat

MD5 8ba24c392a213c55bb5dd0e52d4c5102
SHA1 c31fcea10e91398c8c04564d9e1389444d90d047
SHA256 1fb90f16807cede6fccffdf4e30b8f4cc1d5b3d236972dc19703a72be7ef4bb8
SHA512 f04b40c76a3b2fc623c34588f186f310160203504990bdaa2b814a7062ad498069243145ad862f9f01a27d5906a0bc087d8d0ff9f230f699b49873822598d7e7

memory/1132-1140-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/820-1142-0x0000000000120000-0x00000000001D9000-memory.dmp

memory/820-1141-0x0000000000120000-0x00000000001D9000-memory.dmp

memory/2180-1139-0x0000000000450000-0x0000000000509000-memory.dmp

memory/1132-1143-0x0000000001CC0000-0x0000000001D79000-memory.dmp

memory/2724-1145-0x0000000000530000-0x00000000005E9000-memory.dmp

memory/2712-1150-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/1316-1149-0x00000000001F0000-0x00000000002A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hKkYsIwc.bat

MD5 7a12856ca6fff666a450e446c39c598d
SHA1 b3b077cc37db1ada8628b0fa24554e9255d16808
SHA256 74c9c38b223ab7a17c5253e187f097c1b7e7a77be478dad8244d4967a173d73e
SHA512 d763448c37b14db87e052a9947022175352f05bef487bbbcd80f93919165dcb8d178757628e15f0ad132edd47f40829a94d44666856b503ee4caebc4a52ee945

memory/2712-1162-0x00000000002A0000-0x0000000000359000-memory.dmp

memory/2564-1161-0x0000000002410000-0x00000000024C9000-memory.dmp

memory/2564-1160-0x0000000002410000-0x00000000024C9000-memory.dmp

memory/1960-1164-0x00000000002D0000-0x0000000000389000-memory.dmp

memory/820-1167-0x0000000000120000-0x00000000001D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nKwoIEgI.bat

MD5 6b315bda449ba7f625755e3d12a78498
SHA1 49cdbb782e71d4575861b53f90b49493fd539d1b
SHA256 a4604826e11c34e47bc7639f1061bf54a14f3c560358b7a156effc1ef21815bf
SHA512 13664e4d17c04a579ae8b4e07ba3482d658e3c6459aa92a7455cfe7e919b663481b2941aadecfbd1d4ed92d39e10800126c6483a6094276314dc8d792c3ad532

memory/408-1178-0x0000000000260000-0x0000000000319000-memory.dmp

memory/820-1177-0x0000000000120000-0x00000000001D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DwogAgUs.bat

MD5 57ac28ad984656b49c1130b6a4522be9
SHA1 4d68a00ef6f0522928baf29bc708d4feb52f6c44
SHA256 6c30ae7021c94ed93305b2ec5816b98f62fb8e5ecdfc48762b82a2d2c012a7a9
SHA512 0e3b5d0393d01a98d5c4e00d581d2d01fa60558b4d015da7461a4ee379dd4ce3fcc2e37f8fdb468029746e463d256b09eca790580b155f0d22e4090279dfc266

C:\Users\Admin\AppData\Local\Temp\GkQIEIoQ.bat

MD5 2465f60a9cd5e20be49c0e7220ca7d20
SHA1 e9ab8f7559673a77629f00686dfd2b29af969851
SHA256 e91dc7e4eae523c44b2f7ea29e3e42e7b64db2800cc4d08dea582d94bd5bfc9b
SHA512 92b10ea630da7e27e6b8adb5061424504a712ad57a54e5fd6b1991f13ff65807bf6bbeac74b16d92b736140e5c148470ed6e55ece608b46c5b51a9f75cf37a10

C:\Users\Admin\AppData\Local\Temp\mmwMEAcM.bat

MD5 4dac0e1bb5da3fde3aa2069e137fdf3c
SHA1 cb275c0b2b8c554797e914408e18bd026858276d
SHA256 6a6db9f950fcc8f485f60038cb0896b747a905c599446c047fb16d9b8594bee9
SHA512 80a719e3c6bdc541bd2ce9ecb65f5a5ba9a1247ae697bf9ad0c17d41fa1e11182561f5f851b5950898a3f716b8008d4eb05354eee9a6e0c61d6e5775eb384fb0

C:\Users\Admin\AppData\Local\Temp\PgsswssA.bat

MD5 f5eceaeab5773d2f467ca53a1f0573fc
SHA1 1b3befd0e1407c82d4fc4e2f5f587d5ad7748fa3
SHA256 3f7ff82c23e75329f066524b3fcf3f51094445bcc42dc1a4cfd70038b8c5ab1e
SHA512 86162285105dcd940a8a5720e8b4e12d332a89b4ac73dee802334d8d6040af1237da487dfb1db3f9af885f834d11b328255b73ab916015e9f268860eb48e75de

C:\Users\Admin\AppData\Local\Temp\bCMAUUsw.bat

MD5 8a1a3bbf26fee8718736193fb5f2c748
SHA1 88fff55b67366ba11c93e5bb87b592f428a33068
SHA256 cd265b00f1a23559c75eb0d8235a28c48d2d3ce56e57371bbcdc044728677204
SHA512 482fdbb240126259bcdc3bc2f8f5dbf5739f03dea8c7ea6cebf96dd99a877a74b6e1abf6072f55e391ad3fc18552a1c011fe122cd94325c4eb5ba62b7d1ca3c5

C:\Users\Admin\AppData\Local\Temp\hKAMYccY.bat

MD5 57c690df1f4e31a8a01da326e2f93d73
SHA1 f61fa5a7b9ec3b3e92e25482146dbe0655d3cf46
SHA256 4435a3ac88e64871e9e6dbb7824107b3f9a9617db54463cc7aa5166f4a763b9e
SHA512 018d72f60add411f6afd8fc2306a6797041d96427919ab1459337a3f201b4cb59a9c696ff6cf488af5a58bf57834731ed50a73b70eae831000c7a0fe8c8518ec

C:\Users\Admin\AppData\Local\Temp\AiIoMkgw.bat

MD5 5d8abdf54ea083022cbda3160376df61
SHA1 ca4ce7e00510abc55177daec5f80b68622ddc16c
SHA256 f845ec1d71f9715513357fe5f3313ace2a9634cc6fe398a2885358cbd3fe5e48
SHA512 6267ef00a129828290b9cfc1b9c349c9f4d09743a48d9f0e763151337cfb1ed31ac07c37dc3f63277f4c481d2822adbc4b54d0d6c76454693696f022271b16ea

C:\Users\Admin\AppData\Local\Temp\OCEkcgIU.bat

MD5 e76cae0de1e59f9676179e8ab75dcbb8
SHA1 a229ea391e5ec0dce077552221e3f1153b61261a
SHA256 5c62ece72d0dd3816b8a74602a289ae6d737295082df635ce738d848a9a5ed81
SHA512 00f572b6caa8a0fdfb677bd3e98735c7bdc9d59331efcfb5c4da3afa7e8a1a6ce5cbc9f6f6f149031b9f6a82b93945d7e73e1776425fd62e7db3208cef077850

C:\Users\Admin\AppData\Local\Temp\XiEEEAgY.bat

MD5 705f9956dc69110b3bae6e3b51507538
SHA1 7de68f7da0ae213ed4e7c4c463889e9ea9bf7970
SHA256 8e8a9a8004aca44d43a9dc489d64441cbfa7962cf3ad1cb2727d3c682b4aea0c
SHA512 79e9e369048bb3b02d8887775aa46e37eb29e202adfc415d4a6c54c8c9392ee5a19bcd1edfc0e44995c6ea4ae0c53ef139c894cb2887d6f26aab233abda6fa07

C:\Users\Admin\AppData\Local\Temp\bowsEwgQ.bat

MD5 e949ecf5e8587c27bcb9f7ad6f17724a
SHA1 ff5ac0b6df7b059b8e5ab877efe8b9abb0e275aa
SHA256 e8a796ff21e2011dbac34e4e31989fa2c789bc0e0e0b0428bba36c5c3931033c
SHA512 b45f6fb4cf93e302297cf628a03728a58617582e0159f20b7c160a3ce085d005c69b113b2743d7be4d2e0218804b86ef90965200524bcfc6c6a394b2a1f7e8bc

C:\Users\Admin\AppData\Local\Temp\ZykwgAYk.bat

MD5 e668fdebebda4256b5d1097f910efc38
SHA1 e757d31fac40c54bcda82680606dc908672388dd
SHA256 61a2237b061d10b99fc5f3e91d89f9360a850affb73de23c96dc09c0ffd5c695
SHA512 1f3c89ec1a246d4972c9f81b8dbc6b729cce0e991bf90d59b64d37b99cd98d2122265d9ddd3e3cdf31b413796ea9e0e3f68c7c1c78b39e6e26effb28d2b9fb93

C:\Users\Admin\AppData\Local\Temp\fAkEQMQk.bat

MD5 10370cd632bc333312655ee409147bc7
SHA1 24c44d1a09bd9579ef0f66b4e9259c6d8983806e
SHA256 0e36cc419da0fec08889939559e5d106182ad971dc1f70ace1bab092430db58b
SHA512 a631f4e4c53a368946c2b1d4b7c8640624fdd5d1cb70a5b6623091e8b49e2669f1bc9c91181cbdde6e8fee8568d9a60ca05fd3daf52c65b29d333b2be22628ae

C:\Users\Admin\AppData\Local\Temp\EycEcAwQ.bat

MD5 d3e1c4de7370eba24d47405f4aaf87db
SHA1 9e843eb9e1d76010a5be599400608eebb3ac0b7e
SHA256 a2999b451648ad8eadc1f27d670de4662645258bfbd1b55cdc6832f54a9adb65
SHA512 2fa7938fdc278b32a5cb6d23a58ec1b58e0e097c057717263fec8b4e4ee44e73632ffb74995304841eba8b31a7b9dc4d8b427a13eda4fd1ca8cb5e96bfc3b665

C:\Users\Admin\AppData\Local\Temp\oKIgckgI.bat

MD5 f953f2e14636525475f483bd7eb0467a
SHA1 c9c086550195a855ea605831a47fd0414762be2b
SHA256 23340bc7dcb04694787e21b694b64731ee4232ef8107e33b4cec0f83959b3aaf
SHA512 78b7be0befb973ab1cada3a75439ccad5becd6d7d883e7c48c39ce49807649074eb0e4ceadd6b5b214c63d3528361e195ee0f2ab14db712ba37a750372fbb379

C:\Users\Admin\AppData\Local\Temp\zKEQwkco.bat

MD5 8c85b277aee0b5ee5bfe59fb5f5cce91
SHA1 a6d1433ef5eee7b6c9f329f5a3e4dd1e312eed84
SHA256 e47d8b0ce605651faaa47697d0be7ce94c40d7cd6b3284f4fa0c2779698e41d9
SHA512 e1b81f88d6240be72ad17d690bd8c99692986bf2a9b89c7877b9612cd5a340a9b3df24c679714080710ff8e68fc1af57553f420bdd1f515c6ed1f57f6449302a

C:\Users\Admin\AppData\Local\Temp\TugEQMMc.bat

MD5 418c6f8cfc8d2e300685ad138a18b663
SHA1 8221f12d899a3b5f226f92c37c6a2f3ea0036103
SHA256 30afce19651c44522de00c10a66e7ef627688ec496bd259fb36f5f5a12e56a08
SHA512 697f9fbdef50ad89c2c5a437d676bc8cb90293f6c46412f744b61879f9ac849fdc28f52ab42721c8beabea91671610ca6f782e1f070eebddea06db5282557a2b

C:\Users\Admin\AppData\Local\Temp\DcMsYkgg.bat

MD5 24dec31ec0f96f7de1eba1c88b4831d3
SHA1 d3a3cc2d3e807e77ef9ff80096b9159597e3f31b
SHA256 4ddeb35b3801106da19c3a7492cd8dfce05fec7599bdafa3452be9207e0f6a8a
SHA512 2838a3102dbbf1696afb8384237b23b2b7445df0a0783dcfb5d76b68fd4508a405322a04150311e47cc1a09814e85a67ccbecd846c2dcf607cfd52e6207af84e

C:\Users\Admin\AppData\Local\Temp\GwUoIMco.bat

MD5 24dd5c11961612b1049d546f59120aa3
SHA1 c3295a7272c2b9a71db017f97a47349b9ab40cbb
SHA256 61349f8c27472673313ef879e58464b632cd7fcfa6f842f4720deedf52944f92
SHA512 de0f7002b20a41f1543490e0cbcfd08bed875870701ce08c3284f1c125e9323c4b0db6ccbd73053299ac03029b3866e7b0089eef5f416966109963344a9ea8c8

C:\Users\Admin\AppData\Local\Temp\IAAwYQAI.bat

MD5 4e048f2ba597a4db908da285b97628ff
SHA1 983f4dff44b5729e88387eb09563c3cbd810b08d
SHA256 5c1bc8f321362422e38cd9129cc5093650dc756350a1674bfbbfa31532bb77c1
SHA512 bf80af8911d97c7e247187f78fc3b2c13db9c85339c4814b36dc1650a70982a6c1fdf6de9a4e402e2e58b1a8a68ca6a1b8b9bbf58bdf5db9d854497e9c51dce7

C:\Users\Admin\AppData\Local\Temp\tAIkoAoE.bat

MD5 d28297d911a0d07ec1b33cb6174844d4
SHA1 d7c29a7c6e241b12745d1d58bc0b2eb876cb4af4
SHA256 8f0477809d28c421d0dcbe9f27fc175868175cd372ddf4aa0ba3c5c9eaf21b91
SHA512 8d69a8f047e62d598ff3faec1c91a78e189d081dd84a19a29fd7a61d2904e081fa00c5fb9f69165ba264399dea55dd19fad383b9d8e5f91122d53113fe1d78ce

C:\Users\Admin\AppData\Local\Temp\fYAYYIEU.bat

MD5 f1daa383b5e6e68ef6755a6779017798
SHA1 666b8fd31af80326e457bf984bcde953f75753f0
SHA256 a5572463e19d7ec687a3bd93f425bc55bce6146386ad210355d5ca130da84bb1
SHA512 4af488e4bde92071cc1fdf6128afe9ea66dada0faeed83db30165ef6d4636f365c89b8eab633de2027fdbadf50083dd488c2a05ed81dc1f42e61fca32afcae54

C:\Users\Admin\AppData\Local\Temp\JykgEwsw.bat

MD5 c98fa34defbfc5a8b9955f69fba88b81
SHA1 23f920f3391ac7c2fac204afd86828d53bfc5b39
SHA256 d09a611e5b41912f60c1a2407522258e4d96ea7d08b5a5a47d87ec9e388dcd95
SHA512 ced729c73c40bf195f34620e96f46650eec386fd70ce36e38de875b5898b91a7e3bd249f5b13e10cd65ffe67ad4fe777d927d471fb54d61dd2407a6e3de4cdd0

C:\Users\Admin\AppData\Local\Temp\SoYAcQUI.bat

MD5 ab3c525da0d61da665154f0f8ffde56c
SHA1 8218e7021a31cdddfe4fa0ae15a088e63e61d3ba
SHA256 7250772b9517cb13be618cdf239166957f69041f2fec62bb4a01914ca874c9c9
SHA512 5e1c3e4ec0bc9dd3de4dd1570af8bba23fd5d63f7ed6674e8ae1be3ae50c945f7e3ed34b62284f704037cc3186fbdbe949881e09044bb99f106e6387681720a2

C:\Users\Admin\AppData\Local\Temp\GiIgIgAY.bat

MD5 9b5562ed37a3d202fad6f25c8d55d2a2
SHA1 0be674c682cc8907e81f892120ff0e546b149939
SHA256 7a36283903cdf18c8ddd4f159259aef3e8ddec9d19ed2489cdbcb91e9f4d2c05
SHA512 b4515df220e27c7169e2a4c9f4c4280039c7bc44278a1c3b378682bf22066a60cc4aafb8155b5ece817dc8f0ea455aea44ecc6f26f592a0df1da88fbedbd1bf9

C:\Users\Admin\AppData\Local\Temp\uYoowAUs.bat

MD5 5173339d3a6eda907fb9f1f6388260c3
SHA1 36d78625ae10815d7b25432bee53318e30aa9d74
SHA256 2308340cb4702ba157eaf52bb3d1fd6861ab801037e48da7b4ac0a1c9cf4cade
SHA512 732d885bc5ccd995ed7fc9e6149c638b1ae83875a549db03a2b3be6b33d3a73aa3d53b0f7b9626c8121dfe605168d0f940aada20cabcb978fb7f5a3232619dea

C:\Users\Admin\AppData\Local\Temp\vgMkEYso.bat

MD5 254228a535fbe5ec9dcff416c6a10ba4
SHA1 7a5303648473872c43b69d63765b9b4a27fd87b8
SHA256 5f41ed6b895e984caa39546e78bcb22c4e7af989d2f692762d7c49348540845d
SHA512 3457d027310ecd270a6a5a72f28460776a3479329cbd2c5fbce55289211cc08fdd481620fbecf1e25fb626677858650374a67b107f0d17abb4172fb53457a4b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 21:52

Reported

2024-10-25 21:54

Platform

win10v2004-20241007-en

Max time kernel

11s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\huMwQAoc\\PYssUsks.exe," C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\huMwQAoc\\PYssUsks.exe," C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEwMYYog.exe = "C:\\Users\\Admin\\SCQUcogk\\WEwMYYog.exe" C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PYssUsks.exe = "C:\\ProgramData\\huMwQAoc\\PYssUsks.exe" C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEwMYYog.exe = "C:\\Users\\Admin\\SCQUcogk\\WEwMYYog.exe" C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PYssUsks.exe = "C:\\ProgramData\\huMwQAoc\\PYssUsks.exe" C:\ProgramData\huMwQAoc\PYssUsks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PYssUsks.exe = "C:\\ProgramData\\huMwQAoc\\PYssUsks.exe" C:\ProgramData\FIwcocYA\yKokEkwk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\SCQUcogk C:\ProgramData\FIwcocYA\yKokEkwk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\SCQUcogk\WEwMYYog C:\ProgramData\FIwcocYA\yKokEkwk.exe N/A
File opened for modification C:\Windows\SysWOW64\sheEnableApprove.xlsx C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
File opened for modification C:\Windows\SysWOW64\sheImportClose.docx C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUninstallInvoke.xlsx C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
File opened for modification C:\Windows\SysWOW64\sheGetConfirm.docx C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
File opened for modification C:\Windows\SysWOW64\sheOutRename.docx C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
File opened for modification C:\Windows\SysWOW64\sheRestoreMerge.docx C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\huMwQAoc\PYssUsks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\FIwcocYA\yKokEkwk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\SCQUcogk\WEwMYYog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 3164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 3164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 3164 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 3164 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 3164 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 3164 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 3164 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 3164 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 3108 wrote to memory of 5000 N/A C:\Users\Admin\SCQUcogk\WEwMYYog.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 3108 wrote to memory of 5000 N/A C:\Users\Admin\SCQUcogk\WEwMYYog.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 3108 wrote to memory of 5000 N/A C:\Users\Admin\SCQUcogk\WEwMYYog.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 228 wrote to memory of 4804 N/A C:\ProgramData\huMwQAoc\PYssUsks.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 228 wrote to memory of 4804 N/A C:\ProgramData\huMwQAoc\PYssUsks.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 228 wrote to memory of 4804 N/A C:\ProgramData\huMwQAoc\PYssUsks.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 5076 wrote to memory of 1260 N/A C:\ProgramData\FIwcocYA\yKokEkwk.exe C:\ProgramData\FIwcocYA\yKokEkwk.exe
PID 5076 wrote to memory of 1260 N/A C:\ProgramData\FIwcocYA\yKokEkwk.exe C:\ProgramData\FIwcocYA\yKokEkwk.exe
PID 5076 wrote to memory of 1260 N/A C:\ProgramData\FIwcocYA\yKokEkwk.exe C:\ProgramData\FIwcocYA\yKokEkwk.exe
PID 3164 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 4464 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 4464 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 3164 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 3164 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 3164 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 3164 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\System32\Conhost.exe
PID 3164 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\System32\Conhost.exe
PID 3164 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\System32\Conhost.exe
PID 4524 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 4524 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 4524 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 4524 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Windows\SysWOW64\reg.exe
PID 2544 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2544 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2544 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2332 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2332 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
PID 2332 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe
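The WriteProcessMemory table above is the only place this report records which process started which, and every parent/child pair appears three times because the sandbox logs each call rather than each process creation. The following is an added example, not part of the sandbox report: it parses rows in the table's format, collapses the repeats, and prints the parent/child tree so the sample → cmd.exe → sample → reg.exe chain and the two roots (3164, the submitted sample, and 5076, yKokEkwk.exe, which nothing in this table wrote into) are visible at a glance. The sample rows are copied from the table with the sample's 64-character file name abbreviated to SAMPLE.exe.

```python
"""Rebuild a process tree from Triage-style "PID A wrote to memory of B" rows.
Added example; the rows below are constructed from the table above with the
sample's long file name shortened to SAMPLE.exe."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+)\s+N/A\s+"
    r"(?P<pimg>\S+)\s+(?P<cimg>\S+)$"
)

# Constructed sample: one row per distinct pair, plus the first pair's
# repeated triple to show that duplicates are collapsed.
SAMPLE_ROWS = r"""
PID 3164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 3164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 3164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 3164 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 3164 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 3108 wrote to memory of 5000 N/A C:\Users\Admin\SCQUcogk\WEwMYYog.exe C:\Users\Admin\SCQUcogk\WEwMYYog.exe
PID 228 wrote to memory of 4804 N/A C:\ProgramData\huMwQAoc\PYssUsks.exe C:\ProgramData\huMwQAoc\PYssUsks.exe
PID 5076 wrote to memory of 1260 N/A C:\ProgramData\FIwcocYA\yKokEkwk.exe C:\ProgramData\FIwcocYA\yKokEkwk.exe
PID 3164 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 3164 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\reg.exe
PID 3164 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\System32\Conhost.exe
PID 4524 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 4524 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\reg.exe
PID 2544 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 2332 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
"""


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image) for each row."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        yield int(m["parent"]), int(m["child"]), m["pimg"], m["cimg"]


def build_tree(rows):
    """children: pid -> unique child pids in first-seen order; images: pid -> path."""
    children, images = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in rows:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        if cpid not in children[ppid]:      # collapse the repeated calls
            children[ppid].append(cpid)
    return children, images


def roots(children):
    """PIDs that wrote into others but were never written into: tree roots."""
    written_into = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in written_into)


def longest_chain(children, pid):
    """Deepest descent from pid, as a list of pids."""
    best = [pid]
    for c in children.get(pid, []):
        cand = [pid] + longest_chain(children, c)
        if len(cand) > len(best):
            best = cand
    return best


def render(children, images, pid, depth=0):
    """Indented 'pid image' lines for pid and its descendants."""
    name = images[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for c in children.get(pid, []):
        lines.extend(render(children, images, c, depth + 1))
    return lines


def process_tree(text):
    children, images = build_tree(parse_rows(text))
    out = []
    for r in roots(children):
        out.extend(render(children, images, r))
    return out


if __name__ == "__main__":
    print("\n".join(process_tree(SAMPLE_ROWS)))
```

Rows where the parent and child image are the same path (3164→1944, 4524→924, 2332→3720 and the three dropped executables re-launching themselves) are the sample re-executing itself, which is why the same reg add trio appears under several different sample PIDs in the process list.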

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

"C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Users\Admin\SCQUcogk\WEwMYYog.exe

"C:\Users\Admin\SCQUcogk\WEwMYYog.exe"

C:\ProgramData\huMwQAoc\PYssUsks.exe

"C:\ProgramData\huMwQAoc\PYssUsks.exe"

C:\ProgramData\FIwcocYA\yKokEkwk.exe

C:\ProgramData\FIwcocYA\yKokEkwk.exe

C:\Users\Admin\SCQUcogk\WEwMYYog.exe

OUKF

C:\ProgramData\huMwQAoc\PYssUsks.exe

ZXWY

C:\ProgramData\FIwcocYA\yKokEkwk.exe

DZKS

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N"

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6N.exe

YZXW

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
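The three reg add command lines that recur throughout the process list are what the "UAC bypass" and "Modifies visibility of file extensions in Explorer" signatures key on: HideFileExt=1 hides known file extensions in Explorer (so a dropped shell32.dll.exe displays as shell32.dll), Hidden=2 sets Explorer back to not showing hidden files and folders, and EnableLUA=0 disables UAC after the next restart. The following is an added example, not part of the sandbox report: a small parser for reg add command lines, plus a check that flags these settings so the same rule can be run over process-creation telemetry. The sample command lines are the three from this report together with constructed benign and variant lines (a full reg.exe path, a long hive name, hex data).

```python
"""Parse `reg add` command lines and flag settings that weaken the desktop
security posture. Added example; the rule table covers only the three
settings seen in this report. Sample command lines marked as constructed
are not from the report."""
import re

HIVE_ALIASES = {
    "HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG",
}

EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
UAC_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# (normalised key, value name) -> (data that indicates tampering, explanation)
TAMPER_RULES = {
    (EXPLORER_ADV, "hidefileext"): (1, "hide known file extensions in Explorer"),
    (EXPLORER_ADV, "hidden"): (2, "do not show hidden files and folders in Explorer"),
    (UAC_POLICY, "enablelua"): (0, "disable UAC (EnableLUA=0, effective after a restart)"),
}

SAMPLE_COMMANDS = [
    # The three command lines from this report.
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    # Constructed: same UAC change with a quoted full path, long hive name and hex data.
    r'"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x0 /f',
    # Constructed benign lines: an ordinary application setting and a read-only query.
    r"reg add HKCU\Software\ExampleVendor\ExampleApp /v FirstRun /t REG_DWORD /d 0 /f",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
]


def _tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def normalize_key(key):
    """Expand hive abbreviations so HKCU\\X and HKEY_CURRENT_USER\\X compare equal."""
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return hive + ("\\" + rest if rest else "")


def parse_reg_add(cmd):
    """Return {key, value, type, data, force} for a `reg add` line, else None."""
    toks = _tokens(cmd)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    entry = {"key": normalize_key(toks[2]), "value": None,
             "type": "REG_SZ", "data": None, "force": False}
    i = 3
    while i < len(toks):
        sw = toks[i].lower()
        if sw == "/f":
            entry["force"] = True
            i += 1
        elif sw in ("/v", "/t", "/d", "/s") and i + 1 < len(toks):
            entry[{"/v": "value", "/t": "type", "/d": "data", "/s": "sep"}[sw]] = toks[i + 1]
            i += 2
        else:                       # /ve, /reg:32, /reg:64 and anything unknown
            i += 1
    return entry


def _as_int(data):
    """REG_DWORD data may be decimal or 0x-prefixed hex."""
    try:
        return int(data, 0)
    except (TypeError, ValueError):
        return None


def audit_command_lines(cmds):
    """Return one finding per command line that sets a rule's tamper value."""
    findings = []
    for idx, cmd in enumerate(cmds):
        entry = parse_reg_add(cmd)
        if entry is None or entry["value"] is None:
            continue
        rule = TAMPER_RULES.get((entry["key"].lower(), entry["value"].lower()))
        if rule and _as_int(entry["data"]) == rule[0]:
            findings.append({"index": idx, "key": entry["key"], "value": entry["value"],
                             "data": entry["data"], "reason": rule[1]})
    return findings


if __name__ == "__main__":
    for f in audit_command_lines(SAMPLE_COMMANDS):
        print(f"[{f['index']}] {f['value']}={f['data']}: {f['reason']}")
```

Matching on the parsed key and value rather than on the raw string is what makes the check survive the obvious evasions (quoted full path to reg.exe, HKEY_LOCAL_MACHINE instead of HKLM, switch reordering, hex data). A direct registry write from the sample's own process, like the Run key entry in the persistence table, never goes through reg.exe and needs registry-event telemetry rather than command-line matching.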

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 api.bitcoincharts.com udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 maps.google.com udp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
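Most rows in the Network table are reverse (PTR) lookups of the form a.b.c.d.in-addr.arpa, whose labels read backwards to the address being looked up (238.16.217.172.in-addr.arpa is 172.217.16.238, the google.com address connected to two rows earlier). The following is an added example, not part of the sandbox report: it parses the table rows, decodes the PTR names, and cross-references them against the TCP destinations, which separates the reverse lookups that correspond to observed connections (172.217.16.238 and 142.250.178.14) from the eight that do not, and shows that the one non-Google destination, 144.76.195.253, was contacted with no PTR lookup at all. The rows are copied from the table above.

```python
"""Decode reverse-DNS rows in a Triage-style network table and cross-reference
them with observed connections. Added example; SAMPLE_NETWORK is copied from
the table above."""
import re

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)

SAMPLE_NETWORK = """
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 api.bitcoincharts.com udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 maps.google.com udp
GB 142.250.178.14:443 maps.google.com tcp
GB 142.250.178.14:443 maps.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 142.250.178.14:443 maps.google.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'238.16.217.172.in-addr.arpa' -> '172.217.16.238'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    """Yield one dict per 'Country Destination Domain Proto' row."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        yield {"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
               "name": m["name"], "proto": m["proto"]}


def summarize(text):
    """Split rows into forward lookups, decoded reverse lookups and connections,
    then cross-reference the reverse lookups against connection destinations."""
    forward, reverse, connections = set(), set(), {}
    for r in parse_rows(text):
        if r["port"] == 53 and r["proto"] == "udp":      # a DNS query
            ip = ptr_to_ip(r["name"])
            if ip:
                reverse.add(ip)
            else:
                forward.add(r["name"])
        else:                                            # an actual connection
            connections.setdefault(r["ip"], set()).add(r["name"])
    contacted = set(connections)
    return {
        "forward_lookups": forward,
        "reverse_lookups": reverse,
        "connections": connections,
        "reverse_matched": reverse & contacted,
        "reverse_unmatched": reverse - contacted,
        "connections_without_ptr": contacted - reverse,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_NETWORK)
    for k in ("forward_lookups", "reverse_matched", "reverse_unmatched",
              "connections_without_ptr"):
        print(k, sorted(s[k]))
```

The reverse lookups that match no connection in the capture are the ones to check against the other behavioral run and against a clean-VM baseline before reading anything into them; a sandbox image generates DNS traffic of its own, and this table does not say which process issued each query.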

Files

memory/3164-0-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/1944-1-0x0000000000400000-0x00000000004B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84bec7aa3d679064295ae98cd46401dc432f94a75ddbe6fd3f8e7d83d8e38ee6NYZXW

MD5 9134669f44c1af0532f613b7508283c4
SHA1 1c2ac638c61bcdbc434fc74649e281bcb1381da2
SHA256 7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2
SHA512 ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

memory/1944-4-0x0000000000400000-0x00000000004B9000-memory.dmp

memory/3164-5-0x0000000000401000-0x00000000004AD000-memory.dmp

C:\Users\Admin\SCQUcogk\WEwMYYog.exe

MD5 f379004b766a65a1744d2dea2b933122
SHA1 415a6cd25342cc4c3cbffb6124dc56ecef3f067e
SHA256 0cf1f12dda25629893de279c4d545555832882fd0b477ae8eef8dcbe320ffe57
SHA512 23dca4c1d9863db7a775e3e7c1905ee325a25a01d688b0dff7486e6b2a56bd837d4b8cbf79507ea6f30f6d40f4c987092f3608db42fca5112678fc083e613138

C:\ProgramData\huMwQAoc\PYssUsks.exe

MD5 41ed38f36867638bbeae5381932411f1
SHA1 7cce1f2d17b7707b3d2dae4226950057451204a9
SHA256 d967ee5f2c8fea6011d9b49312e1e5ec45e2967ba7b63b87a2535c096d6ce6eb
SHA512 1f14708d249543b9107506f7bcea02d34c973e5da2bfde20678b62d678e8d956b15d1ea200246dfd2a6c95fe6d155b03b79cfd1a3f95be0b8337b818b2ef79f7

memory/228-16-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\ProgramData\FIwcocYA\yKokEkwk.exe

MD5 0e1639ec3aa296b099180cb4baa433d1
SHA1 bd9f8e0d5012bd0835ffa59ef40ee70a659d0b96
SHA256 5afb18a844002983db6f7d9ce1f35b7fbb92bba94e43eeac67223075bd98dec4
SHA512 7aafb54956ef47611901997c4beb8a6503f903bb3f7819d5cc19599c1505b29a9faf0993b0e8a1478969af9b8f991b037ddcd4084d5a43d925b35086498ddab8

memory/5076-19-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3108-13-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1260-23-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4804-24-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4804-30-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5000-27-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1260-33-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3164-35-0x0000000000400000-0x00000000004B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sUga.exe

MD5 9e48d0dab2e8e4bef3da5c6551cb93e2
SHA1 a79a70613c038c3ba46b6ce5b21c79ac61c1875e
SHA256 66df068f9bbe4dc514227b8909a5caf6b06fd541f8580b1baab1fb2863c15bfb
SHA512 96f4a548dacfd0369df4aa9dcc5d747b74c4471ef351400d84dac0073ec16ceb44abe6f4a62de5ff8a942d9a741dacd7b57074495c8afb05a598881df9be6f41

C:\Users\Admin\AppData\Local\Temp\MgYW.exe

MD5 2bcaf3f55c11d50d0832f578725175ae
SHA1 8d9d44e3f6860f6a20b2db460a0252cf56b25500
SHA256 29fb211db2efe75dc55f4e3ae79a9fbafa2f3322bc0917b7d2300b83d20ed3ad
SHA512 c08655ddf13474eb7f650f20dc70a1fd9afeee7ef60f06efaacd7ab879e1c309e2f35599a53d95217d4ec8661a6c0c2a1ce47b44eda009a274c232ff95bd32fe

C:\Users\Admin\AppData\Local\Temp\mUAY.exe

MD5 a7070c6aac45b8f3fafb6c6a65635104
SHA1 ded31f0fd4ffb8d3b6b5c4b269f49e66199e7868
SHA256 81cd87899b410d9e5decbb00865f3734b4f0b78db73447edf2a2aa05ea3e708c
SHA512 7a71be15a08606063e3cbab6e56672e01c20b36d1c80dd0a99f33f894d9f7aac57ed7e86298ead31812d8000be716c3be91134ddb384c868700e9c9c5e357bca

C:\Users\Admin\AppData\Local\Temp\YWAQ.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\wIAU.exe

MD5 d3bb68798ef7bc792d9ccdbb0852d4ba
SHA1 50b466e0814e6bceedf2c3fc0e6099cacbd2f904
SHA256 61d3789151af6b0e71525560b663bf8c11952861876b35c2206a2ffad87a095d
SHA512 fb51fa7354258ac10fe5cfd9ce8840d1e3141e5a5bbb4f485421a1f47087cc783150987dfff10c714dd1488ab37fc5119ba14a63b9a5990a2e880a9af9c46c71

C:\Users\Admin\AppData\Local\Temp\YkYK.exe

MD5 dcb42befdaf0e8e7fb3916df5b86c486
SHA1 9dc65c3bdd645d492016eaf8da6281c02e25ea54
SHA256 4a6ea196cd41deaccbefd177b873842e6c7e572f59b1575d0bddbc1295a33844
SHA512 78b186d911f0edb3b7dd303746a8505f1e4671f363210b22c07050d81f77f6e6d1b43307417ef073a1729a0096ab448b40c71b71aeb48dc2f2cfdcfee7e110de

C:\Users\Admin\AppData\Local\Temp\gcAA.exe

MD5 60f30c1e32ea47905fcde43c4e9d768a
SHA1 798ba706384d6287ffc6dbb2a3b623d234a9d98e
SHA256 020b37a0f21b3c2cd991eee8d463f80fc2fd88845f5d70a65e637c4a315296c4
SHA512 e299c7a86e8754a65716bbfd09e5151c5abbe3b409f28b8b61b39e8acf92aec6befadcb546767717a5f5c78060febcfc18b00b46ded287763639cca95871e277

C:\Users\Admin\AppData\Local\Temp\aUkg.exe

MD5 d527bd372f8e97985c0f39ce467b9035
SHA1 a7feeaa46ea3c7401f2355c365f5fa5d3157631a
SHA256 170d1e8e041685509076c2457e0912d6c7a35d3d4b026c03ec82cc6d8d01594a
SHA512 ad7237dd7a67a8e3504eeb22e727afea9f511443dc409662691657c1d74164c18d84f9d27aa1f9570ea53b36bf3d14450efab07fcda837da25601705eaefd538

C:\Users\Admin\AppData\Local\Temp\asEW.exe

MD5 437c1ef6887d80cf882ad8d3f7c6054e
SHA1 33b7d72977e13dc384c3e45f800afc61dceee8e4
SHA256 425e69069b849017ead1e1fde7765ee9ddfd767dcbf8ef0d4c62877cdd862fcc
SHA512 92035a5185119f7be689e3c55afa1bed999026ab0cddb94be7343750a5ff814659326299c75f057ec0eed018a3a8e2b68751d24bac503e88cf840f04ff2f8e0a

C:\Users\Admin\AppData\Local\Temp\GkUQ.exe

MD5 8e578c3ba79b99eb0efca61ccee56f50
SHA1 e5ed7e3272991cf167deeb814bd582675307386f
SHA256 847cf96feb34f66f14c15d55a1e3e374f02e81db7d1587a418295ce1b38231dc
SHA512 524a4383b025baaa257ecc453036c2044ce377b51b95ebabd7d14024b3bc7b6da4a0a8b9c5b89771739a8ec244d5f0e036eaca0cd4809d36232eb977dfbbb9ac

C:\Users\Admin\AppData\Local\Temp\yAgs.exe

MD5 b3051397092484b7b7785cc3de86d637
SHA1 1682406bfe29fb9e4ad1f23b85cdb628d9c4920b
SHA256 64da0d3283b4e7f0d2eb3c9e05c468889a06cb2c178ea2a5b50f0a22dd914b72
SHA512 5110cb9aa7c28739cd4901be61341d52af881a7b00c3f25da36b3fb20377068e48643f2494b762deb8275d52564c9d184fa8da529c294d385f612d987e11335e

C:\Users\Admin\AppData\Local\Temp\msEk.exe

MD5 1eca6be2177326b46b16fd2798600bc6
SHA1 a0a5f560d0ad26683c7a423b5eaf079f72169fe8
SHA256 10110d4c45d941715ba812f2a84e3221e90c8ebf7fe3dbf59f16715c36931dd3
SHA512 a91df68fd1e7582fa52aa15809e9c879b0b46c11847cdcb40c9f817b6d4d2b80c1106192f29f008c04b3949b511912f87600ff87200f4cd80745e5f4765826cb

C:\Users\Admin\AppData\Local\Temp\yEgA.exe

MD5 db848cf3d46d78a46b918c48e2b08fa5
SHA1 2844585bdf49c0add08d1742f50b3c3a725678d5
SHA256 137b3d296b32c544babdffa6f0fff513335ac7396767b84949d19285085257d8
SHA512 5719658a00b6a3dd1483fda25f0843cad74becd71b23b489effaf14da38645d4b6fd0e4b5721f27efe2b5e58d222775e9e312160cc2e4dd1b1e01cca2e8ebde9

C:\Users\Admin\AppData\Local\Temp\YQIq.exe

MD5 359c4821b3e0a1bec68d05d58d112830
SHA1 0fb1032799b1407091da3e01f1806b921faaea22
SHA256 b6fadff778e0727139b4df18e4cafd27c07a801555b4c338f82eebfa9032ed84
SHA512 a194bc7f6131f18f43a3c108e592eda1a58fbb1f3a58832e11c50c498cda5a3cdb882c00c0ac1622d88f82f329b46e6beff82d93fea31036ebc3e22c445cab11

C:\Users\Admin\AppData\Local\Temp\iAgY.exe

MD5 46694b8ec89f6b419f3ce9a03dcef4da
SHA1 715d0a4a6376c0c3f95bb4e7699111a6fa1f7ce6
SHA256 acdb804149808743a98bae265b15c329e1ab708b8b0470679195bdd5879536d9
SHA512 080781293966a6f22e95005cefbf7d49e952cb21f2fb90ecb68d0fde6e2ccb1e3f45bc13d47fd9566e0ea9bab888a9ebd6136b2a580ca7b07e2a57bf72663b96

C:\Users\Admin\AppData\Local\Temp\ckwO.exe

MD5 e3f477fa8ba2bd7ec4b187aa475e000a
SHA1 eb2d684907f20c6e3516d7c8298b727f1c7943b8
SHA256 6e544d9e6ede298952e8dabb472b1189338e46c7f888de0d28299512348202c3
SHA512 418b37428ce41dab343a8517b27d81763e7cac11e13198d84500a2cb906d69684a01682152091f7d45379e2001fddb03f0906e113f0ccae378fa30b75d0ed30a

C:\Users\Admin\AppData\Local\Temp\WMQA.exe

MD5 0d1caacb534fbda7b37f9a8ef7c7e99f
SHA1 fc7612056372c1dd500f7311b55248667078cd00
SHA256 a76f1aff8ae503cd2ad1814fc88f4f1327479d3b31d229b96e18fe3bd21d8411
SHA512 4f29bc26e7a763c42469cfdfd963982f7d344b168a97cb42cc45119f995efa906a22fc2a88125d2bf14fc966d9c068d99cb6a76c4a60e181e46fcbd14719172b

C:\Users\Admin\AppData\Local\Temp\aMAM.exe

MD5 cd748f22119a515bc92bcef57c47f778
SHA1 920cd4171804e637a285a1e563e05bf1bd8e56be
SHA256 eb5d8e841b03b9e9cac5f847d411f0d6c1332aef7ca0c65dcec1e3dc566be1e1
SHA512 2cfa02dc358f2660f47aabc41c2e15915e26b62af3cf5ffafde23de54454d7753200520179cd580396544866fc8c83ec1a09e38a5b2671844007684f085d7044

C:\Users\Admin\AppData\Local\Temp\oUME.exe

MD5 84b20d0535d71dcc9d5786aa5be11f35
SHA1 0ad2e3a38cf0c17bce231ad7a7fe3bfb51820e4f
SHA256 4a587edf4d49ef31895470c3a2fb46a2dbcd6b9610e4e1922e096802a4304cc4
SHA512 4c6f7e6372ffd639f0b6ec471d14a89310cd5ba602f6b528f321ca74d9095b01a49a3e74a0ef1b6ca609c123aeb1124891cf2f86797e3ef6a5fe4bf5651b2f18

C:\Users\Admin\AppData\Local\Temp\UYwK.exe

MD5 15d9ac62e7871ef5044da3d5557be79e
SHA1 18761ac894cf5a317da7a1f7670dc8001df7d388
SHA256 ce7e34311cc643322899571f0cbeeae4a79ce3b96e65ca63f92fa79e3ec967b8
SHA512 b59ef67318722fd20da08003d466edb19cb0f0b8d0cfd8e5a498680ca424bab365062eddba1898b9f2963c1090ecb903e753df4428cd225993ed946acae33531

C:\Users\Admin\AppData\Local\Temp\msUa.exe

MD5 efbe877beb1523dd2bf00ee721bc00dc
SHA1 5b1f13834cfaddb7ea59a746e20258a905681e13
SHA256 bb87346b3f0577ac5c74ae2c8b28f433900a3e26b6b1c8cf3011e84734cdaddb
SHA512 a62f003638621256ec6d6f1dffc24cb89680aa5b12a5d21cd4d438b6b4ccd851513c52b207abbc1c7957b25ced0742a82e939241af0bfc551c8b563721914bf3

C:\Users\Admin\AppData\Local\Temp\skMS.exe

MD5 fc3a9f744ec4a1a46e3c5667dec89b2a
SHA1 245648e1e87c1a4b20622b72b912dc0c1500f88f
SHA256 d72106902c04e48107ae7bf4347c0d704c22923b892121f216c5a1fc82da6aea
SHA512 e944cea1d9da5bc7ce719af73b1321bbe39bc4717eef31f9d1e36ca7620662b004c27c4da3c19169cb1d291d07ea13dd10be299d8a19ab1969a7526a5273c2e5

C:\Users\Admin\AppData\Local\Temp\EAYk.exe

MD5 4e7ae325b4c2e1f6766e1ee0f34419f7