Analysis Overview
SHA256
4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
Threat Level: Known bad
The file 4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (61) files with added filename extension
Renames multiple (51) files with added filename extension
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:17
Reported
2024-10-25 21:19
Platform
win7-20241023-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (61) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\omcoUock\zuIwEEIM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\omcoUock\zuIwEEIM.exe | N/A |
| N/A | N/A | C:\ProgramData\fcMMkIkU\eSoowcEw.exe | N/A |
| N/A | N/A | C:\ProgramData\yqowkwcY\aaMwYcII.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuIwEEIM.exe = "C:\\Users\\Admin\\omcoUock\\zuIwEEIM.exe" | C:\Users\Admin\omcoUock\zuIwEEIM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eSoowcEw.exe = "C:\\ProgramData\\fcMMkIkU\\eSoowcEw.exe" | C:\ProgramData\fcMMkIkU\eSoowcEw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eSoowcEw.exe = "C:\\ProgramData\\fcMMkIkU\\eSoowcEw.exe" | C:\ProgramData\yqowkwcY\aaMwYcII.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuIwEEIM.exe = "C:\\Users\\Admin\\omcoUock\\zuIwEEIM.exe" | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eSoowcEw.exe = "C:\\ProgramData\\fcMMkIkU\\eSoowcEw.exe" | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\omcoUock | C:\ProgramData\yqowkwcY\aaMwYcII.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\omcoUock\zuIwEEIM | C:\ProgramData\yqowkwcY\aaMwYcII.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\omcoUock\zuIwEEIM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
"C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"
C:\Users\Admin\omcoUock\zuIwEEIM.exe
"C:\Users\Admin\omcoUock\zuIwEEIM.exe"
C:\ProgramData\fcMMkIkU\eSoowcEw.exe
"C:\ProgramData\fcMMkIkU\eSoowcEw.exe"
C:\ProgramData\yqowkwcY\aaMwYcII.exe
C:\ProgramData\yqowkwcY\aaMwYcII.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKMYMQQs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KockMowI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zisEMwAE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LekYQYEE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOEwIgoE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScYMoQIE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqIMEwIg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMkYwwEs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgkUYMYg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCkAwwsU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUIQUIAI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqMMoYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xosIYsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeMgcUEM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGkkQkYM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yGowwAcM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSYQIMwk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSgssYAc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCYQwcIY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQIIAMsY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMUoAUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmEsQwEw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkUgwkQg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyEkQkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYkwYUow.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmMYEokA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGYMkYAI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAAUwsgc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "368849097-90857820322741869525245024-397505368-10003923191177738848-1136799963"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYMEMAQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-252006538-475984532476901305-17521886841593770001-453079917-372532228-1576712430"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sSMwIcQU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "166204060415219924231354439442-328875319-8542845671389712975-9990329772145319867"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEYgcEMM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2017035578-17696661342049642451209305682-962487188-1577154738-13551900701625763546"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LQIQIEss.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKIgwUow.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "95420411446569418011716650561929935232028696475154675318747277201-942888596"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XyAQUkMk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmAcMkIY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1132276778-942335972-1677952922-845744184-1765470137-349231739954433764-510912077"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\euMUYQss.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOcAsMsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqEQQMIs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1922959463-148025358517800555412896889691382288379-16948026801918201715517825726"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1848580955-955573307-876446663-32669080020052134081106598306491580121-45247011"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgUIAIYI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EukMMsAE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1297805733699644872-485853010-17261696761875233926-426537096-904258607-1311181436"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AagsIEAU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "681063206605013326-2041566488-941072574732603072-1656891766-17042069721829349666"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "893975825-4467610-1100742380-110139278711555027471102439971-306511123-1686612680"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIoMcsoE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5916484132063508247-919914666-692317821767876076656949977-372288682-584461008"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-730219505183568756-1947979620-373723257-766356538-21374783121596980493-328622819"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSAQUkoY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19922937898585467821224948587-19787458161922808870-107843885-1359925939198822398"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "395560766553504987-10656540845575071191861441617524237888-1380303442-208719497"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XuUwcEwU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9335502581415392391-42298945018401043861358082203-2204987102119020550-1258441031"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1401185080219454998-1050455078998040230-212404030420608010981170983873-775435404"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkMwAIcc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1317725264-2387638541556681827733010349-1542634073-16733274839252987891758660220"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2134517076504548527-8967882910417919559895228216108225277022750081099403449"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGUAEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUAgcMEU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\swUgoAsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2105152987-1630710192-589011387-1065469491-256521815-1353747337418268480-876614667"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1075353089757062155-201531094629969213-19435644821083968650892636039398880430"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1339884403-987329465-55981027-368154903-209261987-804934592-1089008451237214986"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwswwIkM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1852475528-1066464777-262769258-21473740193568789941686116941-1127726701899405715"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSoscgkY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20662067362019995481208075901-20348895901858965673-22728763318750501931392746926"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "887980474283166264-2070262840480686620-1051165356791298182-1103797211-772051684"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAIQYMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16741239281907603151-1834748464-8771288351901087840-20804937961690819140-1914395701"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcogUcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOsIsMsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-74097662334997021-1291738449-1274490444-1676904100-2076076529-16214985762104182815"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "146569301814125052093271613091469589205337941591675319761-1449575571254560530"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "729907834193266283213984063861428410700222701-10676190421547207792-349090074"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
Files
memory/2092-0-0x0000000000401000-0x0000000000571000-memory.dmp
\Users\Admin\omcoUock\zuIwEEIM.exe
| MD5 | 40d405614bfacdb93010d3221f9de2b4 |
| SHA1 | 5f01480507a5046a8e993b992d1135e4382b7c0a |
| SHA256 | 2ac15180c41af89de2633f7ce15e05da51fe865233473bf3abfb2bbb162d4ffa |
| SHA512 | 951f42e539d4f23ba4f0a7c83becad9929f70960bdf090b095f41d92095debe897006134465159d7f98e482a0d31c1fc01c85cf6ab7858b334b58000185ed4aa |
memory/2564-10-0x0000000000400000-0x0000000000470000-memory.dmp
\ProgramData\fcMMkIkU\eSoowcEw.exe
| MD5 | ba399c520a10f65ef3085c766eba938d |
| SHA1 | 9e2c9d9cea9654e1c88a6b6b842a222b7e7b9f2f |
| SHA256 | 6f3383c6d2868a0440f6f358ef19db5335539211fbeda02033d1b1250386b576 |
| SHA512 | bf03f6f9e46b35b6081abb6e97fcda9fa3bbc46ab290b4d65bf8c5ca5312f097ef6ef0bebec3a34595d217beeac188e0262e7ee523437caec5731f16374aed5c |
C:\ProgramData\yqowkwcY\aaMwYcII.exe
| MD5 | 56afe7c9d837884372fb147cdf8e305f |
| SHA1 | 634871e16b34e6f5ab96cb5040f1cdebbba7fe8c |
| SHA256 | d8c5c392f6ca2b9efd141ad0f6300ee340c16e18b65525d7786860a876d94fc6 |
| SHA512 | 6ebbc8e42aeeba4bf591303a8b24bee52432fa76d0f03b25b67b36175727c8a03a8791c9987d1b3c305655faa6cc5170aa56852a9a6793a104a0b5b643baaf91 |
C:\Users\Admin\AppData\Local\Temp\UgAYMsgs.bat
| MD5 | c8bf96418a72565bd644eb425e529fe2 |
| SHA1 | 5f1cada7b42902fcc216724ea2ebaac842af8282 |
| SHA256 | dd83634e0bb322ee54870cabea8aa659900248737ca8743f3b6b81c509821060 |
| SHA512 | e77f8b702b33a70d30b7cd8344c730e1dd9ace092eca5aa8c6b0de66efdc11179848ce51a1a04b440694455553d9907fedde98fab328c525562f12b5f92046a2 |
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
| MD5 | 7455307d1d96b6df1031eed8d010598e |
| SHA1 | f16374bd24863520bc9cdea1ccfa99a540f991aa |
| SHA256 | 510a270eab4c149d50fc3feba4467d6ad65c55834236dbbb63ec8d47d7d75007 |
| SHA512 | 2b10c850c688f6039cd20cf69067d961d3c4bafb6e9f8ec992459cd48f04009db7661c5595c509e257beade0b8ec987f79a87297084f9af0824b7787e7615cd7 |
C:\Users\Admin\AppData\Local\Temp\qQMoAIgk.bat
| MD5 | 98519441b1481b824d34de4f545ec051 |
| SHA1 | 32faa3f586503607ab5b92606e4e984ad1504433 |
| SHA256 | b69b004fd2179a3e275d5fdbc9cb1befb0b1c30d7ff917a9d3134f0469f18261 |
| SHA512 | baa468f6c8e311cfbf689f7505c32c49f9939eb09b8dc2b172518148a9f147f86fddd780dd255ccc7d83c489dd9a30fda4df0b8afefc36a7029d60678d8b36c6 |
C:\Users\Admin\AppData\Local\Temp\AKMYMQQs.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\AOsQcQUc.bat
| MD5 | 71c5b065d01332d7d7aaeddc6ca3648d |
| SHA1 | 45f3f93ed2978f12623a594a6b575fadbfa7f572 |
| SHA256 | d5c102ea385de554bb1721900223dcd9ecf58a09dde8c32902aede22220c4431 |
| SHA512 | d7326052870e654338d6b58b4b58206a0a00a559ac4a59affd8e1f410c8ee8e6f0dde2ec57a3f4ec339c478c54f50f6e5da64f2700a1d8ebbfe44a89615dde7d |
C:\Users\Admin\AppData\Local\Temp\xKYAMQwA.bat
| MD5 | f2a7b79f745a883b9bb5bd8eed4e4845 |
| SHA1 | 4c6ff75a3d72eea3a87c671469f43e398eac6991 |
| SHA256 | b95d228ecef8c402635e22ce04ed22379f789c58ce16c8c9a9f9cc2dad0e5609 |
| SHA512 | b4f08620febbe1b73728b37da84601a13d94a7cf692a6ed17a0cbe9e1f6cecddab4b963d150e64904a971141408d3d304e1602f06e19de0a92a598b203ab0def |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\FEgMQMMI.bat
| MD5 | 7cf4a0c81693adaa86e27c5b41e26a9d |
| SHA1 | 9fa2b3a82dac1009f6ce11708c81dae9700a5c82 |
| SHA256 | e3ef2d7f0bbb01ff6fbb6804d8121d5d02e4f59329bb735aec82ffd56d0078ef |
| SHA512 | bd030cf235c4c6c7f65aee5fa277955dab2d6063298c25b4719406854b6ce071dcafb102ce3f29487e44dc8a440c3da142d374fb1e0e032b2382192525e871d2 |
C:\Users\Admin\AppData\Local\Temp\XsYUwscs.bat
| MD5 | 36a1d85ac2c3116f1c8dde6ce18ac4f9 |
| SHA1 | dc8bc67dbf817f6181dda874cce22b0fa6e13259 |
| SHA256 | ceba37d5512767d26fe1d23d680826909b966932772652c02468c3d43b7c1042 |
| SHA512 | 757d1286b8f3c2cc528aa3b73cc40003053d3bd2330c943f97fca0867091c1096ef0996c9860d72c86d28225ea4c6dbe6ec5151f731486a64fec6a6ad76d9371 |
C:\Users\Admin\AppData\Local\Temp\VAYoQIsU.bat
| MD5 | 0fee3d481adcde13ca43f9c49f4dcba9 |
| SHA1 | 4c9d8f12d723a3d0ed9d78649323b3883d046359 |
| SHA256 | 33329c0a3771cb043ccd7479fbe2e25fb015b99b5a07aab3293a436f58500e0f |
| SHA512 | 5b092a2e84745e756354dd2dbc958f6a8d39d53f013b8ae8d5aac217658d0f4a97b9ea4940f9ace957d5a3335695789983f22642e59fc228d44a8512b312e063 |
C:\Users\Admin\AppData\Local\Temp\gCwQYgMs.bat
| MD5 | 25e3cae07f36fdc839305bd7f6e3be54 |
| SHA1 | b7f91da9ba5d4ed7b90f5252900978181ceee9e6 |
| SHA256 | 17cfa7bbd631c48d79f930e4241423460d1fb5431f10fed76cae87c78f899016 |
| SHA512 | 484350b1ddd999c20530ff820c1338200e74ea0e23071dcf610a55b08800a8d2ebb5ecb486e17868edbbef8074f6f4fde5cbf0f931adb6e9ced8e4f534a40a32 |
C:\Users\Admin\AppData\Local\Temp\oOowIAsk.bat
| MD5 | a28359e1bc933b73ad5dd23511666b05 |
| SHA1 | c9de9fcfe660168b64800820b8e9d68768102e52 |
| SHA256 | 6e9e8218c52ecb98ee57c4456bdcef476169a59d586677581a177b9a12eda3ab |
| SHA512 | d212bad7f0f081ee6ca42bfdc64a87d272c9720a87ba6e5bf0c729063acc21cc9ae61d5d4d2495ca441c980d0614acdf265882379d501322849961134c39f255 |
C:\Users\Admin\AppData\Local\Temp\AgIAgoUQ.bat
| MD5 | 835698cefab6022834b90ea0e741cf92 |
| SHA1 | 877f22fd198da34215e356121568e4064207d66a |
| SHA256 | ccf088a74b9bafd60db9fb3aeba2fc8d742f20f7533b6d3093ab9e995b8bc651 |
| SHA512 | e43d5730966c450b786b0fd0f6e500c2234601c24e40d7be89983a17b422a38d355e93c1c2912e8ac6fb67110b70139c9cd6feb1a96e88fa01f9bc53400ff6ac |
C:\Users\Admin\AppData\Local\Temp\ZCQYoYoA.bat
| MD5 | ad82e5819dbf7609fa8986c941d195f7 |
| SHA1 | 23be03c937c3c73617bea6adaa4d096e75fd3075 |
| SHA256 | ef9345d58c51d9c0935e2352af6864931b7970268b31091358a9ecae6f89eb60 |
| SHA512 | 13a90ff13cb4e61725a1522c368391d3526249555aa97fb1938403f6d6c8fb1574461c4c2208cee71249501d60a40a2c35687b7731ea521098595111511f848c |
C:\Users\Admin\AppData\Local\Temp\HgUgEwwQ.bat
| MD5 | 4f656966c6d64ebd6318acd0f4a8fb22 |
| SHA1 | 65319a60c888cb657e3fbf37f1c7d37332817b26 |
| SHA256 | 78ba34ab8b07b96071e54d9a564645793b833ac5cc2adbcf068018c85d45ccfa |
| SHA512 | 7697428eca23c8990c35a1d9ec7247db7c0d2968ff104ff4361451879425e0759a639bccc662e7850b9257e800d4be1a5ebe1af73e676616d24d46ea89ca4830 |
C:\Users\Admin\AppData\Local\Temp\TWwwsksM.bat
| MD5 | 3e7816efee157538e361f356651e3945 |
| SHA1 | 686589ab770aad68a1b4d5952b50ea99d9f4280f |
| SHA256 | 3b9e6ccefc539c71ede092b1e473b29884fb972e8b5f034f6756403f79a64ed2 |
| SHA512 | 63b423bd08ce5f5cf83cf1761ed94316332dc6e0f37fafd1eb69b9ff11e9b9c73f2f41f642a5d9a2e048cd7f2f86093ffd57352c3b2a51d0d427f22410e6715f |
memory/2092-281-0x0000000000401000-0x0000000000571000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TMgQsAAU.bat
| MD5 | a9af9705c2a4dff87cbc631437ef5092 |
| SHA1 | 1101cc1fae132baaafa35f1682722035da468655 |
| SHA256 | 8bb5698ade0aea39d7847281139238dff091542bb4f8edca351b687ec01f9c8f |
| SHA512 | d6044efbc7435a0223cbad4b6c119fc8e733be9b01a27f3950828247da7814cdbee539ac4b068b62482264a16b57fa57ab9120c05782e6042815034bb9bab29c |
C:\Users\Admin\AppData\Local\Temp\yQUIAwoQ.bat
| MD5 | 2292452e995e78fb7b4138b347c6fb97 |
| SHA1 | cb8dde276fe68ef12264cfd7bc030ae910e4b519 |
| SHA256 | 4915f992bb57d8d1668e89e92a209b8bafcc5ba7dadb376710327d592fcc77b3 |
| SHA512 | d25d31aff009c34d6905d235d9602f3c0c16b08a33d0b256878233e8322564e053c8f20e310910dad1745f361e7f9d5b2ce6ab70d1f723666cab12b7292f5c3d |
C:\Users\Admin\AppData\Local\Temp\eYwwgEEM.bat
| MD5 | 9279bcb46e9c90884312d709a6e42a35 |
| SHA1 | 837bf4d0454965e5ce542ac7ce144ce4c8ad9141 |
| SHA256 | 36e84a0bdac09aa9e212e6002dd9679594a65faf22ecaa1af6b6c131c76d6722 |
| SHA512 | b73fce70912f051719900572c9627910a068a4b71a73e3b3d6bd6b06e5e85bf384e647377b0e0b55ee310db128c4f2e22a1bd893114f45e38ff974e25cd52430 |
C:\Users\Admin\AppData\Local\Temp\WUAMMIUI.bat
| MD5 | 2538a0652234fa6995f2cc798f2ce5d4 |
| SHA1 | 2352ea5a55394fa8854606df93eb2e8a65a3e3e6 |
| SHA256 | 5e3a7f6819d15d5cb473762d1300e504f8b6a467dd042e964c3cfcd8a357e9a9 |
| SHA512 | 86a01da273e09fc37392435adee2ae8e288e33eaf311930e958b3e4b4f5d8ea27c4d378d95ccecc582e14d989973212a76102b9169af3e4e7b4f9189501da723 |
C:\Users\Admin\AppData\Local\Temp\LOgwcoMM.bat
| MD5 | 71a105be552ecb7a81e318500a6a3a9d |
| SHA1 | 81072aa120b98266b87fe3ab5b2917ebe22dd987 |
| SHA256 | f1e37b24daa32611e6be774df6a6d431be8b9fa261227b75665dc62103b7424e |
| SHA512 | 61791f22d81d2f0394b2df09fc65efef166aa6233474ae93fb5cc1e803eb591815b78f40463ba05659e42c732714f31cf70e50853364a6a7b02ebef542cc34f4 |
C:\Users\Admin\AppData\Local\Temp\jUQAAccs.bat
| MD5 | 8ea0dfb8f20d0cc313562d99610fe559 |
| SHA1 | de457c997ad1a966df86ae74bbbc7680968c072b |
| SHA256 | 7ea278c6309168ce2f62128b0ed0ebb734dddb28b9d593a372d7c80ad83bb298 |
| SHA512 | dc775569d8e96cf53d8248e94bf61c6b098aedee27602724821ac1cdcee21e1c079825e3a2ac4d9ab42bf3375deffb5086add9ec46539d569a2d4b634941086a |
C:\Users\Admin\AppData\Local\Temp\TAcQskYo.bat
| MD5 | ccb906ecd0c9f6423d99243d924391db |
| SHA1 | 1a73a4d2c0374b09ab1062a94ebe2c5a5f1828dd |
| SHA256 | cfe4bccad2917be866d343eb9ec290cca6ba18e429470f9c450bcaf9e297a22f |
| SHA512 | 803552416e3b3fb3f594ced85b2841cd5fe58e177d98aa00700fdd672740afba761a62eb53a2a8c20b322416fec8fc4ee5ad7daada9d020aecf7bc2f7c21e550 |
C:\Users\Admin\AppData\Local\Temp\GIUcYwQY.bat
| MD5 | b145d8a15d611134381fa75c5a9790d8 |
| SHA1 | 57a4c801ba68673c1b2e847a626debec98480ee2 |
| SHA256 | f12f75cd1f050c69dd738932e69c2d32cb0d74e64de46eca61db2fd346e5dc5b |
| SHA512 | 3ba674afd75f696853dc93a70aa8cb97cbfa0e2693d5b37653d93dd163d1df17dec4b133ca55710d22ec8d4d82c23136a7cd80eb320d2e562ab225afa039eda2 |
C:\Users\Admin\AppData\Local\Temp\moQA.exe
| MD5 | b56a6441c1af10f9d5c8e4806244ff1b |
| SHA1 | 5c6c8b87e8debe6d4876581ec0ebf1ceb07e6e3e |
| SHA256 | e34e200e11c9b2c3275b1eb1ebb7ba8d5994b4a4674dd0a41c079d8181b843a0 |
| SHA512 | 42e4716a1e8184ac08a263233dc9272cf4a5e3daeb2c035504d9ef9b1ffad9390bd1544516d8aba6bb52c6653097769a3d57a77d4da4dea840f61e832c42d9a5 |
C:\Users\Admin\AppData\Local\Temp\mUUa.exe
| MD5 | 32714043ffd2816067f0fe80ebb42adc |
| SHA1 | c516c6d1167709965242e3372592d909be1d6abe |
| SHA256 | efd3fb2eaae3a90d0a01444dd82530e06a4d1a56711c99340e03dec79ebeec91 |
| SHA512 | a34d0e4c082067d21074aebc7a2670fcc972ac68b5e9144a91669b8f60f4e5297dea59a67fc139094aebaa748c01c9e9eab215f5ae5674e70890ca1e4ebbcecf |
C:\Users\Admin\AppData\Local\Temp\wmQsEAoo.bat
| MD5 | 8db9979a3ba85779b98e5a6a43284b42 |
| SHA1 | 355d7b08095956dd92102242a7b8e51c150bbf18 |
| SHA256 | 8cb3ad3a0ff51881547b9d2a0789abcbd9f1d96a3d6dd6d95887fea6a227228d |
| SHA512 | 6f182607214ec08ca87a42017eb5e84e447441f09c8b138bad45607e502a4b4152defafa87be0a67524a73fd27c768443f7fa5711c3b207010cf38a11f441c5c |
C:\Users\Admin\AppData\Local\Temp\AMss.exe
| MD5 | 446718447ac188b15ca726a960b210a9 |
| SHA1 | f0d75efdd88bdfb5a88071f20d58d464266181f0 |
| SHA256 | 9872b8a9fd6055ec967d37b8b913ebaf188d19c43dbe215ca8508ced913459be |
| SHA512 | 0b91f550fd7b7ec68bcdf4751634b9086028eaebd6f73a9f5652e31e767138f4a9f48bb23543f32dabd7bcb5cf0ee9cde80e3a8210dd07d6631117ff575daa95 |
C:\Users\Admin\AppData\Local\Temp\cAQw.exe
| MD5 | 82ce42cfbdf08c9889b446073bf41057 |
| SHA1 | c8cc7a5d68f041c8d3db2f9e0e5e04773f007deb |
| SHA256 | a202138c49d6d24e01696697cb3243487c8b2f8e02ca7e8fce64da78dce63529 |
| SHA512 | 8cf67683e216df99194a4d4019ce9fccb4ad6cc9d6b1e067ada9a80ceb15a4969b9b597fde8e09e31871d59791d9d7719b925e25bed4680ebdeaf92084ec2a18 |
C:\Users\Admin\AppData\Local\Temp\QYQi.exe
| MD5 | ed32fe7b1563c6509fc8f1bbdaf46695 |
| SHA1 | d26b8d76b5ba1c4b840821777336c46c1854152b |
| SHA256 | f1f1fafb8885613f1b35dd165e0b7849ca3551540ca9eff6ea5f695354ad5d89 |
| SHA512 | 5319e492b2855e94be7d189b344c79538a977b7a9b523db8de5f47b99f2dd31f58fdc93a27bd824347648e4f6e98fd2d34aacf6a0a424b74f81c273620743eaf |
C:\Users\Admin\AppData\Local\Temp\iIgAoEco.bat
| MD5 | 34ac807dca4eba11e31261ae3e1d3e4f |
| SHA1 | c5045540db535ebb1267a12d35cfe5b2ac4183f6 |
| SHA256 | f1c92825e62db0f3aab414b95f0acbf5396b7636de61fabc62d44f6d4102e0a8 |
| SHA512 | 25425dbb19d28acbab645a95d261ef3149fdbb92459bdbcbe9274695c2fc7080081adb40c383c7fd4e5ad009d95872b082aa7a99544c880d9127bdee0d148fe6 |
C:\Users\Admin\AppData\Local\Temp\WoEQ.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\EMgc.exe
| MD5 | a513c81c0f774c3a78628eb947dd3c2f |
| SHA1 | 6faf3980b0af840b18089ac7e5609312a59a1bd7 |
| SHA256 | 0b4040a787f36c475db72742b0265299f159034c270dcb0ef6d325b03a26394b |
| SHA512 | 0c4c53de1b9f405d401d1b5ca964398d5b7bf1cd3328514117f9f9f82762e2796c6ca79ce2fb53a030a6beb4e6356deb3deea987ce3522b51c4443b845089157 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 712177089ac9d1ac5ef21f140e8cc9bd |
| SHA1 | 69d4b91548c0fbaa2a292e9a1a17003974d20747 |
| SHA256 | 71f3e58a2e5040b8a9d7a578da532a02cfda588b3d4044dac1f1a31db141e07b |
| SHA512 | 14ea8c0cfe0c83435bb0071f3e2ea74497606a426468f8f6787f0d4e985be2157036fd80cfc2152dddde92ba97acc91adf0dd0605178f6b0d1233b3906319d3b |
C:\Users\Admin\AppData\Local\Temp\Yssm.exe
| MD5 | bdce8e64088e7dc00328063c67174eae |
| SHA1 | bc54cfbd7db7a920bdd3b5619f444e2e1df4c12b |
| SHA256 | 4352ec0123cef204016e32b46d0e8246b62e717b594fdbbf7779b8fc04b016b4 |
| SHA512 | 860047d866e36e5f6667998dbf82454809f5de85b2ea30b49be4325821f1a6b6d84cdbaf20b4e04fc4b2c53550c8e3185f183c59182f5beff0d5c0541034d6e7 |
C:\Users\Admin\AppData\Local\Temp\IgMq.exe
| MD5 | c3bb00c51270c4c8a1298a94bb32c1d9 |
| SHA1 | 87b05c5df2d80943c8342e3d8c7ed4ba79b2b4da |
| SHA256 | ae201a0c7866301eaf7d99c74a4fb532c236cbd94260053c1082c6218c18eea9 |
| SHA512 | e8e1dfddbc1c8811560cfdd8f4303e7ff60c32051650c2b9d1742b8a051be91b5a37c5b132a9501d125c19eefbf2e5b58d43c6b30dbb0f48091d680026c73bee |
C:\Users\Admin\AppData\Local\Temp\KisoQoMs.bat
| MD5 | 35bd3c6a17b6aa19965226a66f502057 |
| SHA1 | d73b54b791ec0ecaac5413052d6655ce5c40a260 |
| SHA256 | ca3c8eee4df3aca46ecd6a393ae80f153937bef48e717da4705c10e7fda7b080 |
| SHA512 | ea0a462a8035f2efd5a9b10e774c171f49612dc92ce6f3740d1a7206cd52b647a61dc05c6b1efbda9ee0f74b2ed75b92cb576b2684db9eb134106ac5ddaaf3d6 |
C:\Users\Admin\AppData\Local\Temp\iEsS.exe
| MD5 | 18e27254f4ac23351d27a46ed396bbe5 |
| SHA1 | 8cdb40c525d639a955dfec57e3659132f7f8b7e1 |
| SHA256 | 0cf7723ad64f822732c1063b3469a7674eff3569ed3c90f9634f658e296f1180 |
| SHA512 | 9a7f4cf23bc2355205e56f5ba5cf13a1c208e7774c90f13a34689201997d24110b0f3177b23532c81dd63c7acecdbec20e02ebc2b070d568246c1148b4d50a86 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe
| MD5 | cf8b84d979d1231dbfc3bfc20416758d |
| SHA1 | 76390b71ecd6b96dcb3b910bc467aafadc3c1b55 |
| SHA256 | 086e3a33aca4eb442e972fe89f7ce0e1068444e56c41f179eb10023db350d976 |
| SHA512 | a5037f6830cad4eeee16713bd77dccb8ce362e963c1853745bc47a33967ba9b51fb82946df4422f028635d7c5bc871cdc8e47bb8f0616e56540da8cbbef972e6 |
C:\Users\Admin\AppData\Local\Temp\gYcm.exe
| MD5 | 4bbacf56975761d3ea348d5e8cb4adcc |
| SHA1 | 15b0b1f62bc54aaf2fc883a82ba7e79002cd2fa4 |
| SHA256 | 0abb9d52f9843b580b58db02c20d54156d7667ff6eb015f76a4b48ed13aa13af |
| SHA512 | ba4ca06ee94132ceccc91e39195a7655ef484c073061bfca56fe20d93a43d4a0bd967846c0699cfc48cd4b35b0d137afb187ab2c2ba352e624401ff165f4f1a6 |
C:\Users\Admin\AppData\Local\Temp\EUcu.exe
| MD5 | 0380cb7137dba193514270c8d33c4d7f |
| SHA1 | 9476752607355588e3e61f50fcb88ea3ade9ad2d |
| SHA256 | 01fde3e195a592d1225e33717e4f541ba88242d6174fccaf273bc877f7ab0696 |
| SHA512 | 0678f063b27434e4d332d0b61511b41ad882acf3ded2a1d8d4527a5f471db4e31f3301ed36ee100ccf0327438b4efbeb77d87225cb012850a104e2b53a982f5f |
C:\Users\Admin\AppData\Local\Temp\oAog.exe
| MD5 | 08113230e39a18d3fef555113d18b984 |
| SHA1 | 8777c69f2a81473e116da67ca0beb9ebbfa8c8f4 |
| SHA256 | eeae93e58b070d03d234ea6d5dcf2c7945159184b51ec7920294c1432e758e9e |
| SHA512 | d30ff81b75ba593ba8f57d7f861649324f43634b9f63fa767de9e4932b83c96a457498d73a6178330ac7a06d699090590e819540e0a8825371682f73254c81f0 |
memory/2448-670-0x0000000076F30000-0x000000007704F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cEgO.exe
| MD5 | 088c440ce2de2a7e896c844368aa8f0b |
| SHA1 | b406b3945b9e8f684bfd1fba66944542634e8597 |
| SHA256 | 025567dd1c001c9b39eda329ad7c66f4ffa1a5c03de9c4e9cf18c0ae44e2ad08 |
| SHA512 | ca9b1636e0cba4940550316d12e607bcdfd2becf7987cea8fa2d6044420545e6a519e6fbf76d90e4167062e50bda8d6ef9cf995245e50c7e372440d8996c43fe |
memory/2448-671-0x0000000076E30000-0x0000000076F2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fMEUcQos.bat
| MD5 | 2f3c8a4812fbbc05874a5c6a39c0f71a |
| SHA1 | 83cbd038492be8310e455db30dc6c2931d270b19 |
| SHA256 | 6d95fb04f1cf424cd799f99e056e340c6dcbd6cadc4fdbab12b71fc331f20c71 |
| SHA512 | 5ee437e3540daa66329b30bbf4d5a0d0a81094c8eb6f86bf12249d5c72c59ae4dc59f7c711cf77e1a025988632fc15b0ffa323c21b250ad41f43c75bdc383b44 |
C:\Users\Admin\AppData\Local\Temp\KsgU.exe
| MD5 | 030febaaa07e5da234c135e087aafa20 |
| SHA1 | c1e1b4b2bebbb10c283dbc7886e9ed82c9c259d4 |
| SHA256 | 60a1dc8fcc78214db74bd4ed2fd6d9b5b3b165521870ca1c9bb32232f50d5c6d |
| SHA512 | 5a6911d2457072fabf4d864fd99be251cbb48a7ead18db3f4646364c55ada65690ddd84c3f8ccb560cc678dbb87f77e8e64400532802811f06f84cf74c0d1914 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe
| MD5 | 593fa9011cca2d14e25d43f99ba03e77 |
| SHA1 | 07287df257b21cc2404ae6d514dbbb10b3fa3013 |
| SHA256 | 5b47095a391d2ba8755159cb0a3c39c99ad55c1e4eb4564c9455731d3dc71388 |
| SHA512 | 583359a2923acf2666a644ed0447ac50eff902d0d9d8c71c615d9c6b7fba0a76e3a00392541f2d8b1b70613c59047f7593bd4ac0679efc4d1d71a36401ce646d |
C:\Users\Admin\AppData\Local\Temp\Sgcy.exe
| MD5 | 4cf90789ac270ac8ee6329f1a1967644 |
| SHA1 | b5bb8bb48da2796b2aa2a36c4f3a008914df2eaa |
| SHA256 | 429d277a01d434ec898b90912b9c02b63d399f9fd8ce335b457908baa07c81db |
| SHA512 | 561defc8819ea0b2f26c563d415065e34efaa11be5359fd3dcccd7dfcb02fb3fe1f68e3cc31ab2ffe3b9c84d28f48d73e2d1c8f66753601c48276d7539755a74 |
C:\Users\Admin\AppData\Local\Temp\SgcE.exe
| MD5 | 997528e1dbe8d0c1e25d9bb86bfcaabf |
| SHA1 | 3c1dde20765d244722293475b4a8c4ed50e0a82e |
| SHA256 | 0df923d8b5ff99c04a4140c5a0b6fa52c0f5e16990661753d2928a8809fe7a80 |
| SHA512 | c1a38e3ed79daa2ba2566ab151874fe38ae08279ccf7170e56fa1cf69e52adf2366d995b22efd81e4c1026dcc5639ecd6a32a0da1b95569feb3d22b0efe92f50 |
C:\Users\Admin\AppData\Local\Temp\JEAsgMEk.bat
| MD5 | e77f794f84a8b669afc90fe29bf9da5b |
| SHA1 | d84769b08810ee34662338eb7db613a8aa01be7d |
| SHA256 | 6087cbd1a94b41d39b6268f36771945e398e0f0531810aeddd49b3e1c2a5e3a4 |
| SHA512 | 9cb988aa1d3e46d9f429785fd216342029c05f3bcddbc88aa11494a492ad6e3cc4ac4eadc6e30b9632c9f2708dc77256608dc93b57adb291570836c185ad8b33 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
| MD5 | 035fa9dad16cd430657494d077fd1ad8 |
| SHA1 | 76e91cfe56eba8fd98de2b1587e22886255de941 |
| SHA256 | e7a948e2a9fb6fe65ec30fb1a6a3e7ad4c5f765657c7c3cb6357cab426bf8c87 |
| SHA512 | 0411f9733121f3bdf18cd55c026f0964e91db968acbb06c73860878a3fdd48990de860ca5d656444947090279a8f7808402c24629a626e4561d1ab0f67d57600 |
C:\Users\Admin\AppData\Local\Temp\SUQu.exe
| MD5 | a1d508b15c25034ecae2934cbca6722b |
| SHA1 | 0b0bbb5499117e1aa0e2ee41e7bb90c13183b521 |
| SHA256 | 365310a6f658832edbad16a99e55782ec8b045972da4373612961294a7c07d63 |
| SHA512 | 36aed4dd422bcfcbb1dad60ab00eb6c70cd7633b7f691979391ceb7e76063d524b099d9d19139917e51ef60bff7ac98525282bd3830afc5e8f83a4bf0b39cf6b |
C:\Users\Admin\AppData\Local\Temp\MUQG.exe
| MD5 | 6174c74b51fac2323e4ae0ed20773302 |
| SHA1 | 1727c57a0102f14b6ca1445a338ddda8ed0a4297 |
| SHA256 | 98363081314ce03c9fb0f18da05d9fdc8fc73fc60e088488d0eec757e82824c3 |
| SHA512 | 1e7d107c61fdeddbbee760f410613b969f5cdc077b5e8202d00291ced0dbb0efd89841d98ee549cd5f3b15244fb70d0a4a7414a3046ccc5f94638e5b8e57a83a |
C:\Users\Admin\AppData\Local\Temp\iMIa.exe
| MD5 | 29c687cbd8a89401c97ef28cf3e8389b |
| SHA1 | f9fadd82b9b57b892924f9656f2ded8446eb54f0 |
| SHA256 | 84e01c5ce54f5414ceaa757707001c2473f19d53e44c7a3b061db29bb6574413 |
| SHA512 | 2f94fbe0d1b48fc7579f4876a2a0605de5d94ce7e43fd7b115b1924b1364ade30ee40356b18da96746de75ac501147c760ddc4a9d67dc9432faad4ddf1c9b795 |
C:\Users\Admin\AppData\Local\Temp\QcYe.exe
| MD5 | 76629d3a9b93fe23481bb50a136c1747 |
| SHA1 | 5f8eadea64af0901255a51f30d8c3b56fcfbc455 |
| SHA256 | 25331bcbcf1ee758d920e1b85d1592eebbe2eebd34969b20c129391d3ee90e06 |
| SHA512 | 2daeca490f4a672a08b873da42e5aa3580e6f4e7d5ac8f304ba9aa73b982296ad6fd0a8729deb0d77cfdd25ddcdd68cf7d3d4aba1a5cb64c44d63e7db305d504 |
C:\Users\Admin\AppData\Local\Temp\EkIa.exe
| MD5 | a9907666443f0398620a5aaeef4a14fa |
| SHA1 | d30bc3a27cf7b8355496a129e0402b7ccbcbc187 |
| SHA256 | 622aa903e4fe9e1794a2c178665fd52d14064aa9e33733e4f6444ffe5ca29993 |
| SHA512 | 7429d983007b5e58f83b0e55e9543b4cca8acc230d27622b1055076cb05af31e521ead21d310219bef57f2f094894e0e1432957ec6371ec39ccce3a11918cac0 |
C:\Users\Admin\AppData\Local\Temp\HKsYYQcs.bat
| MD5 | 30bc8885c67b9b8d7eaa07b414634cb1 |
| SHA1 | e2c76c292dcb41b88b6b8eeed0c3ae15999c7478 |
| SHA256 | 0a2b7cee2a49da0137d948c1882fae541630f248d56455930929425a7f0275dc |
| SHA512 | b1409f3bde2cd1f92b64e5b960554f9891999cb9de4b4c223f9d470cfd2619978667634a40b66d1424f79cb74d1c496ed5b3863e43f79e25c8321ff428de9312 |
C:\Users\Admin\AppData\Local\Temp\ecgG.exe
| MD5 | 50bd445485df7b172e2915076ca5f7ca |
| SHA1 | 9169f9d18c4e4aa18752cf1dbd33ce08350e79de |
| SHA256 | d4501d8c6a123d975fe08d343bb5882c36119cd4a78e6bd99593747ad4835778 |
| SHA512 | b7ff9b76697759f11a680d2cb79944a8bd84934b10f1a6e041882d0b7b728b79dd91b81ead2612d1bbc2aa1cfa6c8cfca2512771c1e95410cf4210b7069c1599 |
C:\Users\Admin\AppData\Local\Temp\gQAY.exe
| MD5 | ccfc9ac7f7252cdd0aa1a4ccf55f9259 |
| SHA1 | ed443819a24f59b6546bfad1716936609befc903 |
| SHA256 | a405a9bd57cf0e2f4eb78a50e595e3f8efc4c72a5a09b76514e9158ae8048291 |
| SHA512 | f5aa2deaaa76737bfd644cd66a24ecc643d1cccd9fb8a7a1c04b8a44f78db2a0355ecd7722be53488c5488a0651870baf91cd3609420662e0d1fe2c54c5be4ee |
C:\Users\Admin\AppData\Local\Temp\sswA.exe
| MD5 | 840fad55c4f858a33042692d7fbd4853 |
| SHA1 | fc734f0bfc7c764af7b391806898be50fabb3e8e |
| SHA256 | 6517f4cc2e1a456e8987adcc7dc3bf9cc8e346bdc3c28a1e400d7698cba5d6fc |
| SHA512 | ad06ded8f9e4a6d5df0a3255a138c3602f4ac61f387c4498530e9b7548d3cfb535218bfd7f8ff92da2d225e7290f9800b3a3053199029eb4d19cc75ed98a5783 |
C:\Users\Admin\AppData\Local\Temp\IIUw.exe
| MD5 | 4c7913178872d7b174c188dd8bbc73f6 |
| SHA1 | 765ab1313d480952e4a009d1a96dcea00a94529e |
| SHA256 | e7fe0305ff5682c31eb107b68ed8b16e8db378a76aef3976822acf12a0fc2a06 |
| SHA512 | 645b5e884553849b78509837158b02b42204c9f786373e21525cb11c751f330b2145e42c10e6bb48fd70e56d874eb2cec149ea9691b3797b5a03c235417e90de |
C:\Users\Admin\AppData\Local\Temp\Okgq.exe
| MD5 | d3828914083f8f176167dee19884f578 |
| SHA1 | 8aff2b0f5b86eb609bdfeb9b1ab41e095f3a75ad |
| SHA256 | d8a28b02b5f5a16db162b0cc67e5a49085e9b5a304dafbe2659cb95b455dc9e9 |
| SHA512 | 8d87c46a9c0efebea0419adcf753ebe46403aa5848c7ef99d0778bfd82e78811c89755ac752e982554923f5045ee7189be44897613e6aa34cbb7ef55816932d3 |
C:\Users\Admin\AppData\Local\Temp\GUwO.exe
| MD5 | 40300daae3df6b55cc1476598c2c7054 |
| SHA1 | 4927244ade1e3a5715e1ee9e0de0d9226137f1c2 |
| SHA256 | 3e5abf4c4520ac4c421ad2de907d33e6e69aca71992d1e84e0979861615a3d61 |
| SHA512 | e7b7f967f4ae0c87655129980e484271200daff5d68388ae44f4751cd32aebb3a65e05ddd92d651a772f82eb17d03590cc6dcd1de60a239be8bae578ba0e903e |
C:\Users\Admin\AppData\Local\Temp\sgoA.exe
| MD5 | 9365647726c4252391ef430616aede62 |
| SHA1 | 2494e24a8bc7e3705250f55a5266dbb61bce7d1d |
| SHA256 | e7422e9f2613069bcf6ca0279886cdc5424bd696e56196fe05b3db341c04ed60 |
| SHA512 | 992d4905042f8d72570fe9fd7bb1c00b7b1e46d70eb02a8b01af096d3b01da9700ab67e72d09ef75f81b8be8163a060b974ea7efa50a66380d15928b64342414 |
C:\Users\Admin\AppData\Local\Temp\QYAQ.exe
| MD5 | 0adf98421737d63531cbcf17499bef2a |
| SHA1 | 972406a776c61d8e2fa611d8992530a85438ac71 |
| SHA256 | ea766aa64ccb0d10354ac458602b0f8da92b2130176d98cbde9cb609f7464547 |
| SHA512 | 5ac0ec361de4675de7a07b0cf345f03220db92155fd74501a81044151eab6d7eb771935b40a474edf22c10e354e545a3988d032e03e88fe4f816a3e920fc652d |
C:\Users\Admin\AppData\Local\Temp\ywkw.exe
| MD5 | 03a49bceb32f6498e3f8f25d0352d992 |
| SHA1 | e5de5e8c2582dbee73698a5a50ec26e3aae65257 |
| SHA256 | c03ee9ea9fd708c56d2af67785fa14680065c8374f40e89daff1386b3da1583e |
| SHA512 | c28a9e7039180300f2310d7b5adca4b47aae2f52177c2bca427f3f2a3ca2f2a90b584b79bebcc35236d4bb5b4d4273667f87c3353d5a85570c84f23c34ac47c5 |
C:\Users\Admin\AppData\Local\Temp\RQAUEoAI.bat
| MD5 | 82387f729ca085779c70ccda757feb88 |
| SHA1 | 2632ccb814ae8be176bdc00e9b038c60ff4d2829 |
| SHA256 | f3ce2f4bb4449342ecf2af7b17c7f7c6bc838a3be4768ccfb4298917120b6bd5 |
| SHA512 | c2b2a138ab8b5ec692178f56b35e3ed9dda2d95e07cedf4da8e3e6a3fc9aec957f5965a0626b95975c6888b9993a9e2a890ed622ce0d2b4f343071060c465c1d |
C:\Users\Admin\AppData\Local\Temp\yYsa.exe
| MD5 | f88c24f961fcd66b7b9788cdd7bb758e |
| SHA1 | 7e347223c6c4fc015f2d801035ae141139212b27 |
| SHA256 | 9db1902ebd7961c39d69d19149103e0479d4a061bedad70cacfea81b97b916c7 |
| SHA512 | bcc58beb9d72cdeb9af353331c4063e427119a2fcc7c2d0456777267d64606ba841a5f0aa24d646b9cc49f24623f12baf180b7aa1c4661f4e3c39bfb155d7b6a |
C:\Users\Admin\AppData\Local\Temp\CYIc.exe
| MD5 | ac5ebd504e056a5865e21af6c1a205d9 |
| SHA1 | e6c2f71871bd6577b988c093b98f3b4f420012a7 |
| SHA256 | e60ceae1b1840dd53a1861b3aded485ebc525e0807260e8d965f82fa12ae17f1 |
| SHA512 | 70e429d4355035c8a1270f2b52c1629991e42dd005dd77099263f95abcbe5911f42e9b7e5f127984a0b12d34e1cfb6b87a16a8c41274b11362300d0ceb96f5f5 |
C:\Users\Admin\AppData\Local\Temp\uoMe.exe
| MD5 | 9d4104b56247f0a67fdb894b46333e98 |
| SHA1 | 9c6dae732aefbf2f0b8fc75b49d03277d2cce0ec |
| SHA256 | 684b3fd800dfe99d7b1a23e4d08630c47212e1aff42e1a3c3376001c1721cc69 |
| SHA512 | 784d0a2d45bdd5cb6ba8ca2f381a208a6601ae1af8083482ea00ec2afb0f5ccbe370e4562b78168c9050b38f280de17cb3d441af0e17ed87d3673fd1d24c3ea0 |
C:\Users\Admin\AppData\Local\Temp\IIQo.exe
| MD5 | 077bdce7fab4a4e3a1d29b6262207ade |
| SHA1 | b3318ec4c6e3a59fc6d64da6a7d65a5946cb8cb8 |
| SHA256 | 8dd3e13c9bce60c5aab39f7bcb0a2b356560a629be8841a86bc2a7338964f787 |
| SHA512 | 88cae7a7a3dec5ef3f5f427189e79cb81d04e16b33954506212f521aa6680b1770169da1cf01d95354d0d3c3ea90caf5e1c090d7e6f018ca108640c66e3095ca |
C:\Users\Admin\AppData\Local\Temp\MkIK.exe
| MD5 | 44a31119e0ae7c97937d65d702233148 |
| SHA1 | 1879052f8ec4d3fea1b6aae3a5eb93f8e0b45b7d |
| SHA256 | 6812cc389a48d1284454c026389ea37532a0ba59fe0168a1b0ba07bc0e600af6 |
| SHA512 | 2621864aa1fd84fee7d68a11e331a9c03a46fde13f6a03c2443b10bbf34bb8c891aa8778981f9bcf2e4a5cb0a11586a5112095507c6404745d3f837739522caf |
C:\Users\Admin\AppData\Local\Temp\IccK.exe
| MD5 | cfb3b5113402dacf390ef5a0bb0ee1df |
| SHA1 | 8750eb673cc054760a72824c0749184f129dd6ab |
| SHA256 | 57ce8cde73cc09b0210e1cd16e7cef0b4ad951ce79074ada3ef4428f9d6e94d6 |
| SHA512 | d760d891eb954da4a21fbc7fc7661388d24037043f9bb025488f12710a47d28cb339b3609306b6b071aa4840dc5cce60a60b9e476666d9cdd9fc66b09d5a59e0 |
C:\Users\Admin\AppData\Local\Temp\yIge.exe
| MD5 | 6b7c1b337daf831dd56d0be06af10301 |
| SHA1 | c39f75d1e08e6e4bec5e193d56213b50cef7d1c1 |
| SHA256 | 20d93b36d3643c598067a42cf719438b88de9701f16460a1e1a4a497b076d7d7 |
| SHA512 | 07bd9a08ffdcd58c02e1d116e406754efa0036bfbbe3258d77060c144f356723d1aa8604a1bccb08c612b2652381445f1e5f7471e58c5e48e986b57f750b2f39 |
C:\Users\Admin\AppData\Local\Temp\KIcc.exe
| MD5 | 83789bf856591fcd213f53333145cec5 |
| SHA1 | b3524c33e3540b0f3e3ba16ff13887ff4575e6e3 |
| SHA256 | 27eafc8c663abd79ea83b72a2077b903f83449e3bb148488fbd641df673c060b |
| SHA512 | 4a06ebe3f2a22d6723506b476c186a54e75dd14701303075d7febbc26d06724d1776de0e4200f00d340e9f7b629e6e3e671b454e31bacccf18419a2947f9470e |
C:\Users\Admin\AppData\Local\Temp\CiowwMMs.bat
| MD5 | d7601268988befb1e98c478ce1a98797 |
| SHA1 | f8692396383f398414c57a4bd4e77e2fb131161d |
| SHA256 | 091844e47d37fb0608c8e02c2af10ea4d8845c500c55a4a6cc5b709d8da0b433 |
| SHA512 | 5cab6c9c1ff97308a26701505a1973f173306be14a7bd343d64f05a97d81001bbffcc5c46409b732f562bf0442e8ada168c016dc7661519f71c58563b8c95ca9 |
C:\Users\Admin\AppData\Local\Temp\gMoo.exe
| MD5 | 65a619269ac9b6f8e78a26619eff32ac |
| SHA1 | 8f5a54ab2510a716bb32d51758a417c1794708b5 |
| SHA256 | 0f4c9ddae7f52e44f0376b09cd7d06bb115e22d90d52f2fe2c5171f6700b1390 |
| SHA512 | bb3bd1ef0692c06b12f6693609694ad8fe28d8a4b6e5f89f5608bfa48cf2dd88a3fac7724111426df37242330d2ced7ed6880d479a1b53f13ec0aec8dcdfd6a1 |
C:\Users\Admin\AppData\Local\Temp\uUME.exe
| MD5 | 4b8b1dbab8546fa4418d4106be065ac3 |
| SHA1 | c1b68158552861d70ed9231b9bf67e2bbcc1f44f |
| SHA256 | e77dc63793333d654addda924c4fe6c5824e3e62386244c3e0c8d064af359393 |
| SHA512 | b1e710a6f78ae5145dd23d3911b0d1fe61be52c5d89d54dc39025b7914fc33ae27d01abb354f5d4af2166cdf41f3d3441134b0b3b5ea23cb7c424f83713333eb |
C:\Users\Admin\AppData\Local\Temp\kgYo.exe
| MD5 | 8592fabb5e81e3cfb461eab3583be05c |
| SHA1 | d7e7ed503e9415c6ed79cccf03bdcf78f41e033b |
| SHA256 | 983832ae3227a5802c08fc7a3cc89403e373ed876d4fa6a0c11b0f6135a219c9 |
| SHA512 | c8efc27d08c8dd93bcf98b45ff7645990b464e2ce6bb03e5aa690bd77c0835d93583eb3aa865aacf99b040f5b26dd1a5b9c83f012001ceaebb5134c75cc54b84 |
C:\Users\Admin\AppData\Local\Temp\wEUc.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\kcIW.exe
| MD5 | ee18e0a4b997970acb8f41e8f38d6057 |
| SHA1 | a5d5a345d7d5bfed8c29b79ba570b13b6567cebd |
| SHA256 | 2f3b087177c405feb0a7a264dac3397efde823ec0091b763e1b047bd13092aac |
| SHA512 | 00b7f55e8e75b33102b150cd524c4e400c5f64e0ff5d6ced6a1b91890ffc53804dab34e04cf50688569144e3200a648849d32f44a6c955f344a5cd5684acfeb6 |
C:\Users\Admin\AppData\Local\Temp\aAAcoQkA.bat
| MD5 | 802a891598f0d3b43335b825c49e3892 |
| SHA1 | 7db452f7fb4edca00a4595f69b6cdc16e6a22f72 |
| SHA256 | 32ab5dcfeb93714f84381b0262e63c452201bacfb8a7033ae061f250c5d3d74a |
| SHA512 | cfa6c2ed59db071c95fe4c166ce23fa1f0f8b25a01d35376a0cdf1ac0780fbe608e9926deeeb3f43e543e8253ba3ea96d8a3490e5a14ca89c9566154cd9c2d76 |
C:\Users\Admin\AppData\Local\Temp\OUQi.exe
| MD5 | deb1886459691ffe5c0d15da988147d1 |
| SHA1 | 716e6d5e4e76edc5b485451922ef65d4bedf5a68 |
| SHA256 | eaec101745db25b6e1ce132a3baac898880b2a9acf2fed87069f339334580f48 |
| SHA512 | f3668d04920bf6643b5bf05ccb7922ca7b4ee6c93557a6676e6cf9a56f91c734e442008b8685e4e7aec34421809314d1d098f8eda6a0526dd661f8778aa552ee |
C:\Users\Admin\AppData\Local\Temp\MkQm.exe
| MD5 | 5fe0f8efb5c95fa7c90d2c8e6e508758 |
| SHA1 | 38e75bf0faefed12a0d654775e72771f422e76ce |
| SHA256 | 0c5e099d42b9cfa9095a72fe0bee966fa25961ea8cc1b6a0e8cf609f35ec7696 |
| SHA512 | 35fc1f4e3be6b7800af7cc5f88d5fbe7ae8d075db8107246098089eaeb4e9c4ff72caef6c81a1a670166031f49dc9e1e4e2597fddc69bb069fd25abb9881cbf1 |
C:\Users\Admin\AppData\Local\Temp\IsMe.exe
| MD5 | e9db6e2c18edd60c33158cd640a773f5 |
| SHA1 | 2e2230782040376724fbb61b42f1bf7461097e16 |
| SHA256 | 70914b431b85343981992badf9937383b07ab7eb44cac5905a95a07a2fadc71d |
| SHA512 | dd5bcf9a9f2b55976021fae9e230a6b5c522916c097fe0bae62da139a2a16add86ae335b179aeca32e794bf2048d3ea4a2ddef606f1a4b7bd6a88b8af8543d83 |
C:\Users\Admin\AppData\Local\Temp\Cwow.exe
| MD5 | a1829c1561e98693124787b7f2968663 |
| SHA1 | 77e09bbc01b85e6b0faa3a03f56823b9278db2d6 |
| SHA256 | edcbef4be5cc252f4e28b996b6082ed05861dc190a004d0f80420828f6446879 |
| SHA512 | 9a654cea6db8363db7335e9f008065b056370bc7a0bfb300f415bff607a3f33232032f8ea5e182d2d316c3a664a07732bdb728fd1983ee574e0b7570ead89593 |
C:\Users\Admin\AppData\Local\Temp\eQMi.exe
| MD5 | 2026873f7f17f9e7d619c6bc5837aa94 |
| SHA1 | 711f6153da5bfd9d1b697d6577b692c65597001f |
| SHA256 | d696f6ecc95a225f4bd8dbb193dc4fdd118a3b453a0b19948d92e734876450e0 |
| SHA512 | e507bfce05f17cbd91044e794419cbacd63e84b73272981c396dda00b8f322be6f766ca0ef99c3adce44c1de45300edda1827e0bf44a398d965aec48b9b9ed83 |
C:\Users\Admin\AppData\Local\Temp\ucce.exe
| MD5 | 380276e138b20d1e7b26207057905966 |
| SHA1 | 4fe92932172070bdfcffbcb91354374141d99863 |
| SHA256 | d7ea994f4c0179ccae09cd8ba5890603bf1382b2390c15c170ba6fb67aa091c7 |
| SHA512 | 1270d14c398103ede9db3e7cd3d70f9630c9ba08c47e74086c5e70676c0c08e05eb9b2cac02c28b07b01171b45fe0e38a3573198078c39910c2f84c239993733 |
C:\Users\Admin\AppData\Local\Temp\cYYO.exe
| MD5 | b57cd0dac3cea3fe57156a7b94eed108 |
| SHA1 | d58b0104ee2f33e3ef0ec89514a91dbe6df7ab13 |
| SHA256 | 088be4c21775378a4562e47c1f116d879b4900c22716ee413a0a2da67093c4c0 |
| SHA512 | a005f745fbf71e0e6e801d1ec544ab3a4d6646be764c4b03311df822f96d8b53101593594da9e2c2d8cebda9c7c0f0344274e7130251147a232dfd7572b2757a |
C:\Users\Admin\AppData\Local\Temp\WAgwAskM.bat
| MD5 | fb6dab3045ac042a3fbfcfee915651d6 |
| SHA1 | 3bc329fe1e81640a0c04c61ca42f129969ff0b34 |
| SHA256 | fc904ea3c3cc4eb5bee1397043302e94ec604609394589d09db56a10dfaf8db4 |
| SHA512 | 45dc0edd8c0fe24c4e593bf91f139fd7980de06a5002397cd49c097de9cd7ddde8189cab9400ab1a2e33b012b8ab8980b4b267bee4949b6f63b40f3f2c56c865 |
C:\Users\Admin\AppData\Local\Temp\uIMU.exe
| MD5 | 3229a8807a0e357c9c128a2e381c8303 |
| SHA1 | 175d82d80aed35ce0d92c1ef5c19e37c5ad55196 |
| SHA256 | 758c152601b14da4eedf9bcc5722855f054776523196377198a61c351da4e797 |
| SHA512 | c5129301793f28acafa4e076c61fa763eebb9247e88c7ba3428904d7ecbc2a8c80eefa88e0fd93203e34471d2ce9fcda63a4c0ed072a4cd94d969b90588806e6 |
C:\Users\Admin\AppData\Local\Temp\swgA.exe
| MD5 | 9f159c59f8ef0076882f717cfbddc8fc |
| SHA1 | 5648a687a720106c8663829ee0d1392686f46064 |
| SHA256 | 22a319d47220428e72c815686e71856d7a6580543c3ab09e3a684dc6738faf2e |
| SHA512 | d3d3e4adfd227326116a9139d343b21babf3aa3b25760947f0af493a27a4cf46141373960920324b82ef84f53e475f6a1dbed5b90bda8560162e9d3e0e661270 |
C:\Users\Admin\AppData\Local\Temp\CAIy.exe
| MD5 | a5fa335a8826b46aea234595d96a42e0 |
| SHA1 | ca837f8d955e2829fd0ece2a953733008c030825 |
| SHA256 | 798c5052fad0d054c9eab006de494b03ed69cdf639e27c543611f480806760ed |
| SHA512 | 5dea6ee0ade16f9bb5eb080f98e3e5ab0d0c3601383ea658707fd222a87289198255b24a4b6960963931e92127131547523db0f75c6963e6d5eb60a9a271f778 |
C:\Users\Admin\AppData\Local\Temp\wIMw.exe
| MD5 | a83d185a443e2cc5160e0257408d99f1 |
| SHA1 | f42e0562284dd24d245fd9548454270b51550433 |
| SHA256 | 5330163856e1748b172b2b5d018e0a2bcb1dad01e907e9e7744ffa86cf6c6d29 |
| SHA512 | c356ec9967e20b82d95e3cbf43dd535f8112263568c99a867c88a0ef2ef0e681507752bb0f3f362bf354580422c9c77a29a282abf2923e63e5ee7c5a23259d20 |
C:\Users\Admin\AppData\Local\Temp\UgUG.exe
| MD5 | 258f91af3d433f0bf894d0880543f5a7 |
| SHA1 | def4ec62bb27ca7d36f63b897631e7c06189ad68 |
| SHA256 | 7333e7557289ef565650f498fd88291846a4e400100902dd2a579bee7a880242 |
| SHA512 | a47a60d460ecdfa3b52bb4996ebe1750aaff58d76c292ecf211e45fec4d76252616f25f125b000cfbc5b24b2ef7395cac197de080d3ed7185109d5baffa30fd0 |
C:\Users\Admin\AppData\Local\Temp\isoi.exe
| MD5 | 8f570ce5dbec1b5f7b37cc4f92147eb0 |
| SHA1 | 0ad0c0f48fb4b922631c03a00c4f8f587e48cded |
| SHA256 | 9aa4285200c148a079e3f30c94493243dbdff7f92ee498c79dd9fefb7f105b5f |
| SHA512 | 6061c0eb28bb7d077768be6e9827e50fd21df0caaac64c95b5d96570092f3ba5313b2e9168bc39f3e64156b3850a8c29d67762e2bdc4945acd46e8a2f44759a5 |
C:\Users\Admin\AppData\Local\Temp\qAIS.exe
| MD5 | 465e5ac9d271d3ab995d300ad7ee6559 |
| SHA1 | 24d9da1df103e610906f3735eaa5d778dcbb62c3 |
| SHA256 | fee62a58f6889a72fb04b1d1fa3453fdea609873df8b20946d40ae4f5b1184c2 |
| SHA512 | 848a68b16f53c3a8046bac02ab6390bedef49a03b3bd1596fab29fc9f38fb3283ecae16a1b6c897cacde250d9d44d800f9eeac73474d4d368acd0f655f969aa1 |
C:\Users\Admin\AppData\Local\Temp\RUIQAowE.bat
| MD5 | 5dacf64d428924c97dbf2ee4bc75b8ba |
| SHA1 | 5bccbaac1924ed16d1ff699063e08630b2d9cb59 |
| SHA256 | bae4751d1a351e5d96950e610d4321d042fc1d5645d17ca0420403dee619b24d |
| SHA512 | a46a89a2479c06651361b643485263c0da2429b098c224c41d2eb9bae0947f24c62a64fc943ec4e3fb228e43539714813a67afbce689f27d8e37462d218841b2 |
C:\Users\Admin\AppData\Local\Temp\ucMM.exe
| MD5 | 9a7f173895b7c1785ded05cb91648ba6 |
| SHA1 | d324582c49a9226e78a9376df639925850125ccf |
| SHA256 | b258c6f6d890b3208f99bb49daee3e65edfac542a2f6b5699c07a35f7712daa2 |
| SHA512 | 5890026cdcf787f017fff7ed4644b93bd227985f86178d5493a1b01b4655d9613061a750a5c4eb491429305a1bc1a164c03508808346ae2c6336e4b50632c719 |
C:\Users\Admin\AppData\Local\Temp\ksMI.exe
| MD5 | 3a587bc63ae45e0fcab0d3bf015344de |
| SHA1 | 85aa4fbc389da65eb5c15f4bd6434c335c3b605b |
| SHA256 | 5bd373506169995332af0ae345fa48943add83a5a502ab43290c54218a639df9 |
| SHA512 | 362695f2d22ff15c038ee935a7565a23f8630dc46639fcbb5a362f7d4a1f2eac47ab686eb1978c2cab31c6bb6da3dd77ec75d3e0b679a948a849171d6941a124 |
C:\Users\Admin\AppData\Local\Temp\sQIc.exe
| MD5 | 9f6f582dbafd046f5414d8d440f97ad5 |
| SHA1 | 2b9ea99de02fdb1bacfaf6d34d761ad155a2fce4 |
| SHA256 | 81bed3020d7f02efbc23d015aaa6baec6c2dfcdf0ea1c1f08cb9973f7b8daad1 |
| SHA512 | 8b4577f26f19dd98f4638d837fc6e8b5cc553a148721ef24c6375cd206c613bf3010e956e1f4088fee9758cfad78e55e91dd0d39a63a9dead676f44605cf0981 |
C:\Users\Admin\AppData\Local\Temp\sQoO.exe
| MD5 | bd7686f16d7e00e7597952dc94301469 |
| SHA1 | 1e6733a58a963245cb98c2677f4ee91de48469f2 |
| SHA256 | 8c3dcebbde82d1e836742679fda4bf5a2ea20f766e23c633ead5d9f3d5402990 |
| SHA512 | 49a8e6f5f3c97d42cb8a922ff0694948ab4b8c3fe561e2a10849f21e82d8ba46ef168021280ac7dc1e37a8748aa8648f21360810eec1191dc17f82ebced4cb49 |
C:\Users\Admin\AppData\Local\Temp\ZgkUcgAY.bat
| MD5 | 666d6d55131c5a7dea390c1fd3ce8259 |
| SHA1 | c0fa4bef6d601447716a3af0c35f0bdeb2179bbe |
| SHA256 | 3983966e2b293976bbcfeb8842edff125e82d07839d494b14c8c2a26b4ed1c97 |
| SHA512 | baab951d3dfd7a6ca7bcf7d6f77d79bae92342cb5a2587f0d3498dd4b91c7ce456e9236f7c211f4d9341595f84db69e053e2d812d47af4e2ac10c765f223bf5d |
C:\Users\Admin\AppData\Local\Temp\Awso.exe
| MD5 | 17db3a7cd2228cd176e5d5e150220f29 |
| SHA1 | 400f415b0263e6b7b5332a7a87738f93dc84ab25 |
| SHA256 | baf9fa1274bb63a003c9aa78cd970995ed483d597fdccd22c338fc5396d80798 |
| SHA512 | 8074f30fdab210bf9de46930a065be46362cbc51cebaa6a33e8f23886ad8994c7873b8d11c03f94d8b876b2ee5ed69b6a03f5154178b858f0ee4452a7c40757c |
C:\Users\Admin\AppData\Local\Temp\MgEe.exe
| MD5 | c20f3ac048282669337ed5c2926309f4 |
| SHA1 | 0109a9c9422b3c58eac93c4119a2f1acd219e5bb |
| SHA256 | 09f0c5da2e1137195aa84097e07ce4cf7277bb00cbf070f57b02f341b518eff5 |
| SHA512 | dbada33a7ffad3e5a910371a54a7bd0cf003811a16f5cae259aef25ffa061e5540abdb0a97688154ad2d4e14e32851948f4e6d5ff05ca1c439dc35b9feb2694f |
C:\Users\Admin\AppData\Local\Temp\aAga.exe
| MD5 | 403ac20a079a5e94902600b3e0e11baa |
| SHA1 | a0986c8e17ceb5445b1f7a0e36b7759a447479e9 |
| SHA256 | 6c9f63308e2b2777dbc127c551e99a78e9b7154f5e054822794e90415958a833 |
| SHA512 | a93c66df80dfa4dea1a0b9c1394dacb8c4377a3cadb05c81f8b169df2ff37252d6894cdc8775184f764d09f07a9200ec0db2eb99b47b59501dba72f8b4a3ae7f |
C:\Users\Admin\AppData\Local\Temp\sUMK.exe
| MD5 | a737b73e7d73e5e774be9ad7016704fc |
| SHA1 | bf8f4521fa3bfd0b42c88e84ecef484ec233ab93 |
| SHA256 | f4ceafd1a6287508b6a93ed7872df272cf80fe6dbbc295cf0ef537b8dc32414f |
| SHA512 | 8396fe7476d21ba30917c88147d273247c5685287daa54b38ed9777b14ddab7bc29d6f4656e1c9102447f70a04d78ecad48414d299e1bca72a557d5bde5e17ca |
memory/2564-1562-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Iooo.exe
| MD5 | 80992350963e338469a6a98bf3d718b9 |
| SHA1 | 1a01ccf92e8594da19563a656088219b481aa0fd |
| SHA256 | 47ecf1b098aeaef05b46c7eb5b8ab99c9735cc97e6c574dcf92a572fd96588bb |
| SHA512 | 1c793c38fb5949db42b5e49d177c2beb613b4a72f765a4889cdcf792ea37a1894f4d936b0d4a821ec9567dca4c34b351d834c2c18ea4527b6cd5836baee3d812 |
C:\Users\Admin\AppData\Local\Temp\wMAQ.exe
| MD5 | 01486c4835a44d1fd6ab5ff956db6d39 |
| SHA1 | 9fde8942ac9ab7346469ad3ee91cee3a09a5e933 |
| SHA256 | c8c002d3db5c79d17282c7c4f3d8879f5ff9b6cb044ce6dd11849109e2eb24ac |
| SHA512 | 4125e0cc59decb2bc5ed320fe54731c55f209b4f98adee1f7c0978f670800e7c7502064ad2ff3ed14c0b65c0b6bf0be2ef9bfe2448298ef21274ac96e888d5d7 |
C:\Users\Admin\Desktop\RenameRevoke.rar.exe
| MD5 | 7ec1214eb69e6dc3245a9f54b04195bd |
| SHA1 | c0ae4575d1a4d826d65d6b10cb89ab6e79f7c016 |
| SHA256 | 774b1256c08ad4a865247072b77ab9022823d287d2d02e4572786bbac8d9e0cc |
| SHA512 | 7ebf2f1a47d3885528d382e94b7f08c4dee73c15206840da5c37732c4b7c952283d792f0306017a6e61effeef945bf9ae6bb2e9609f2a1412761309402e0e76e |
C:\Users\Admin\AppData\Local\Temp\ywMA.exe
| MD5 | 46c9682b5ce800639f01b0e92ed43514 |
| SHA1 | e93d07f7084d5bc62ee2d578e1bb5b281ce428e2 |
| SHA256 | 628fac3d977f1dadb4f814ddf09b169715462526f6faea86505b5d996fee022c |
| SHA512 | a0b22e20aa4cfb9408ee8f964d5f6156b78e70d7bf717abdcf4b6cc51a1e4b938893f9f1478181b9f7cd11f7c067da4675d579775e356004405e81afc4a737b8 |
C:\Users\Admin\AppData\Local\Temp\sMcW.exe
| MD5 | c48745f22633a91db1cb52bcfd09a9c9 |
| SHA1 | fb3275be679086d6273d5e799c422d8230aca73e |
| SHA256 | 677f4573f5b183728063d509efde5036032997dc82c77e943efefd7cee5608a8 |
| SHA512 | 9352aa8b187797311665c866d361220cc6924a2bb45448e40e18a6bd393540804ccb2fbf769746cdaffd94b2f9952c50043f5a0bee322609d13f8d7e38d4a6b5 |
C:\Users\Admin\AppData\Local\Temp\Ugow.ico
| MD5 | 8e03abdaa3016247fdd755b7130384bc |
| SHA1 | 08dd2d9541e1961b06957fe9a19ce83aeff51a5d |
| SHA256 | 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8 |
| SHA512 | e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f |
C:\Users\Admin\AppData\Local\Temp\iscm.exe
| MD5 | 17490e0ff68939958735a6db55296906 |
| SHA1 | e0829ccfaca6c13ce7f4e3d7ddaef76dbf905c60 |
| SHA256 | 404764978e1e21309ac16fdd874a8e41b747630ede0a5fa937e04c7d8bf6b5a8 |
| SHA512 | d6528fe2965f4a865e4de0a3f3505a4433992b083cd01276d495bacd6dc47ee58f2acf47e709ccd241a27980a9adf1c0e02447fa8842d1487dc49c811f930b9e |
C:\Users\Admin\AppData\Local\Temp\UUAAwgAY.bat
| MD5 | 89ed26a6c5738540a5f15f05564b1600 |
| SHA1 | eb09aef38be1f5a4bcdc76f3a6f85b556b01fcfa |
| SHA256 | 6a39de31ff911668c335e75ce0e68998708277e14e23a4f50dae61f69c8160e0 |
| SHA512 | 056ebac872c10af7057371c23393d714985d68b71c9fd08f797c2c022ac1c504435589e907967e0c2c32e5a892586529660e1d918cd090fd8020529fe7bfba28 |
C:\Users\Admin\AppData\Local\Temp\EoMg.exe
| MD5 | b3bf95de7ad9481621528788a0dcf062 |
| SHA1 | 5d122092059410a1b5a5f026bf74c18ca3aa147a |
| SHA256 | dd72f0188940fa90977722d68f03575ac77ba9a005bbf89537cbf854a18232fb |
| SHA512 | 705a0a28762c7f4adae7a4e0f2832b180e1803fbb0692380ba44e0b10b2ac1c8593357155b5a51b63270c6bf816e0ac44fd70770f82fc5d3a3d8f9eee522b910 |
C:\Users\Admin\AppData\Local\Temp\cgIU.exe
| MD5 | d17fc9617cdb5f36341332fe63f4bb75 |
| SHA1 | 8f3cc3ae19bcfe7bd9237324bd42f62c0f1c3978 |
| SHA256 | 1d7c0a76f9e7128a77fdcde83d94f982e4c1685cf442f2ef3bd0519a48c71414 |
| SHA512 | ae3eb697787b3cc108a5364314e9ea36a72fd4ef8b1caf23bfd5c37d2d0f887eed92fe0c2a9bd264f43741e1d262d76d1ad9c9c3cbf2cd50f5a0ab9e77aa072c |
C:\Users\Admin\AppData\Local\Temp\sIsg.exe
| MD5 | 995098ac876479fef9a152891c4ed954 |
| SHA1 | c9efb45f82d0c75dfbf69a7f8c1dc3cc2aaf1bc0 |
| SHA256 | 2e53d8c43f640cdde67016177685e0cc87ef3fee0ab684e5164433771c1bf654 |
| SHA512 | 04dc6e933a767f3f09744d84d5cbc3e4c80f1c75c069376d3c117e35b38705cfd6554a45902f68c794f7e9f6d0b37843a2c9e94154d4e3950f53b99ffb06152d |
C:\Users\Admin\AppData\Local\Temp\eIIE.exe
| MD5 | fa4937b6a49ccb1470287d753e91e000 |
| SHA1 | a6035e8076824814bb312a4a6f02c25807282e31 |
| SHA256 | bdab6a9d657473d34c2bce59d5525da8c18ec8c2ff947ed1e0e21865e16bb94b |
| SHA512 | dff56df6ba3e4054b42d884f121f62b99128672fae1308c2ce8a37aebec3d732b78785f668a808ddc75fab2557c4d6ee18ea1b1db715f7431b9e30886ada8c91 |
C:\Users\Admin\AppData\Local\Temp\YggC.exe
| MD5 | 6ac43ec4bf53be13304cec452d4cf6fe |
| SHA1 | 01b86d679432fef147dbbb0542aee8631768638b |
| SHA256 | 2ed9464faea06bf802f663d531cacb5551feb2732ffe173bfe29c6781b91a3b1 |
| SHA512 | 4685433e5d1184058297fa9d1a0edb737a399df564fc9a21e2bdb014948cc69ce926f03b75ebc8da5696cfea29f3ea7b612c10505721ffb9337ece6a6aeb5973 |
C:\Users\Admin\AppData\Local\Temp\oIQO.exe
| MD5 | 495db058df21c8d26210285b50f69924 |
| SHA1 | 6e81f3967cbac0d7f46bafe2e329ede6068bfc0f |
| SHA256 | ac2ead57432e35c2b4b90b6c60e6fe9ed10a77b7fc86985b1b21b92f93caf4eb |
| SHA512 | 0664013e7f7d3bac28a41ddb69d5f044833e8e28dc196a48ea822b4212e416d39437a33af9e675a2463edb8735419dcdef1e10050c04d006de4fd541b4c8b041 |
C:\Users\Admin\AppData\Local\Temp\QAUQ.exe
| MD5 | 8c19be17963665b9293dd5d75d128b9a |
| SHA1 | da560bb81bbaa0e730363c094e529f75db608778 |
| SHA256 | 392c16cfdad10f63757f5126390fd0d0e9963ab1b7e4904d38707d84352741a3 |
| SHA512 | 97189c20c7f34d8a3c72919f1dd39d011b90b0da3e9b4c9ef4fdb012e2ddb14e76d76cd7c1a6dceb8e2554954b97cfd5df65c04c13021e00f8b28d45457aec1e |
C:\Users\Admin\AppData\Local\Temp\gUMs.exe
| MD5 | bd3a86ff3213cb1c67d1fa9d9e2f0c54 |
| SHA1 | 1159206349c6a942492765d1d816a90193a9fc6b |
| SHA256 | 7c330f05379a5a64647f1afd75f87ed14b6b8ec65de408f6668b63082ad91ee9 |
| SHA512 | 84c5e2ee6fc601123c8e5b1acac2a9b115c1de0efabd0753daac8726b3a3f18cc5823ec5f814d31386061c53e0e6432733d40c7d63681cd7172f4d9c313ccffe |
C:\Users\Admin\AppData\Local\Temp\WagwgoII.bat
| MD5 | 9dce764f25b89c38ced629eaae5dbdd5 |
| SHA1 | a3c9f8f8fed7931b2f8c2918f7ededa219cae9fe |
| SHA256 | c094792b52b87aee1db5dafba629a2ca54d3a71068f3fc3b11af0214f437e973 |
| SHA512 | 1865d0cfd86bbc5b3cb48472bf36ea13a8351166e2398c6a89dbe0dea0de88d659c52f2a7c8a2f870f01f4961fe187b4de81f21ba64cf50c3bb61a2d0792a859 |
C:\Users\Admin\AppData\Local\Temp\cwEA.exe
| MD5 | 2109d2fb66e77e0457ded20d4126a5f4 |
| SHA1 | f6069102562556fbdddaa7bec27054d77a0571b6 |
| SHA256 | b4b3d9717cba80308debda2dddd86016d4047bdc49ed6b1d656f6ddecb1ded82 |
| SHA512 | babc1efc1f9eeecafa83f34ffbe79357d443ff00ea4b3acfa481731a7fd09cd45569a93fb2239252e1a18d86410c1bef9c1d1649daa09a976f5e76b1413718dc |
C:\Users\Admin\AppData\Local\Temp\gwoA.ico
| MD5 | 31b08fa4eec93140c129459a1f6fee05 |
| SHA1 | 2398072762bb4d85c43b0753eebf4c4db093614f |
| SHA256 | bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6 |
| SHA512 | 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d |
C:\Users\Admin\AppData\Local\Temp\oUAEMgIY.bat
| MD5 | 1c753cb3bd0b2a444693fb2e46a7f5d2 |
| SHA1 | baa471a929368ba0540e0f8fecb59c36dd00ad81 |
| SHA256 | 5c96050c020a40b2ad218ed5413d59444fa249d8be33cc9fedf3f61190497596 |
| SHA512 | 033f0e6f3f74b58982d1c9d896d5d039f5d4f1dbc139368b36067b0d1f6ab2569c6dd867ccc3683d875a066ec34dd20d9e0d3f7fcd0dba366b7fd2564e768509 |
C:\Users\Admin\AppData\Local\Temp\MQIe.exe
| MD5 | e1281b7e80686dba49d57bf26ff7ac06 |
| SHA1 | 2f3d026383828d6c92130493a72b90a6150952c9 |
| SHA256 | fed4a1ac3db19eb9fed38cc99653c0bc68a01589ae9384b506e984493c3dca51 |
| SHA512 | 6ef9727c86201b27896100b997101aa008fa89029d57665f22e80383b61dce4a5963cb2ca846becf093df7da252dafe56b0591ab3abdf73ee6784d0d40d060d4 |
C:\Users\Admin\Desktop\SaveImport.xlsm.exe
| MD5 | 34318deaa75497843fa8f83458047071 |
| SHA1 | b75e5fc42e47a8014a7758b382c848083ca35f06 |
| SHA256 | 9369d3e9205daad3c61b6ae7a3fc5fcf632a0a4bb5f8a62b8a3622d7488569cd |
| SHA512 | 3bd65c30dca984727c85ebb7a78c909381d5b35b2afe9912d88413af71f2a526f89c9a4ae90a577994f0cc68ce47eba5ea1947b998102ff7d17e9c5a2e4d1478 |
C:\Users\Admin\AppData\Local\Temp\aQgE.exe
| MD5 | 7c892eb21036ab40d9a22b63a4bf40bb |
| SHA1 | d2b45d08160c68351f524d8852e06e594414f7eb |
| SHA256 | 1ddd1b9f54cbe9ae8a50cab9d0b905b79e72befcbc8d91b8735a8d8165accabc |
| SHA512 | e0709a65159c598d6fefca4b79be61a8f31b82005c78ba4d853c20cfe99029a47c982e62c93de9e4a5aa651a92641df1ac7febbdbeae8f4ef4f872353b98c6df |
C:\Users\Admin\AppData\Local\Temp\UQQe.exe
| MD5 | 24e92c4f01b4fd385f4083dc9ae5d118 |
| SHA1 | bfcdeef4e818c8c88c47a196a91b09ee7060a067 |
| SHA256 | 560f35718d8c91ad5471453be9eb7eb09526c9bad80069412161e8d02cc18e13 |
| SHA512 | 1dd6fdf64bb715e64fd031561a0b0003590308c52b75eb2fa458e3d99321c0b3f9aeab0405d50e6dfb6126833a969fa5a792ebc499eff3527ec8bf6ebd274703 |
C:\Users\Admin\AppData\Local\Temp\cQIS.exe
| MD5 | 2cc8aa0d59ffad09a9ff41a0c8184b6a |
| SHA1 | 7cbba21caeff4f495bb241418bddd535de88e415 |
| SHA256 | 7d5be568fef3fb2bdd9caeda33e728d4c5e263e702b42c810b4da49015a568c7 |
| SHA512 | 14aa3389161df7e9c73f3c18958560df350b4017f6748f273c020b80a5302e0dc3558b79388259d7c4e8b946fe61e825cf4812049837acc3e7590043e57aac40 |
C:\Users\Admin\AppData\Local\Temp\FOEUcgIY.bat
| MD5 | 15badf3110c4f7971a75d092426c300c |
| SHA1 | d9fd8765b5929790d8153c1975cb0ca35b34881c |
| SHA256 | 87aec5210905a86d16d359de1b168d23fa2eec9ce28e19539466873247dbe6db |
| SHA512 | cfc83d979e59cba90a86a9f2c9c7d6fd1a5af3f385d27783e9fee1b4b8b3adc10860993198e03dda28148f90778245be168ccd7ce25bee25ab4f4f4755461255 |
C:\Users\Admin\AppData\Local\Temp\Ikoo.exe
| MD5 | aaf0bce4c231b647e66837e6c30f733f |
| SHA1 | ed58a7b51f2f10940bf4d9bbc2140369e9714072 |
| SHA256 | b4e92b253da238db44fac6b9d1888d3220c5f2524d28f177414ae4ea743dc11c |
| SHA512 | 5bf0781113f55fe5554c71fb6d0d4bf50bf8434b72aa095c7f36c248ffa108a8181b9060030c41e9c15cbb436278236b8f65a4439964aa42e246ef3f0665a972 |
C:\Users\Admin\AppData\Local\Temp\sQga.exe
| MD5 | e88ffd390dc041b12ad320fbb26f5a98 |
| SHA1 | 2b0770408e2c08208e5974c83302ce4995ae07ae |
| SHA256 | 1c003c5ad8783ae3a442efb50dd7690e673c26d503a2e960cadbf2778dd83e3d |
| SHA512 | 701a64a25223375f39ee75317c7038cb195c8a30a6e1baee38e2c15b8a092bc44c04ca09ad58cec7957173d1bfd1a3378538e6e75a49a9bc06c2a5ed761fa219 |
C:\Users\Admin\AppData\Local\Temp\SEQw.ico
| MD5 | 9848e0173c8ca1325db2a20b2d8bff21 |
| SHA1 | c4cff05a5b4bc7cb1dd687e799a6a12d7058f9b1 |
| SHA256 | 8018e3bb08def89f0d13393e54e6b9a8c6e3cdbbb7b9f0b7f49cf228703f9b00 |
| SHA512 | 967d1d3a57b7dac2a5e413f6972278938d7bbab192754498e50d5803b8d7370d48c9ec89938f4d11395c0ae518aa48192143b8621c665eaf1bcdebbbd53caec1 |
C:\Users\Admin\AppData\Local\Temp\fIkEMQAc.bat
| MD5 | 15bcb7cba979661527f49f8a27624cf3 |
| SHA1 | 0792cfc473080ed2e650d2255e8d419399569c24 |
| SHA256 | f05baf1c8deac26e7b1766374b188f10595f5456fb9b5f18ea932a2c0b166acc |
| SHA512 | 14a71b346be93794bf9babd11b35ef468109f0495ee820269e4d1129d9d1a9fd3e0f9bfca6eae8a3307581f202538210262ff70a47b940e9e8f7e72695478cf2 |
C:\Users\Admin\AppData\Local\Temp\esUO.exe
| MD5 | d48daa888f3c583c4af4ae9db781f2ba |
| SHA1 | 475fe3844f4f68813b95ec6851f6a3e0a429b4e1 |
| SHA256 | ec88d3bd58b72742255792051f54572998826b155ae961d687eb0829f66737e2 |
| SHA512 | ffb592505fd4b32377e9bf721f3d32eb667be6df88f61e6f13605dafa0ab116b7fdd7c56fdfbea8445bc4f2dcae14f41de4407888fa5b72594c0626296ff2771 |
C:\Users\Admin\AppData\Local\Temp\yQUs.exe
| MD5 | 9deb21b4498f8c8079e37d10cf9becd5 |
| SHA1 | 8cf73c20331c6de733a7a21eb1a1a69343b8fac7 |
| SHA256 | a2cac384593fa751bf0e0d796b011198a410e65531b946acd73a56c78c969881 |
| SHA512 | 39c67011d4115a40e4c52f7bc2f4b2ff050be5a36fb16accd102f7bbdae556ccdb38339e78795c75682446583655f896b723241338d3b1377b4a485362c13810 |
C:\Users\Admin\AppData\Local\Temp\ucgs.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\GEku.exe
| MD5 | b85789976b996ed0853449e97f0779f9 |
| SHA1 | c0f1e1f75f2a14ce70179f1236efe5cd89b4accb |
| SHA256 | b2d61e79a386881ee445de47c647eba693419fd2d9a22bf5a41c08e87e7672b9 |
| SHA512 | 4cf12244214a8f317fbb024c14144c43e5be2e44662e982f44748f3d8f853aceab84f89a024fb81dbbcd36dd028b7669f1a3e41df26f2199beb99a9b607d2809 |
C:\Users\Admin\AppData\Local\Temp\aQUa.exe
| MD5 | 97f7878b6971ce603863d9848eee63c2 |
| SHA1 | 956bef7fa5ad2b83084680c6b60d02df4481bd3c |
| SHA256 | 5fb662a3eeedb788a21cd87b0beeab3fc7416f5df3de5fd1bcca895219d536f7 |
| SHA512 | 4c0723f938993efdd790448bb232bcdc69b2fb6504d720e2c8e25b9f21ca9954a8abdc72c523adadb9d333841e50efc838c06eaea3373c7c4fc08ed715bf7946 |
C:\Users\Admin\AppData\Local\Temp\MUgE.exe
| MD5 | 1ac68bf43d0a80aa99b2cc1923e0daa3 |
| SHA1 | a85ad7e33d28b97bda43b1f69b2d6f2f88752f51 |
| SHA256 | 14f0101c17320ae2d47dbadab0f613fd18198e222e5745497249fdce29e46779 |
| SHA512 | c4badd56045e124c218f64ee690af940ac59d20a1271746293bfa5b927d146bf2b3769c99fcbd6ffc855e712f22d1907df8f26cf4274713d60471751ecc361c3 |
C:\Users\Admin\AppData\Local\Temp\EUIW.exe
| MD5 | fcd20fd5c60aee0d03ecca31375a4fe6 |
| SHA1 | f07d9d6d772a3b1114bc6f5bb51e1edf81d3cabc |
| SHA256 | 39f97f36d0bdb325f39ee853cdd90d2bd582a2e02402f6e165d19d7c2e7a0109 |
| SHA512 | d04c176a702a1d4802d271207b2c26b8c56c4c69dfa3e7828fdd113c52f711e6c66176c7b88a9238aa86fe2b15fb1a82128cbd79de49f275a5d84b1aa9cb3458 |
C:\Users\Admin\AppData\Local\Temp\MEIA.exe
| MD5 | bbcd6dacf0a3c277acc4c57d9ee390da |
| SHA1 | ce6e4cf595af843f5e12550b067800eb8c7bccdf |
| SHA256 | 5bdb7678cb2bfc5837518c79826b597de2c110e4c8e6c3b9df3cfc91864c4aff |
| SHA512 | a53fdf3d16ea645dae03e123b9de99b9b2d85481cfe548b6467f3f5099320e46a323a3ddf7c09e803d21078de98b84825093158e347261f0c72fc777afd55a11 |
C:\Users\Admin\AppData\Local\Temp\wEEA.exe
| MD5 | ce3c2642cc911b29a4ff2f06bab223ad |
| SHA1 | 251adb68bddc547329ecef6a46c161a7f3e247c3 |
| SHA256 | e3acd06fbb516c10e69bb17233af6092e479fdb7107f69b5103eba1dfbe9a4f1 |
| SHA512 | 1c62f29ab8db8380966cd7d8d9abc81260accee62987b8f5923c251f953f4e7977a2440ac6fb75009deb7346d8674e92045f59993c25433b3157fbbb67678d79 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | fc0ccdfe1fe0e1f7c5bfc852180947b0 |
| SHA1 | c6c4d815c3e2c249047e75a4ce7850a8e295b2d9 |
| SHA256 | 0b63554a6e5fdb083fba9d8af0c4e2812836c9f85d0db15acdcfbd0eef1ee6e7 |
| SHA512 | a298f114e09736f97fed229356982d008a5cdfc566c41f72fea6a07c85a3990a13560ddfaaec1a0df502341a9497346b98a5b4003c77043e1e39f2dbec268a24 |
C:\Users\Admin\AppData\Local\Temp\woEo.exe
| MD5 | 108a6c14eae72d6ab3cf3b178142f9f8 |
| SHA1 | 8f55b8b4cb9841a1e2419bf1dc439a086b676d8f |
| SHA256 | e9449f5ac6a223a42f9118ab091ac043ca485b7c877effccdfb0de47b24116f5 |
| SHA512 | f0bb27c50fb045b53eb24aca2ac571037f7adee0a01766f3c723f5de8c604f7e3ef88d062ac1bad9be98ceee6c7d9c095cd4e2b58965f4f40173e60bc14bede7 |
C:\Users\Admin\AppData\Local\Temp\eYMm.exe
| MD5 | 8759c880b073265aadd4b9584df43fa6 |
| SHA1 | 77cec8942adf57c69958ddb7d96fed6864e5bc1e |
| SHA256 | 7bd86ea5745f5d13a900960725a54dc5b51567045376bb7697bdcb8725d4e4b3 |
| SHA512 | 1c633ff538ea0afcd9229032d087afc5b7705af7d440b6170ac3e1b3e7b10bcf80f733a63e75d25340c71692dcbc99ca5a3fa7ff5ca2fff6324e4c98e2c1d7cf |
C:\Users\Admin\AppData\Local\Temp\ygMs.exe
| MD5 | 7224f54601c2579f466780b3093d9ee7 |
| SHA1 | 0210c5fb1da2f44d6fbfe2fdf191f69efcb1b706 |
| SHA256 | 0fa2882831b013c7a12449dc3e24e0289aeb2e9cb1f7c15d39521a37df6ebd20 |
| SHA512 | b5c1424e3de906ae0b14bbfa414c0402fcb1a3c8f31421da0fff5a71595db68489f313f69979a7a0f6f9955102ff3b10abfb6ee180e319c2ddf5a8fde31482d0 |
C:\Users\Admin\AppData\Local\Temp\WcUE.exe
| MD5 | 5ea0ee5abbef8ad2e76057d6e496c1d6 |
| SHA1 | 53c2e824f5aaf10a5c1ed3c9f36f523ba0b9c9ce |
| SHA256 | d70b4ad5c0852c7e724d21d2640ce4d9b65900baacf09fb6ee129b95a8a647bc |
| SHA512 | ff910c273f7b5916ea9a164521ae9bce73e4e1a9cb5c892b70d2fe2996102aefde147f43a728438d24e89285a62e494befc86b9311961fe60dc636ead42854e8 |
C:\Users\Admin\AppData\Local\Temp\aoIq.exe
| MD5 | 99ee375c6dd62c11e11f81018dea1520 |
| SHA1 | 28125d54a7206b857063eb0a49f1208b1b5426c8 |
| SHA256 | bd0b8438a966a83004482c32bff3677f6644b2964e6618ccb8fc21ed26217cb5 |
| SHA512 | c73f6715e41ca9daf52807a7812aefd7b686f423d84ab2fb2682f3eebf3d3c0719721d5bdd012bff686a23d89a6a14941db29e22ffe7d1c9c5f59aa9c23024b6 |
C:\Users\Admin\AppData\Local\Temp\ccoU.exe
| MD5 | bae26a3860f1fd640c0ee5c66dd9d465 |
| SHA1 | 555f2d7de311cfafbc7eb4a66554bf9806ed697f |
| SHA256 | 2db866f373f0ae8d1da9d8b55a87c41acda55d9f09d0fffc863437febab2f836 |
| SHA512 | 8a32d0e4a1e23aedddb79ba79e0c9b0ea92d1d2cafc3802a1fd4546223ad2663b07f2e4cf1b2452d8471dbb4c9aa9ba93e763ac889cc141fe9036511cefe28e3 |
C:\Users\Admin\AppData\Local\Temp\wYEG.exe
| MD5 | 2257775adef944fc84755353d43d88bf |
| SHA1 | 06453ab9347d54f45790f502b25c958e535dbb35 |
| SHA256 | 06a1f17539a1d61b08499d12990b1670deba1be524d487681f9ff20db875b294 |
| SHA512 | 3dc133c70b8bba648d26491aafaba5f95b86d803a5c0edcec94c33558f174cf720613064f202274615e18066733340127f310f9eb68aa5b3919cccc4a60b101b |
C:\Users\Admin\AppData\Local\Temp\nkUogIIg.bat
| MD5 | 96488cb1e104960c25059e5f61bf1019 |
| SHA1 | c7b43c9348b9da874c5c15e98c1b40ecbdf1d1c8 |
| SHA256 | 2a5717f684ef755085951cc5e6eac0f828e7e54284f2dc10e7a73ed51a2802da |
| SHA512 | 18a56709e03bc3f6a2c8f79ab58060edb94c25cdbe8e3d02f6eb2b0fc86037e2680bdb674dd87f62fc362f36afca9ea6ab88ec06ee9fe5464e7b1795173f3c72 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | e7e506d8826d53c858aff8cd222c38c7 |
| SHA1 | 4326ec2e56959e5f7d0821a3d10360ff76b7116f |
| SHA256 | 15333f04565c4a9dcb540bf1a080272d836c205d4c54e6bc28b47438e0d4f54e |
| SHA512 | 13954acb5ca374946747492ab26f09fbf46a0098145ab563b60b629493bfe3b69d1af9dc89f3619372ed2b1ce74922c8b1a2eebc1266e41acc5d79eb5b094b39 |
C:\Users\Admin\AppData\Local\Temp\UoQo.exe
| MD5 | 6988a4c8652e2d9315f614a973b606be |
| SHA1 | bc70650d763544681d414c4c224040c828d338c2 |
| SHA256 | 6ac8221286424e331ec1781f5c65dffc64f9b79144a5982218692e596ae900ee |
| SHA512 | 5c4d9829d95b0723ac382ab8334be80a4f42d48a6e0144e6c53fd4f53fa483436b8978563c281b75cf9c910274d7f1a02fea5a72049e56406e614b072092d4a6 |
C:\Users\Admin\AppData\Local\Temp\iMoq.exe
| MD5 | 172d02253e52cc5a0d7b8cb2d126d0e0 |
| SHA1 | 98cbf312258296b9c035652eeacf08082bfbc48e |
| SHA256 | 80d256e059d805a8b448b57b901f1791a4b04ffb3666b1a3ec6eb108b8e4bce6 |
| SHA512 | 4e83735798cf0ffb0d5811c6c74cdd188d02d2c6774b33626a2a2f4a3430dbe451fadb9753372394fabad87e764c2aa89f68c3d805867c2759406e0aa22f2fba |
C:\Users\Admin\AppData\Local\Temp\cgsq.exe
| MD5 | 57915681401336b7c26fa6fe42bbabbf |
| SHA1 | eeaf171b332cd714189b7a7cd92c0d1c92529965 |
| SHA256 | ae5f81defa0686773b85a9c84098f6a791898ae53c7efddc3958c2669f1f6c09 |
| SHA512 | 6b5ebee774831025e2b6db9280f6e9c5928c706c69d482b8ab8fac7cdc2127075f42a182918c9eabbcac154cf746fc5e45e54e461a15736680aacfeabdc3a023 |
C:\Users\Admin\AppData\Local\Temp\sEsa.exe
| MD5 | 9bf35ee158909554fc6b48c43ea56279 |
| SHA1 | 8f117a314ef455cbbb0fae71b4c129cffc4c5760 |
| SHA256 | 07108bd9a53893de5a156f7ecc52fc3bc2e2bfabd203a19684941c2355539ed0 |
| SHA512 | 63da60e217a2b9ca0cd8b2187e14e688389af9c0a3b0af44f8677e882179eb422335cdfd04350c77b13153b1a6ecde31e631eb91f79a94ecbcb65ac973eeb0a3 |
C:\Users\Admin\AppData\Local\Temp\wIIE.exe
| MD5 | e1a57a5e15601bc17fd7411dce3c43bd |
| SHA1 | 196cb65a661b8b10f894e46e09b23e89966e21fd |
| SHA256 | 96ff6c77595a41d9b9ab7ae62a1f791f3f0c1a295236b0aae0438d86f09b0124 |
| SHA512 | 1c923a5fc886db8b70bf3560a4ac951e3e01710f5c8832732357bf448447d58393cca3c102c3064e15d713fc4267383aabd267a2c4bd6e9a2864cd79e76d988b |
C:\Users\Admin\AppData\Local\Temp\OYYW.exe
| MD5 | 1810ac2194a8f7e5cf02e7220baeaa16 |
| SHA1 | 4b3850b091e492eb9aa2cfba552e3852f20691d9 |
| SHA256 | 2e7c0f1f89d95cf8b87da1ae36ad005ddac7098492372db5cb83eeaaf9de9f99 |
| SHA512 | 0e9a559b2e0de07955234881eb2ffaf58b80d8deecd7310160d65ff78b8a105b5602e37690c51164b2e526b748250d8cc2ca38584e415db0a6c8bceb78ef94c9 |
C:\Users\Admin\AppData\Local\Temp\gMkq.exe
| MD5 | 7b056118a12990bc75363336cedaf055 |
| SHA1 | 6c1b3fcd52ab1e512abeefe3027fbdde941cb97c |
| SHA256 | 3b27f6aa1c4140300f5e415e85e0e5ec3f898dc88274a63ce984049d5bf35c44 |
| SHA512 | f7a5a19d3c2529de570cee8938ac3a803cb7bdf8fd061e008bb577645caebfd9a8ecbebf457898901c274287861289252de0a3fc5f0c80f7cb4ec5fb89e4042d |
C:\Users\Admin\AppData\Local\Temp\UYcM.exe
| MD5 | eeba28cad53715b52f1d76aa42490c87 |
| SHA1 | b413d242c9f37c0029b7d60c1865b4f3fa47f923 |
| SHA256 | 1c9d8102f8979579a5fcb56d5a2ec3414d52a5c80ba57de855e5db544f2e450b |
| SHA512 | d3db8bc71ea01f2677e255ef9c8b81a5479c7e77a7fd758bb927606c889a147aa3fd9dba97a89a618f2444b912a3fe6d551873f3f9c2a96c881bbe8270aa3350 |
C:\Users\Admin\AppData\Local\Temp\EYAK.exe
| MD5 | 78e54d43499e2b44f430fffe4c17902d |
| SHA1 | e1678fa8ee03837488560d2a5fab72894f4ced05 |
| SHA256 | 9f437d1f8372e081adf6fc742419bed1cc9f70c61fd8f81990ea46fbfd8b7c90 |
| SHA512 | e1ed9787db81f7212894cf9812db5ebbe7aa5ba740100d5bfae7cd025b28cb0a4aa6a1016a114f4af72293215dc3b810d0e5657a01fedabd3bfbde2aa8bdb962 |
C:\Users\Admin\AppData\Local\Temp\nQkMQwMI.bat
| MD5 | bbe0146ce68d63c5ac0f83583d9a37a6 |
| SHA1 | 52a2906070a633d5593d7071a689aa4bdaab591a |
| SHA256 | 25ffdd0572b126f1af4ce8a9e14a10a593fc545ae235e5036be2692bda6c1a08 |
| SHA512 | 0623a38bfdb5ef57de11007120090a75121c1922962603059ad1298e7eee5e36ecb1564159f4b9ee116a8b6c6859bdce0ea34a5af988d22ef6b433a89851afdd |
C:\Users\Admin\AppData\Local\Temp\iEYc.exe
| MD5 | 97df05c7e6795a20cec18790c729025a |
| SHA1 | 3bd28a93a8b2c2057256cc9855a9868c8bd989c5 |
| SHA256 | 020c2acfe63309d34fe004d1731854d159705f2a6cd19c3c8e64a5c43c48cc97 |
| SHA512 | 53926452f871e3fb7e6741ecdcfc29619ef35e1c1350dc8d5cd9d126929a0972fca020f196f63ff00695c5beb055c0f7026a836ad25421d75908bee7e0913224 |
C:\Users\Admin\AppData\Local\Temp\kIoC.exe
| MD5 | bf8945ffb31dd5a8844b3c3b301d30ec |
| SHA1 | 5da291370eb712ee6264e84fa59e1f9e04101e75 |
| SHA256 | 8cc9fe3d54be2146ae7324e416d2eebc40e9f2af1905bf9bd0775f295467479e |
| SHA512 | 7b4305215c54272eaae6a0fab1842b15ab9597d29fe7d1a44cf14f4c94b398f9458e307cdde229e731988a0d1789ae23bd269f2b9be0ffdfdd12a98ff75795e3 |
C:\Users\Admin\AppData\Local\Temp\Wwwi.exe
| MD5 | 5458b9b96aab2d2881b2eed0a424be07 |
| SHA1 | b21abed8cf84daedc8a8c78cec8fd635336bebaa |
| SHA256 | 03c5017674d55b69ecbe3127bc221992b7ba20d5febb7b00424ba418947fbc45 |
| SHA512 | 77829f14b31173b23c1d2d461157bbdba906c5380a5975b8ee408be38b79aee077c706670900a55a87b21282497aa25a7d90e12726e9063f355394e73425dfa4 |
C:\Users\Admin\AppData\Local\Temp\UQQs.exe
| MD5 | 80126a1d94dfdfd63296154972c94710 |
| SHA1 | dc1a4f44bf778f1e02235f25340e1c3b9a2adfec |
| SHA256 | 4e42eaaeaff8749e8ea913844f8603c386adbf008174144c174b2e37895526ef |
| SHA512 | 705123ca518d915f6aadc2d094efdf4bc60b1501b19fa3e95a6405ae63efe0f9ddc9e94c6f330448ec3f1ed6846657a848575524132677644a1e190182bedd1e |
C:\Users\Admin\AppData\Local\Temp\wsEy.exe
| MD5 | 9441671053cb3b51d9f097df61d84c57 |
| SHA1 | 0fd9e202885876c6a6bea31f022d9999e3426414 |
| SHA256 | 7140beae67795d8f8cf0042aedf865b35e749574ddbd4d8afbd0083b550d9107 |
| SHA512 | 717f4fc7733e87ac4b5399d5111d3a7e973286afb020b53f642a2f2dd6e077e2e763016f5223984aba22d51dcdce05f1760c19c6df57969fbee735c867f903f0 |
C:\Users\Admin\AppData\Local\Temp\EkUw.exe
| MD5 | 46c4bc0ceb8327d550e9a6d40600a075 |
| SHA1 | 333a509ef47f51bd0ddf3b56846118feae5442d1 |
| SHA256 | 4a37f1f3c1ede5b457d614ab59641d14d24d08a4d1f9ed079a1d6684c01e8d53 |
| SHA512 | 9eba45336e3482b0a16eb825f46cc19b45aebc8006f060459aa20f37444ae7b5b721899075d5afc4bfe64986680f564b0c59274d5dff757d8b2d43d5c88b24ef |
C:\Users\Admin\AppData\Local\Temp\aMwy.exe
| MD5 | 431cf850a930d3c8057e3c901537c228 |
| SHA1 | 52a74ef3834675f764025c6d614ed64a3d93be03 |
| SHA256 | 469baf25b3beed14ef96b2661fe95829b34f8108adc8a760959132f6db333a39 |
| SHA512 | e1268212cc48acdaa7fd6dd4e658a519eac39faa013cae672cb62646ba2c2043c878d4404db6863e107ce87ff0caf1f5c774212d470376b90a509151dc158854 |
C:\Users\Admin\AppData\Local\Temp\UEwY.exe
| MD5 | 0be29d533bb3749507c37fb168c71ade |
| SHA1 | 43c8271581504613b2a4cace9946db4f7ff54534 |
| SHA256 | ec8d36198092d809a1c2b3aa464c478571e8cc6e8c2f689429fa022c82fde8ad |
| SHA512 | f396db0497e132a71affb0c1ab55e267146db22f81eea433865a2cff27c8fcdc8523aa43c1ee767fbb7e7e7839f210984d9337f5be6eff2ebe4b346792ba4e71 |
C:\Users\Admin\AppData\Local\Temp\ysoS.exe
| MD5 | 1e2648a2786bacfc1176065a2529be0d |
| SHA1 | ef5702737a86badc26f3de92e4f97779e238e723 |
| SHA256 | 326345b724d7536bc8311c37f7304c9a2da9a3bddc5a7752fe0a63fecdd15523 |
| SHA512 | 640be6309655e335066be6c7b59c99b6d889523414eef536e47113434b51716593b36cac91c628869b49d3b0a6041a9156b8a0b5548f83675c7f1d57ed77544b |
C:\Users\Admin\AppData\Local\Temp\mcEi.exe
| MD5 | 9f1b9c2b22539e76e3eac3811b38ad9e |
| SHA1 | 1ecc399993c76d0443f8c1c65164dc3e45e93245 |
| SHA256 | 3de3e23e9aa059fdd02d66c5fad4ad401deb4e98a053e6909c39d4bf8eadfb38 |
| SHA512 | 3b14e942a206b7103d6320bbcfbfeb2807dfbceb8dab073fa178f5b15a1e88b937b1498e59daea9bb4b6731f66792481b18fb87c6f6d0b2eaa3f1a66dcf4b1f9 |
C:\Users\Admin\AppData\Local\Temp\aUwIIIAY.bat
| MD5 | d4324e52ad2366200f9581cc39675ea6 |
| SHA1 | 44bc255b19cd89d596fe428dc5e9d572ef3a3470 |
| SHA256 | 1ddea835fec30e2cb26b7100bc40f0d77648e5e917bdb34caa5f813a4efd3ac2 |
| SHA512 | be9575ff646f887989874dcb4fe076e7a3b9c9604f291f5c2939c760822348b3d78453c47ed3c0b8bc9f6c4a7eeb8b4d3b1d9aef054072f093f1892206ed51b6 |
C:\Users\Admin\AppData\Local\Temp\kEoS.exe
| MD5 | 7a0ee98eb6a53738396b14a6161d0428 |
| SHA1 | b8ba143458dada78ff47f5d9f4d89d88e594cee6 |
| SHA256 | 137d863dfc64d17a7260a36f4e77c65fd0bee7a881d87868cfea7de126f6f338 |
| SHA512 | 94429129ee5714e94df5b8adb4fcf05c7586d7809c9659cacf6e12fb98abd587962af646c3e847a9b24b918ae09b323913d51ab536d0ca478b0f822ff4863be7 |
C:\Users\Admin\AppData\Local\Temp\GcIw.exe
| MD5 | b7a1bdc227ade56546516671345e012d |
| SHA1 | 0126fdf0f5d27a8333cdd2d0d94b3dba5c85e08f |
| SHA256 | 11a3c93b698db0a46b52ee8f4dc578d88631eddecf72bb80847b37d3d406e324 |
| SHA512 | 34ca3b4181817a8503328d455f6e4be0a5e9a224760af0eeaee978834b0994f98360ba1b4cb0302cf6974a5504d5acd6ed8f05726be2c3d51e8c7183ea695cf5 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | 16a14a9e81e5bb6f198a348693e2a120 |
| SHA1 | 3d41a05bb1eae0f667feafbed25ad6317f8704c7 |
| SHA256 | a8e6ab6812878f316a62495c9aa18833b1093fc19fad9564d22295f1f596e59e |
| SHA512 | 1c07b0bbb5eb10db87e7e15feb9d828443f6c62490b79e0a53af4744ac41e468fcdc7fdb794a559d678848db29d18d109daecdb26ac346ce19d2281f9c6283e4 |
C:\Users\Admin\AppData\Local\Temp\yQcQ.exe
| MD5 | 6b148d5016e9720536022261c150a600 |
| SHA1 | 9260edad5c3ea5f76102abae4818a4f9570389cf |
| SHA256 | a3e76d81a7df182b0d9eb36177e1f034675d7e9a83aff38a9e9e5ffe4cb5e85b |
| SHA512 | 17b15df227f1da837ea537c5ca97a4fab08ff8184a33818671d0d77950e2c803c07617d4f9e33337346959cb8a1ddd1b4802c74c4cafd64b9e346f969e7d1d6d |
C:\Users\Admin\AppData\Local\Temp\QYEc.exe
| MD5 | 8ec3aa72f867dfa5f6cce783422688bb |
| SHA1 | c83c89b811c4976b3b3491bca72813865db8b2af |
| SHA256 | e35d8d17f238411d2ebc1299b5ef36f4ca00fdf2b2cb69939a3e50aa16232459 |
| SHA512 | 06809ac8c6376087750a6d123bf2dd54bdf50dfea469f9bdb9a610b167c9b3516283fd3fc4be42b28cbfd1e4fd769e0302af5c82175e13f5f3caed81f6bb920a |
C:\Users\Admin\AppData\Local\Temp\Qwoc.exe
| MD5 | 02b1d249b27b25b6e3eb55327c4d2cbc |
| SHA1 | ede87dfc0ab5ff76d5a40ee52967b763df985851 |
| SHA256 | 45380c60be6b34bb043ebf3c5c9236fafaa293a3cc988d24214f19cee1ff909a |
| SHA512 | 230014d2da823eaa9a886079cf2febc90b28c43da703f00f97e7a942b909f716fee396fda54b094b219236f1b055427083b4b947a012479f13ff75af3308d139 |
C:\Users\Admin\AppData\Local\Temp\KQMk.exe
| MD5 | 72d6f19ce36f6b7a42b2f1f161e06a2d |
| SHA1 | b9cf04e809dcc30e13565a85d2cc5cc1238c3808 |
| SHA256 | 65b971fc7cd7ccd1ae53444f8e6ca3b2814bbe9f70e57995824b183aaaa92ca7 |
| SHA512 | 0646d101be77d35ca47fcf4935dc8bed9999b1165630450680ceba219755c6a6b96fec73cf1e7074b03159d274061768361a2c3d9f64cf48bee6f9205d8bdb2c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe
| MD5 | aea96088e6e2d4a3564f33e439a3b03b |
| SHA1 | fa7cefc35b5d698e59a9fa7b4bbb4fb945561f1f |
| SHA256 | 52f94fda6245b5470d1c274d3e854f58a63171e6b5036f09d920f3dc526ba9c9 |
| SHA512 | 2e86f16bccac1267b7bb8b5bae7ebf836662afa32e4a95f3a4b299ff9a41f68b5d755104feaf3187490e5be13b7ce2247526bd1cc9d038ce1745105bf4337c01 |
C:\Users\Admin\AppData\Local\Temp\gGgQkEAQ.bat
| MD5 | 43f68986784e808bd6109701a137bf6b |
| SHA1 | 232dac9b254cf8d9e0025446312b51c9819e8002 |
| SHA256 | 54459d45298b01574ba15cf794ff0927ec56cb7b8d3cf620e7005a5d8da8b4f3 |
| SHA512 | bd2af27bc473db4fb9041551c43811c1b38d3a4a421f086386d6162b79f5665c066acece15d0522725a7ddeb595da8d5bc9d9b9727c28d80ee3676bfb9c52c28 |
C:\Users\Admin\AppData\Local\Temp\cQIK.exe
| MD5 | 317f0099611deb035b63bfc66dbf4dac |
| SHA1 | 1b90ea84f474f0f581f1663c08210513a2962c9c |
| SHA256 | 09a7bad3df16209684a4a3a362bcce780ca5249637759d9cd14857032a6ce089 |
| SHA512 | e34ee1fe84265a15e2584fea48a1b89e31f5b9ce0533ce6eda1f7bfdba42da92fa50e6dc3c3b5b70f340e30388eda6a3fb00d1189b04dfbe70111d25d9fc0aa0 |
C:\Users\Admin\AppData\Local\Temp\IwkC.exe
| MD5 | c746f2fcf393e15e5357779c52b96069 |
| SHA1 | 1e036a9db2fa66a9cfa3816a6dfab447271ce3e1 |
| SHA256 | 9e906f14402df481ef8b74467baac7ab7e474c384841bfb5f28a12a8111821ec |
| SHA512 | 7601352d39cea86680470d0eb3285b1127b9267ebbe0cd0fc7f9d846ef3e154e28ced3e85b3b8002d19bad4d38e5c734b9b559e7051daab58c9e172e85fe63a7 |
C:\Users\Admin\AppData\Local\Temp\iGEY.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\nQEIcMoI.bat
| MD5 | 28d225f7a99f52666d1d1ab1b52aa4f6 |
| SHA1 | 9f04b9d0cbddf50e352280a93982e9cf5a472b7b |
| SHA256 | d0c1fcb85b34f279ce86a4d7bedb802b619a3509a1eef104744ad444b0329f8a |
| SHA512 | d844c45f8ca8d571ac2a2470db549b258513693da2e5188b13255e047ed899fa7227e49a95db49d3aecd05138e0324f9bf8afc1010a6b32e2707c22bbee60e3f |
C:\Users\Admin\AppData\Local\Temp\kkoa.exe
| MD5 | d2c460d1cad1cf0ce149690e620104d9 |
| SHA1 | 24bbb469c8ea95080404938840a75362d33fbf63 |
| SHA256 | 9eae3a3c64c81cb1aa431e1c34a17095cdc93b6c23d5c868408688e6209c188b |
| SHA512 | f9d851b2243c5aeed47f24198995dd0f156eb02f75f121e9893e17b916a01969e5f95a3392d95f4ad0dda637b3666fd8450ea807e667f6374917c8affce2d346 |
C:\Users\Admin\AppData\Local\Temp\qgcW.exe
| MD5 | 6adcc045bf7a3cde964e155fa5c43974 |
| SHA1 | 86f99591028cdb7d6032c0fbd8ea0ee144fe8a13 |
| SHA256 | d7652c6ddd7a28e43071e2efb74bdd8748dd306fd9b55b42728d87a280dc6738 |
| SHA512 | 529d9d935e82f1cdd82fe587a89b2da92de7ac7557cfb759b656b6c3995c22c085f53ff1deae6475695bb4374eb3aa7ea1811f2937fb36b36d12a4bab9e463bb |
C:\Users\Admin\AppData\Local\Temp\CkIC.exe
| MD5 | c6d71a4ea8837d0728f449eb90570130 |
| SHA1 | fe637a1bbe4ae5b8587965056f2b9a0de81b246d |
| SHA256 | dd635c997aeaec6aafa1a6cb0e6073a4f9ec070eadd803808d63d09d4b94d731 |
| SHA512 | 05690d40e52bab78da70cbb714b236f6cdfa2f758fba5901cb9a5f49b89a6555025dd0fd7bf7ef5e61986e66b8c262d5d00d9104857c50890de75fd305d39847 |
C:\Users\Admin\AppData\Local\Temp\qcQE.exe
| MD5 | 3d158ce5a7942c3c3c320051e2bc8bce |
| SHA1 | 5b5ef655f079f4467dd1540c9c28d0e147beb352 |
| SHA256 | bd2c1cf29535f99a2653383769947da6837a8e10b85f18c0cb4134521cb9e3fc |
| SHA512 | ae59b5ba818f3fc7fa21700e2c6d9106230fae111ce17c831f1d80756f60bd10ecb0d32e02599fd78494385361560e40435cadb38610d2a4179caee41dad9921 |
C:\Users\Admin\AppData\Local\Temp\PyEMgcsY.bat
| MD5 | 53162ce90d2213b5f9321b1ef17695e3 |
| SHA1 | 965433bbc62cf59af0594b0ea6c500480f927263 |
| SHA256 | 26bdf8efd4ce1487d1367e942a84a1a8317cdbe15507fbe002f5130d687d2e57 |
| SHA512 | 6afeededdd8c641c41cc59931dbdedf11d83b1fa12cde3e0f7eea44d0b185c2c47b9e2924fe554610d6667a67ebe572be9a29fe4499eb2ee1dce85ceb31bc562 |
C:\Users\Admin\AppData\Local\Temp\IUwK.exe
| MD5 | 9c645293c5c05ad6b6c0b3263e70e610 |
| SHA1 | 8ca8ce0916d8133305b60e1546743407fb339fd8 |
| SHA256 | 69e61291c9d0678153c7a798641c1741fcbbc10a16e712bde679d3c873f82c86 |
| SHA512 | 8a3183047e05196ddd56136f087ea4e3972920d326b1b7a49fd1e81294920a23668177a4dbdccb72df836382bd0d3ac18acf24638b2eccbcdd6168c2d81aa6e0 |
C:\Users\Admin\AppData\Local\Temp\WMok.exe
| MD5 | e1aa292fe78707971a1caab0594d5bd7 |
| SHA1 | 79c1dbb0688f70b159351b47375c802e9736ac2e |
| SHA256 | c85725965916457289487036953abcc84431ceb300c7a1ae3065b06b3ca67283 |
| SHA512 | 0f91da06917af8b56e1a66ba146b714774af0347bd6c55d133a369a636bafe3992bc39457f615d4ee2db540aff7234b95c417085ed6be29afc1bfd2510fcbd22 |
C:\Users\Admin\AppData\Local\Temp\mwsQ.exe
| MD5 | 15cb250c2ed727691d81ca84b679f32d |
| SHA1 | ff288db6bdddea7dc23de0151774fa2a336a3911 |
| SHA256 | 3261e2ee541008d6fbe1d851220b1a98fc91ad3cb9a65324f5ca8205b52e1dd8 |
| SHA512 | 28017f8e25880ca9d49537fcfd5622e42ef9377f27fcd8e3ffc60670e46be9fb7e9a2eb174e9bbcc3e78bb50a12d765b651ffb5803d8492501c25f212614db73 |
C:\Users\Admin\AppData\Local\Temp\KwcM.exe
| MD5 | d891200b348ca6f54c9b9b8e8b436d08 |
| SHA1 | 98300aac1a6b1dc43c45e735c0861dab9061a81f |
| SHA256 | c86a9a24703a5ed7d278b7987a190db81548f17f2440939e9c2f0e8c6ee52b1f |
| SHA512 | 13c25aa904bb2ed67415b181ebe219553d25cd5e2cf717e0ac04367ba45c3e062d28140364d5fc7bcbc1247743973697b268cbdd57e8180a2dc497bc43803126 |
C:\Users\Admin\AppData\Local\Temp\pkcwQscc.bat
| MD5 | 1a74055f24d3ebbeed6550a1099e9649 |
| SHA1 | 7a279c6ff9ebca2af1a9224e079f6c6f61ea5bed |
| SHA256 | 1763d99e69cfb7203e95e8948b6603d5b9779540d73c7bc37cdf70ef40cd59d9 |
| SHA512 | dff0a2ce9670f149069d54999d0abe96c50abadf364fd957fd10acc36a71be90e15348404df7af54ac32a1c032fd9e7cea5238a9aa5ca5cad337a63ad3f883e1 |
C:\Users\Admin\AppData\Local\Temp\yEkU.exe
| MD5 | f5b2592b9b95e74dfcf54048481cc9d1 |
| SHA1 | fd4bda23e6c5e3331020d59c23787f7a85f43afe |
| SHA256 | a2c4e0261bc6d993c914ab7823dd252ef819480ec6c0729b37bc710ded6680dd |
| SHA512 | 2f8b18b1bcebea2ba5246fb75d49cae2eb294fab2740df2e742ad7523cb47ebe77fd502e03b576299be591b86fa34de990f78853f22c782b7470565fbf1ff35a |
C:\Users\Admin\AppData\Local\Temp\Wcsw.exe
| MD5 | f87883be859d65b33bfd7f7be794ce04 |
| SHA1 | da0e7fdb64c763c63011d0548b503b4c8bb61f36 |
| SHA256 | 2101f67e24859e42a6db0b688d669fb83ab0869f40b8c43cd0a65031616f2a7e |
| SHA512 | 85eec46e853c8b8e9aa3124049f74182c7ab03dfd65846436a5082d48cc9c3da97fd4fc688d3d57b0eb88c3b80d8d36093b9fc943d4500adff04e1a1a16ab24a |
C:\Users\Admin\AppData\Local\Temp\sAAQ.exe
| MD5 | d0fa503b6aaabffc4fb7fcf5ca958fc3 |
| SHA1 | fb3df5841940f5b26a21bfccd3fcb86f6e33de01 |
| SHA256 | b2ad591bd9ae90d05774eb0270847656ebad8ccbbb2e47a6644c3e7a1e6302df |
| SHA512 | f40ad4690228837ee1dd9e4711638d5b8a5a66add8c7ed8bf32b6852b85273cf0d35125b1efddd107052891fb9c584d3d954207b0e430f806674b3683f0cae5b |
C:\Users\Admin\AppData\Local\Temp\DWQgUgwc.bat
| MD5 | b40ffbe08f4aba83de6f8fcbcf2f58c7 |
| SHA1 | 223d791c6d61de12f5d0f48457b40a9ec6cb7bd8 |
| SHA256 | f36d4d286ef26507dd87eda15ac2e47259664462a703cb44bb6388ae2d47c6d9 |
| SHA512 | 45d1c44ace11bd61f730c0eda44350cbf18206d9f7b59169714c334e14f67a26cd16279b346aa2e3de04f0740e9acd12f10da0035644505eb7133613e2e0567b |
C:\Users\Admin\AppData\Local\Temp\iagUEkUU.bat
| MD5 | 504829fa75123164a33e8bc86ac1c083 |
| SHA1 | 6225594a1fbe230ebcb3ea708e03ee1f47059920 |
| SHA256 | b1d46725aabee454118f567808b3015c98fc0aa69927cdb09c2780f8f63a86ef |
| SHA512 | 203a25af93f252e0dafefcf66c4e3905a13c954dd8a93afc8dc0eae937b1ad5e770f5a15b2a885eb09949b0d208d733d0b9903865ba92f72088ea74a61886466 |
C:\Users\Admin\AppData\Local\Temp\WkUwssgk.bat
| MD5 | 44b50c1d974e28a181332e93a6517c10 |
| SHA1 | 50306bd28863ec7df613c61546916ad833157ece |
| SHA256 | 454ff34aec5f4dceb1b065af21596e39202e135d611a69405e2865a5fd7c2c18 |
| SHA512 | 37458943209e5e6a0f5a613bef3373895e13444075ac5a96cde2d262fc4ef98d137841d7d049697721a5fa8f36c001dfde15762679ecd774e81a099467a3fefb |
C:\Users\Admin\AppData\Local\Temp\msUMcsMM.bat
| MD5 | 38759ff7e3c200fb13d39ea9a2a00761 |
| SHA1 | bd9e02f7b6260bae68cc70a7f33a4ab7021a8578 |
| SHA256 | 99d95f23fea06536cbfc2f5ad7860229646e8c6dd3209440b29cb3f2b62b37bc |
| SHA512 | b13fde18dd4602a6b77ca9ff32608c265800c9d953949e898be0b7adfdf2e87b8a0157f5404dce34058b5b59ba4864ba45751c808eb4d16171ea6c626d7f25ba |
C:\Users\Admin\AppData\Local\Temp\BKEQwsks.bat
| MD5 | 7a32d14d3d7268fd7cb79d73683c02c1 |
| SHA1 | 9acbefd61732aca941d0d1b0703ba66957bb9545 |
| SHA256 | e560a67bd3ff83805b66fe36d5bb07edb911ed83f5d19f4fc70c423dec70704a |
| SHA512 | 9d90700eef94aa61e7762f3b660e818966bf8111072dd3d100ea7b820fa5aeaaa4f906c7f68919a469d1fc0ce6eaf4d835ae3caa09e2dc5fed8ecb3d4596a97a |
C:\Users\Admin\AppData\Local\Temp\lWEMIsAw.bat
| MD5 | a6bd8233fede344357130b3b8a78d4bb |
| SHA1 | 4931e75ab5afcb43406c67fadad521d464f3d075 |
| SHA256 | 228954eb37fbd5b8264c4e7196bd2c71c41ab3816548975c53ecc1d5e34af0e7 |
| SHA512 | a8ce5e2789a0f68d7413b3538f08e55523b481ed3e85a7603f8768fc54fbf054242d7bb92a353ab6346dad40051baacaedaa05ea54c95bd066145f6d9cfe2b21 |
C:\Users\Admin\AppData\Local\Temp\NUsgckgs.bat
| MD5 | 31d79090d43772ed89e266bed1563f8a |
| SHA1 | 5996be4940bff8429fa45dd5727725bf59e486f5 |
| SHA256 | 4371542dc2e6d7343496018b6dca07e7e16f42a44ebc65a2c5e3d443fbaa20f7 |
| SHA512 | d70bf0729cb58fc9061c62370d705ec34dc57267e7671df738156a928f5e3158aea0f053ebd37a8e2e56e559251218b4f3b3f1496bec0d581972a0d1146169ed |
C:\Users\Admin\AppData\Local\Temp\mOUUMYgU.bat
| MD5 | f7d8bf658a652ea61ed0a6dfb725cb55 |
| SHA1 | 0a8018b714937577c32c201a38ff8b7f2178e378 |
| SHA256 | bd836a73f5832f4f1ef7cbf9250c3e170618ff660a55986fc5cb91e750662512 |
| SHA512 | b2603796e7c9ef58b3cba6c960b1b701c66c1452ab5e3ed8a0001804b71b71b9c84ab6f66f8e7f00fd104195c1bf5c4f9936a8e9f71dfe14ed581a66573604cc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:17
Reported
2024-10-25 21:19
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
(identical row recorded 64 times in total for this run)
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
(identical row recorded 64 times in total for this run)
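Both signature tables above record the same actor: the sample shells out to C:\Windows\SysWOW64\reg.exe to set HideFileExt to 1 in the user hive and EnableLUA to 0 under HKLM. The block below is an added example, not part of the sandbox report or of the sample, showing how to flag those two writes from process-creation command lines (Sysmon event 1 or Security 4688 style). The sandbox prints kernel-style key paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>), while a command line uses HKLM, HKCU or HKU\<SID>, so the code matches on hive class plus key suffix. SAMPLE_CMDLINES is constructed to follow reg.exe's syntax and is not taken from the report.

```python
"""Flag reg.exe command lines that disable UAC or hide file extensions.

Added example, not part of the sandbox report. It scans process-creation
log lines for `reg add` writes to the two values the report shows reg.exe
setting. SAMPLE_CMDLINES is constructed to match reg.exe's syntax.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The sandbox prints kernel-style key paths (\REGISTRY\MACHINE\...,
# \REGISTRY\USER\<SID>\...); on a reg.exe command line the same keys
# appear under HKLM, HKCU or HKU\<SID>, so match on hive class + suffix.
WATCHED = [
    # (hive class, key suffix, value name, bad data, why it matters)
    ("machine", r"software\microsoft\windows\currentversion\policies\system",
     "EnableLUA", 0, "UAC disabled once the change takes effect (needs a reboot)"),
    ("user", r"software\microsoft\windows\currentversion\explorer\advanced",
     "HideFileExt", 1, "Explorer hides known extensions: shell32.dll.exe is shown as shell32.dll"),
]
HIVES = {
    "HKLM": "machine", "HKEY_LOCAL_MACHINE": "machine",
    "HKCU": "user", "HKEY_CURRENT_USER": "user",
    "HKU": "user", "HKEY_USERS": "user",
}


@dataclass
class Finding:
    line_no: int
    value: str
    data: int
    reason: str


def _is_reg_exe(token: str) -> bool:
    exe = token.strip('"').lower()
    return exe in ("reg", "reg.exe") or exe.endswith("\\reg.exe")


def parse_reg_add(cmdline: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (key, value name, data) for a `reg add` command line, else None."""
    # posix=False keeps backslashes literal; quotes stay attached and are stripped per token
    tokens = shlex.split(cmdline, posix=False)
    if len(tokens) < 3 or not _is_reg_exe(tokens[0]) or tokens[1].lower() != "add":
        return None
    key = tokens[2].strip('"')
    value = data = None
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in ("/v", "/d") and i + 1 < len(tokens):
            arg = tokens[i + 1].strip('"')
            if flag == "/v":
                value = arg
            else:
                data = arg
            i += 2
        else:
            i += 1
    return key, value, data


def _as_int(text: Optional[str]) -> Optional[int]:
    """reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data."""
    try:
        return int(text, 0)
    except (TypeError, ValueError):
        return None


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that writes a watched value with its bad data."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_reg_add(line)
        if parsed is None:
            continue
        key, value, data = parsed
        hive = HIVES.get(key.split("\\", 1)[0].upper())
        key_l = key.lower().rstrip("\\")
        for hive_class, suffix, vname, bad, why in WATCHED:
            if (hive == hive_class and key_l.endswith(suffix)
                    and (value or "").lower() == vname.lower()
                    and _as_int(data) == bad):
                findings.append(Finding(n, vname, bad, why))
    return findings


# Constructed sample command lines (not taken from the report)
SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f",
    r'"C:\Windows\SysWOW64\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f',
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x0 /f",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir",
    r"C:\Windows\System32\cmd.exe /c echo EnableLUA",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"line {f.line_no}: {f.value}={f.data}: {f.reason}")
```

Only the second and third constructed lines are flagged: the first restores extension display, the fourth is a read, and the fifth is not reg.exe. A command-line rule is the cheapest detection for what this run shows, but it should be paired with a registry-write event source, since the same values can be set through the registry API without ever spawning reg.exe.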
Renames multiple (51) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\tsMwAAEs\HugoQgEk.exe | N/A |
| N/A | N/A | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| N/A | N/A | C:\ProgramData\GwEsUcgY\igcckQEo.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lWYgEQEE.exe = "C:\\ProgramData\\taswkokg\\lWYgEQEE.exe" | C:\ProgramData\GwEsUcgY\igcckQEo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HugoQgEk.exe = "C:\\Users\\Admin\\tsMwAAEs\\HugoQgEk.exe" | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lWYgEQEE.exe = "C:\\ProgramData\\taswkokg\\lWYgEQEE.exe" | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HugoQgEk.exe = "C:\\Users\\Admin\\tsMwAAEs\\HugoQgEk.exe" | C:\Users\Admin\tsMwAAEs\HugoQgEk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lWYgEQEE.exe = "C:\\ProgramData\\taswkokg\\lWYgEQEE.exe" | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\tsMwAAEs\HugoQgEk | C:\ProgramData\GwEsUcgY\igcckQEo.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheEnableDismount.zip | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheOutCompare.docx | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSelectProtect.docx | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnprotectBlock.xlsx | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnregisterNew.mpg | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheCopyHide.doc | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shePublishCompress.docx | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\tsMwAAEs | C:\ProgramData\GwEsUcgY\igcckQEo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheCopyTest.wma | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheProtectStop.docx | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheTestCompare.ppt | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheWaitAdd.docx | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\taswkokg\lWYgEQEE.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe" |
| C:\Users\Admin\tsMwAAEs\HugoQgEk.exe | "C:\Users\Admin\tsMwAAEs\HugoQgEk.exe" |
| C:\ProgramData\taswkokg\lWYgEQEE.exe | "C:\ProgramData\taswkokg\lWYgEQEE.exe" |
| C:\ProgramData\GwEsUcgY\igcckQEo.exe | C:\ProgramData\GwEsUcgY\igcckQEo.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yygMkEoU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOMcIsgg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCwcYsEU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMMMkkUM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWMkwwQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEMIgQAg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mskQMAEI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCIcsIgM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQkoMgYo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyAMoUQk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecowQYEI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeIIIYck.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqsEkosw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqkEcMoY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAoIwQko.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYoMAEMk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYcUMgEU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEIUcUU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCoIEsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEgoYIIk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe | C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGAkYEYg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYEkMIEY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"" |
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAgkUEoE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEYQAksA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgkYsQQA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HygYAgwo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEYUEEsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWQIkoII.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAsQMsss.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOcMgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIwUggYI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOMsUYIg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGsMsUUI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omQAcwEE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOgsYkIg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWwYQYsI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCoUkscw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIUUQgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKwgAEkw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coAIAowE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKQMIUMk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YicUkMkA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqoMgQQk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcMcEosM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roocoMQk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fksswwsI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuYkQQEY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maUIUIgo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsYoEMYc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUsIsMoI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HucwwoQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwcYgMo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcsQkMEY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMscQQws.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skoIMgsA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyoQMQEE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYUQEwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsQswQYs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIAIYwYo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUAgQAUk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAUMoAoI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UakAQkIM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkcEsUAg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quQwoogw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAoMUoUE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIcUosU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCUMAcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysIgUkgk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMcMgIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMEUYoAY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeQcYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcMQAUQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEMIYQgY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giwAocgs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ltf9G5mI50OlS9qeMkC8Qg.0.2
Network
Files