Malware Analysis Report

2025-03-15 04:27

Sample ID 241025-z41rrsvdmg
Target 4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
SHA256 4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

Threat Level: Known bad

The file 4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (61) files with added filename extension

Renames multiple (51) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 21:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 21:17

Reported

2024-10-25 21:19

Platform

win7-20241023-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (61) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\ProgramData\fcMMkIkU\eSoowcEw.exe N/A
N/A N/A C:\ProgramData\yqowkwcY\aaMwYcII.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuIwEEIM.exe = "C:\\Users\\Admin\\omcoUock\\zuIwEEIM.exe" C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eSoowcEw.exe = "C:\\ProgramData\\fcMMkIkU\\eSoowcEw.exe" C:\ProgramData\fcMMkIkU\eSoowcEw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eSoowcEw.exe = "C:\\ProgramData\\fcMMkIkU\\eSoowcEw.exe" C:\ProgramData\yqowkwcY\aaMwYcII.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuIwEEIM.exe = "C:\\Users\\Admin\\omcoUock\\zuIwEEIM.exe" C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eSoowcEw.exe = "C:\\ProgramData\\fcMMkIkU\\eSoowcEw.exe" C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\omcoUock C:\ProgramData\yqowkwcY\aaMwYcII.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\omcoUock\zuIwEEIM C:\ProgramData\yqowkwcY\aaMwYcII.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A
N/A N/A C:\Users\Admin\omcoUock\zuIwEEIM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Users\Admin\omcoUock\zuIwEEIM.exe
PID 2092 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Users\Admin\omcoUock\zuIwEEIM.exe
PID 2092 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Users\Admin\omcoUock\zuIwEEIM.exe
PID 2092 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Users\Admin\omcoUock\zuIwEEIM.exe
PID 2092 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\ProgramData\fcMMkIkU\eSoowcEw.exe
PID 2092 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\ProgramData\fcMMkIkU\eSoowcEw.exe
PID 2092 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\ProgramData\fcMMkIkU\eSoowcEw.exe
PID 2092 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\ProgramData\fcMMkIkU\eSoowcEw.exe
PID 2092 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2780 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2780 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2780 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2092 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2356 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2356 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2356 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2856 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1860 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1860 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1860 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2820 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 1716 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 1716 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 1716 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

"C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"

C:\Users\Admin\omcoUock\zuIwEEIM.exe

"C:\Users\Admin\omcoUock\zuIwEEIM.exe"

C:\ProgramData\fcMMkIkU\eSoowcEw.exe

"C:\ProgramData\fcMMkIkU\eSoowcEw.exe"

C:\ProgramData\yqowkwcY\aaMwYcII.exe

C:\ProgramData\yqowkwcY\aaMwYcII.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKMYMQQs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KockMowI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zisEMwAE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LekYQYEE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOEwIgoE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScYMoQIE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqIMEwIg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMkYwwEs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgkUYMYg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCkAwwsU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUIQUIAI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqMMoYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xosIYsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeMgcUEM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGkkQkYM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yGowwAcM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSYQIMwk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSgssYAc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCYQwcIY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQIIAMsY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMUoAUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmEsQwEw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkUgwkQg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyEkQkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYkwYUow.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmMYEokA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGYMkYAI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAAUwsgc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "368849097-90857820322741869525245024-397505368-10003923191177738848-1136799963"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYMEMAQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-252006538-475984532476901305-17521886841593770001-453079917-372532228-1576712430"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sSMwIcQU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "166204060415219924231354439442-328875319-8542845671389712975-9990329772145319867"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEYgcEMM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2017035578-17696661342049642451209305682-962487188-1577154738-13551900701625763546"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LQIQIEss.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKIgwUow.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "95420411446569418011716650561929935232028696475154675318747277201-942888596"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XyAQUkMk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmAcMkIY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1132276778-942335972-1677952922-845744184-1765470137-349231739954433764-510912077"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\euMUYQss.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOcAsMsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqEQQMIs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1922959463-148025358517800555412896889691382288379-16948026801918201715517825726"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1848580955-955573307-876446663-32669080020052134081106598306491580121-45247011"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgUIAIYI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EukMMsAE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1297805733699644872-485853010-17261696761875233926-426537096-904258607-1311181436"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AagsIEAU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "681063206605013326-2041566488-941072574732603072-1656891766-17042069721829349666"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "893975825-4467610-1100742380-110139278711555027471102439971-306511123-1686612680"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIoMcsoE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5916484132063508247-919914666-692317821767876076656949977-372288682-584461008"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-730219505183568756-1947979620-373723257-766356538-21374783121596980493-328622819"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSAQUkoY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19922937898585467821224948587-19787458161922808870-107843885-1359925939198822398"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "395560766553504987-10656540845575071191861441617524237888-1380303442-208719497"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XuUwcEwU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9335502581415392391-42298945018401043861358082203-2204987102119020550-1258441031"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1401185080219454998-1050455078998040230-212404030420608010981170983873-775435404"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkMwAIcc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1317725264-2387638541556681827733010349-1542634073-16733274839252987891758660220"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2134517076504548527-8967882910417919559895228216108225277022750081099403449"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGUAEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUAgcMEU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\swUgoAsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2105152987-1630710192-589011387-1065469491-256521815-1353747337418268480-876614667"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1075353089757062155-201531094629969213-19435644821083968650892636039398880430"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1339884403-987329465-55981027-368154903-209261987-804934592-1089008451237214986"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwswwIkM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1852475528-1066464777-262769258-21473740193568789941686116941-1127726701899405715"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSoscgkY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20662067362019995481208075901-20348895901858965673-22728763318750501931392746926"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "887980474283166264-2070262840480686620-1051165356791298182-1103797211-772051684"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAIQYMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16741239281907603151-1834748464-8771288351901087840-20804937961690819140-1914395701"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcogUcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOsIsMsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-74097662334997021-1291738449-1274490444-1676904100-2076076529-16214985762104182815"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "146569301814125052093271613091469589205337941591675319761-1449575571254560530"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "729907834193266283213984063861428410700222701-10676190421547207792-349090074"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp

Files

memory/2092-0-0x0000000000401000-0x0000000000571000-memory.dmp

\Users\Admin\omcoUock\zuIwEEIM.exe

MD5 40d405614bfacdb93010d3221f9de2b4
SHA1 5f01480507a5046a8e993b992d1135e4382b7c0a
SHA256 2ac15180c41af89de2633f7ce15e05da51fe865233473bf3abfb2bbb162d4ffa
SHA512 951f42e539d4f23ba4f0a7c83becad9929f70960bdf090b095f41d92095debe897006134465159d7f98e482a0d31c1fc01c85cf6ab7858b334b58000185ed4aa

memory/2564-10-0x0000000000400000-0x0000000000470000-memory.dmp

\ProgramData\fcMMkIkU\eSoowcEw.exe

MD5 ba399c520a10f65ef3085c766eba938d
SHA1 9e2c9d9cea9654e1c88a6b6b842a222b7e7b9f2f
SHA256 6f3383c6d2868a0440f6f358ef19db5335539211fbeda02033d1b1250386b576
SHA512 bf03f6f9e46b35b6081abb6e97fcda9fa3bbc46ab290b4d65bf8c5ca5312f097ef6ef0bebec3a34595d217beeac188e0262e7ee523437caec5731f16374aed5c

C:\ProgramData\yqowkwcY\aaMwYcII.exe

MD5 56afe7c9d837884372fb147cdf8e305f
SHA1 634871e16b34e6f5ab96cb5040f1cdebbba7fe8c
SHA256 d8c5c392f6ca2b9efd141ad0f6300ee340c16e18b65525d7786860a876d94fc6
SHA512 6ebbc8e42aeeba4bf591303a8b24bee52432fa76d0f03b25b67b36175727c8a03a8791c9987d1b3c305655faa6cc5170aa56852a9a6793a104a0b5b643baaf91

C:\Users\Admin\AppData\Local\Temp\UgAYMsgs.bat

MD5 c8bf96418a72565bd644eb425e529fe2
SHA1 5f1cada7b42902fcc216724ea2ebaac842af8282
SHA256 dd83634e0bb322ee54870cabea8aa659900248737ca8743f3b6b81c509821060
SHA512 e77f8b702b33a70d30b7cd8344c730e1dd9ace092eca5aa8c6b0de66efdc11179848ce51a1a04b440694455553d9907fedde98fab328c525562f12b5f92046a2

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

MD5 7455307d1d96b6df1031eed8d010598e
SHA1 f16374bd24863520bc9cdea1ccfa99a540f991aa
SHA256 510a270eab4c149d50fc3feba4467d6ad65c55834236dbbb63ec8d47d7d75007
SHA512 2b10c850c688f6039cd20cf69067d961d3c4bafb6e9f8ec992459cd48f04009db7661c5595c509e257beade0b8ec987f79a87297084f9af0824b7787e7615cd7

C:\Users\Admin\AppData\Local\Temp\qQMoAIgk.bat

MD5 98519441b1481b824d34de4f545ec051
SHA1 32faa3f586503607ab5b92606e4e984ad1504433
SHA256 b69b004fd2179a3e275d5fdbc9cb1befb0b1c30d7ff917a9d3134f0469f18261
SHA512 baa468f6c8e311cfbf689f7505c32c49f9939eb09b8dc2b172518148a9f147f86fddd780dd255ccc7d83c489dd9a30fda4df0b8afefc36a7029d60678d8b36c6

C:\Users\Admin\AppData\Local\Temp\AKMYMQQs.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\AOsQcQUc.bat

MD5 71c5b065d01332d7d7aaeddc6ca3648d
SHA1 45f3f93ed2978f12623a594a6b575fadbfa7f572
SHA256 d5c102ea385de554bb1721900223dcd9ecf58a09dde8c32902aede22220c4431
SHA512 d7326052870e654338d6b58b4b58206a0a00a559ac4a59affd8e1f410c8ee8e6f0dde2ec57a3f4ec339c478c54f50f6e5da64f2700a1d8ebbfe44a89615dde7d

C:\Users\Admin\AppData\Local\Temp\xKYAMQwA.bat

MD5 f2a7b79f745a883b9bb5bd8eed4e4845
SHA1 4c6ff75a3d72eea3a87c671469f43e398eac6991
SHA256 b95d228ecef8c402635e22ce04ed22379f789c58ce16c8c9a9f9cc2dad0e5609
SHA512 b4f08620febbe1b73728b37da84601a13d94a7cf692a6ed17a0cbe9e1f6cecddab4b963d150e64904a971141408d3d304e1602f06e19de0a92a598b203ab0def

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\FEgMQMMI.bat

MD5 7cf4a0c81693adaa86e27c5b41e26a9d
SHA1 9fa2b3a82dac1009f6ce11708c81dae9700a5c82
SHA256 e3ef2d7f0bbb01ff6fbb6804d8121d5d02e4f59329bb735aec82ffd56d0078ef
SHA512 bd030cf235c4c6c7f65aee5fa277955dab2d6063298c25b4719406854b6ce071dcafb102ce3f29487e44dc8a440c3da142d374fb1e0e032b2382192525e871d2

C:\Users\Admin\AppData\Local\Temp\XsYUwscs.bat

MD5 36a1d85ac2c3116f1c8dde6ce18ac4f9
SHA1 dc8bc67dbf817f6181dda874cce22b0fa6e13259
SHA256 ceba37d5512767d26fe1d23d680826909b966932772652c02468c3d43b7c1042
SHA512 757d1286b8f3c2cc528aa3b73cc40003053d3bd2330c943f97fca0867091c1096ef0996c9860d72c86d28225ea4c6dbe6ec5151f731486a64fec6a6ad76d9371

C:\Users\Admin\AppData\Local\Temp\VAYoQIsU.bat

MD5 0fee3d481adcde13ca43f9c49f4dcba9
SHA1 4c9d8f12d723a3d0ed9d78649323b3883d046359
SHA256 33329c0a3771cb043ccd7479fbe2e25fb015b99b5a07aab3293a436f58500e0f
SHA512 5b092a2e84745e756354dd2dbc958f6a8d39d53f013b8ae8d5aac217658d0f4a97b9ea4940f9ace957d5a3335695789983f22642e59fc228d44a8512b312e063

C:\Users\Admin\AppData\Local\Temp\gCwQYgMs.bat

MD5 25e3cae07f36fdc839305bd7f6e3be54
SHA1 b7f91da9ba5d4ed7b90f5252900978181ceee9e6
SHA256 17cfa7bbd631c48d79f930e4241423460d1fb5431f10fed76cae87c78f899016
SHA512 484350b1ddd999c20530ff820c1338200e74ea0e23071dcf610a55b08800a8d2ebb5ecb486e17868edbbef8074f6f4fde5cbf0f931adb6e9ced8e4f534a40a32

C:\Users\Admin\AppData\Local\Temp\oOowIAsk.bat

MD5 a28359e1bc933b73ad5dd23511666b05
SHA1 c9de9fcfe660168b64800820b8e9d68768102e52
SHA256 6e9e8218c52ecb98ee57c4456bdcef476169a59d586677581a177b9a12eda3ab
SHA512 d212bad7f0f081ee6ca42bfdc64a87d272c9720a87ba6e5bf0c729063acc21cc9ae61d5d4d2495ca441c980d0614acdf265882379d501322849961134c39f255

C:\Users\Admin\AppData\Local\Temp\AgIAgoUQ.bat

MD5 835698cefab6022834b90ea0e741cf92
SHA1 877f22fd198da34215e356121568e4064207d66a
SHA256 ccf088a74b9bafd60db9fb3aeba2fc8d742f20f7533b6d3093ab9e995b8bc651
SHA512 e43d5730966c450b786b0fd0f6e500c2234601c24e40d7be89983a17b422a38d355e93c1c2912e8ac6fb67110b70139c9cd6feb1a96e88fa01f9bc53400ff6ac

C:\Users\Admin\AppData\Local\Temp\ZCQYoYoA.bat

MD5 ad82e5819dbf7609fa8986c941d195f7
SHA1 23be03c937c3c73617bea6adaa4d096e75fd3075
SHA256 ef9345d58c51d9c0935e2352af6864931b7970268b31091358a9ecae6f89eb60
SHA512 13a90ff13cb4e61725a1522c368391d3526249555aa97fb1938403f6d6c8fb1574461c4c2208cee71249501d60a40a2c35687b7731ea521098595111511f848c

C:\Users\Admin\AppData\Local\Temp\HgUgEwwQ.bat

MD5 4f656966c6d64ebd6318acd0f4a8fb22
SHA1 65319a60c888cb657e3fbf37f1c7d37332817b26
SHA256 78ba34ab8b07b96071e54d9a564645793b833ac5cc2adbcf068018c85d45ccfa
SHA512 7697428eca23c8990c35a1d9ec7247db7c0d2968ff104ff4361451879425e0759a639bccc662e7850b9257e800d4be1a5ebe1af73e676616d24d46ea89ca4830

C:\Users\Admin\AppData\Local\Temp\TWwwsksM.bat

MD5 3e7816efee157538e361f356651e3945
SHA1 686589ab770aad68a1b4d5952b50ea99d9f4280f
SHA256 3b9e6ccefc539c71ede092b1e473b29884fb972e8b5f034f6756403f79a64ed2
SHA512 63b423bd08ce5f5cf83cf1761ed94316332dc6e0f37fafd1eb69b9ff11e9b9c73f2f41f642a5d9a2e048cd7f2f86093ffd57352c3b2a51d0d427f22410e6715f

memory/2092-281-0x0000000000401000-0x0000000000571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMgQsAAU.bat

MD5 a9af9705c2a4dff87cbc631437ef5092
SHA1 1101cc1fae132baaafa35f1682722035da468655
SHA256 8bb5698ade0aea39d7847281139238dff091542bb4f8edca351b687ec01f9c8f
SHA512 d6044efbc7435a0223cbad4b6c119fc8e733be9b01a27f3950828247da7814cdbee539ac4b068b62482264a16b57fa57ab9120c05782e6042815034bb9bab29c

C:\Users\Admin\AppData\Local\Temp\yQUIAwoQ.bat

MD5 2292452e995e78fb7b4138b347c6fb97
SHA1 cb8dde276fe68ef12264cfd7bc030ae910e4b519
SHA256 4915f992bb57d8d1668e89e92a209b8bafcc5ba7dadb376710327d592fcc77b3
SHA512 d25d31aff009c34d6905d235d9602f3c0c16b08a33d0b256878233e8322564e053c8f20e310910dad1745f361e7f9d5b2ce6ab70d1f723666cab12b7292f5c3d

C:\Users\Admin\AppData\Local\Temp\eYwwgEEM.bat

MD5 9279bcb46e9c90884312d709a6e42a35
SHA1 837bf4d0454965e5ce542ac7ce144ce4c8ad9141
SHA256 36e84a0bdac09aa9e212e6002dd9679594a65faf22ecaa1af6b6c131c76d6722
SHA512 b73fce70912f051719900572c9627910a068a4b71a73e3b3d6bd6b06e5e85bf384e647377b0e0b55ee310db128c4f2e22a1bd893114f45e38ff974e25cd52430

C:\Users\Admin\AppData\Local\Temp\WUAMMIUI.bat

MD5 2538a0652234fa6995f2cc798f2ce5d4
SHA1 2352ea5a55394fa8854606df93eb2e8a65a3e3e6
SHA256 5e3a7f6819d15d5cb473762d1300e504f8b6a467dd042e964c3cfcd8a357e9a9
SHA512 86a01da273e09fc37392435adee2ae8e288e33eaf311930e958b3e4b4f5d8ea27c4d378d95ccecc582e14d989973212a76102b9169af3e4e7b4f9189501da723

C:\Users\Admin\AppData\Local\Temp\LOgwcoMM.bat

MD5 71a105be552ecb7a81e318500a6a3a9d
SHA1 81072aa120b98266b87fe3ab5b2917ebe22dd987
SHA256 f1e37b24daa32611e6be774df6a6d431be8b9fa261227b75665dc62103b7424e
SHA512 61791f22d81d2f0394b2df09fc65efef166aa6233474ae93fb5cc1e803eb591815b78f40463ba05659e42c732714f31cf70e50853364a6a7b02ebef542cc34f4

C:\Users\Admin\AppData\Local\Temp\jUQAAccs.bat

MD5 8ea0dfb8f20d0cc313562d99610fe559
SHA1 de457c997ad1a966df86ae74bbbc7680968c072b
SHA256 7ea278c6309168ce2f62128b0ed0ebb734dddb28b9d593a372d7c80ad83bb298
SHA512 dc775569d8e96cf53d8248e94bf61c6b098aedee27602724821ac1cdcee21e1c079825e3a2ac4d9ab42bf3375deffb5086add9ec46539d569a2d4b634941086a

C:\Users\Admin\AppData\Local\Temp\TAcQskYo.bat

MD5 ccb906ecd0c9f6423d99243d924391db
SHA1 1a73a4d2c0374b09ab1062a94ebe2c5a5f1828dd
SHA256 cfe4bccad2917be866d343eb9ec290cca6ba18e429470f9c450bcaf9e297a22f
SHA512 803552416e3b3fb3f594ced85b2841cd5fe58e177d98aa00700fdd672740afba761a62eb53a2a8c20b322416fec8fc4ee5ad7daada9d020aecf7bc2f7c21e550

C:\Users\Admin\AppData\Local\Temp\GIUcYwQY.bat

MD5 b145d8a15d611134381fa75c5a9790d8
SHA1 57a4c801ba68673c1b2e847a626debec98480ee2
SHA256 f12f75cd1f050c69dd738932e69c2d32cb0d74e64de46eca61db2fd346e5dc5b
SHA512 3ba674afd75f696853dc93a70aa8cb97cbfa0e2693d5b37653d93dd163d1df17dec4b133ca55710d22ec8d4d82c23136a7cd80eb320d2e562ab225afa039eda2

C:\Users\Admin\AppData\Local\Temp\moQA.exe

MD5 b56a6441c1af10f9d5c8e4806244ff1b
SHA1 5c6c8b87e8debe6d4876581ec0ebf1ceb07e6e3e
SHA256 e34e200e11c9b2c3275b1eb1ebb7ba8d5994b4a4674dd0a41c079d8181b843a0
SHA512 42e4716a1e8184ac08a263233dc9272cf4a5e3daeb2c035504d9ef9b1ffad9390bd1544516d8aba6bb52c6653097769a3d57a77d4da4dea840f61e832c42d9a5

C:\Users\Admin\AppData\Local\Temp\mUUa.exe

MD5 32714043ffd2816067f0fe80ebb42adc
SHA1 c516c6d1167709965242e3372592d909be1d6abe
SHA256 efd3fb2eaae3a90d0a01444dd82530e06a4d1a56711c99340e03dec79ebeec91
SHA512 a34d0e4c082067d21074aebc7a2670fcc972ac68b5e9144a91669b8f60f4e5297dea59a67fc139094aebaa748c01c9e9eab215f5ae5674e70890ca1e4ebbcecf

C:\Users\Admin\AppData\Local\Temp\wmQsEAoo.bat

MD5 8db9979a3ba85779b98e5a6a43284b42
SHA1 355d7b08095956dd92102242a7b8e51c150bbf18
SHA256 8cb3ad3a0ff51881547b9d2a0789abcbd9f1d96a3d6dd6d95887fea6a227228d
SHA512 6f182607214ec08ca87a42017eb5e84e447441f09c8b138bad45607e502a4b4152defafa87be0a67524a73fd27c768443f7fa5711c3b207010cf38a11f441c5c

C:\Users\Admin\AppData\Local\Temp\AMss.exe

MD5 446718447ac188b15ca726a960b210a9
SHA1 f0d75efdd88bdfb5a88071f20d58d464266181f0
SHA256 9872b8a9fd6055ec967d37b8b913ebaf188d19c43dbe215ca8508ced913459be
SHA512 0b91f550fd7b7ec68bcdf4751634b9086028eaebd6f73a9f5652e31e767138f4a9f48bb23543f32dabd7bcb5cf0ee9cde80e3a8210dd07d6631117ff575daa95

C:\Users\Admin\AppData\Local\Temp\cAQw.exe

MD5 82ce42cfbdf08c9889b446073bf41057
SHA1 c8cc7a5d68f041c8d3db2f9e0e5e04773f007deb
SHA256 a202138c49d6d24e01696697cb3243487c8b2f8e02ca7e8fce64da78dce63529
SHA512 8cf67683e216df99194a4d4019ce9fccb4ad6cc9d6b1e067ada9a80ceb15a4969b9b597fde8e09e31871d59791d9d7719b925e25bed4680ebdeaf92084ec2a18

C:\Users\Admin\AppData\Local\Temp\QYQi.exe

MD5 ed32fe7b1563c6509fc8f1bbdaf46695
SHA1 d26b8d76b5ba1c4b840821777336c46c1854152b
SHA256 f1f1fafb8885613f1b35dd165e0b7849ca3551540ca9eff6ea5f695354ad5d89
SHA512 5319e492b2855e94be7d189b344c79538a977b7a9b523db8de5f47b99f2dd31f58fdc93a27bd824347648e4f6e98fd2d34aacf6a0a424b74f81c273620743eaf

C:\Users\Admin\AppData\Local\Temp\iIgAoEco.bat

MD5 34ac807dca4eba11e31261ae3e1d3e4f
SHA1 c5045540db535ebb1267a12d35cfe5b2ac4183f6
SHA256 f1c92825e62db0f3aab414b95f0acbf5396b7636de61fabc62d44f6d4102e0a8
SHA512 25425dbb19d28acbab645a95d261ef3149fdbb92459bdbcbe9274695c2fc7080081adb40c383c7fd4e5ad009d95872b082aa7a99544c880d9127bdee0d148fe6

C:\Users\Admin\AppData\Local\Temp\WoEQ.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\EMgc.exe

MD5 a513c81c0f774c3a78628eb947dd3c2f
SHA1 6faf3980b0af840b18089ac7e5609312a59a1bd7
SHA256 0b4040a787f36c475db72742b0265299f159034c270dcb0ef6d325b03a26394b
SHA512 0c4c53de1b9f405d401d1b5ca964398d5b7bf1cd3328514117f9f9f82762e2796c6ca79ce2fb53a030a6beb4e6356deb3deea987ce3522b51c4443b845089157

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 712177089ac9d1ac5ef21f140e8cc9bd
SHA1 69d4b91548c0fbaa2a292e9a1a17003974d20747
SHA256 71f3e58a2e5040b8a9d7a578da532a02cfda588b3d4044dac1f1a31db141e07b
SHA512 14ea8c0cfe0c83435bb0071f3e2ea74497606a426468f8f6787f0d4e985be2157036fd80cfc2152dddde92ba97acc91adf0dd0605178f6b0d1233b3906319d3b

C:\Users\Admin\AppData\Local\Temp\Yssm.exe

MD5 bdce8e64088e7dc00328063c67174eae
SHA1 bc54cfbd7db7a920bdd3b5619f444e2e1df4c12b
SHA256 4352ec0123cef204016e32b46d0e8246b62e717b594fdbbf7779b8fc04b016b4
SHA512 860047d866e36e5f6667998dbf82454809f5de85b2ea30b49be4325821f1a6b6d84cdbaf20b4e04fc4b2c53550c8e3185f183c59182f5beff0d5c0541034d6e7

C:\Users\Admin\AppData\Local\Temp\IgMq.exe

MD5 c3bb00c51270c4c8a1298a94bb32c1d9
SHA1 87b05c5df2d80943c8342e3d8c7ed4ba79b2b4da
SHA256 ae201a0c7866301eaf7d99c74a4fb532c236cbd94260053c1082c6218c18eea9
SHA512 e8e1dfddbc1c8811560cfdd8f4303e7ff60c32051650c2b9d1742b8a051be91b5a37c5b132a9501d125c19eefbf2e5b58d43c6b30dbb0f48091d680026c73bee

C:\Users\Admin\AppData\Local\Temp\KisoQoMs.bat

MD5 35bd3c6a17b6aa19965226a66f502057
SHA1 d73b54b791ec0ecaac5413052d6655ce5c40a260
SHA256 ca3c8eee4df3aca46ecd6a393ae80f153937bef48e717da4705c10e7fda7b080
SHA512 ea0a462a8035f2efd5a9b10e774c171f49612dc92ce6f3740d1a7206cd52b647a61dc05c6b1efbda9ee0f74b2ed75b92cb576b2684db9eb134106ac5ddaaf3d6

C:\Users\Admin\AppData\Local\Temp\iEsS.exe

MD5 18e27254f4ac23351d27a46ed396bbe5
SHA1 8cdb40c525d639a955dfec57e3659132f7f8b7e1
SHA256 0cf7723ad64f822732c1063b3469a7674eff3569ed3c90f9634f658e296f1180
SHA512 9a7f4cf23bc2355205e56f5ba5cf13a1c208e7774c90f13a34689201997d24110b0f3177b23532c81dd63c7acecdbec20e02ebc2b070d568246c1148b4d50a86

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 cf8b84d979d1231dbfc3bfc20416758d
SHA1 76390b71ecd6b96dcb3b910bc467aafadc3c1b55
SHA256 086e3a33aca4eb442e972fe89f7ce0e1068444e56c41f179eb10023db350d976
SHA512 a5037f6830cad4eeee16713bd77dccb8ce362e963c1853745bc47a33967ba9b51fb82946df4422f028635d7c5bc871cdc8e47bb8f0616e56540da8cbbef972e6

C:\Users\Admin\AppData\Local\Temp\gYcm.exe

MD5 4bbacf56975761d3ea348d5e8cb4adcc
SHA1 15b0b1f62bc54aaf2fc883a82ba7e79002cd2fa4
SHA256 0abb9d52f9843b580b58db02c20d54156d7667ff6eb015f76a4b48ed13aa13af
SHA512 ba4ca06ee94132ceccc91e39195a7655ef484c073061bfca56fe20d93a43d4a0bd967846c0699cfc48cd4b35b0d137afb187ab2c2ba352e624401ff165f4f1a6

C:\Users\Admin\AppData\Local\Temp\EUcu.exe

MD5 0380cb7137dba193514270c8d33c4d7f
SHA1 9476752607355588e3e61f50fcb88ea3ade9ad2d
SHA256 01fde3e195a592d1225e33717e4f541ba88242d6174fccaf273bc877f7ab0696
SHA512 0678f063b27434e4d332d0b61511b41ad882acf3ded2a1d8d4527a5f471db4e31f3301ed36ee100ccf0327438b4efbeb77d87225cb012850a104e2b53a982f5f

C:\Users\Admin\AppData\Local\Temp\oAog.exe

MD5 08113230e39a18d3fef555113d18b984
SHA1 8777c69f2a81473e116da67ca0beb9ebbfa8c8f4
SHA256 eeae93e58b070d03d234ea6d5dcf2c7945159184b51ec7920294c1432e758e9e
SHA512 d30ff81b75ba593ba8f57d7f861649324f43634b9f63fa767de9e4932b83c96a457498d73a6178330ac7a06d699090590e819540e0a8825371682f73254c81f0

memory/2448-670-0x0000000076F30000-0x000000007704F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cEgO.exe

MD5 088c440ce2de2a7e896c844368aa8f0b
SHA1 b406b3945b9e8f684bfd1fba66944542634e8597
SHA256 025567dd1c001c9b39eda329ad7c66f4ffa1a5c03de9c4e9cf18c0ae44e2ad08
SHA512 ca9b1636e0cba4940550316d12e607bcdfd2becf7987cea8fa2d6044420545e6a519e6fbf76d90e4167062e50bda8d6ef9cf995245e50c7e372440d8996c43fe

memory/2448-671-0x0000000076E30000-0x0000000076F2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fMEUcQos.bat

MD5 2f3c8a4812fbbc05874a5c6a39c0f71a
SHA1 83cbd038492be8310e455db30dc6c2931d270b19
SHA256 6d95fb04f1cf424cd799f99e056e340c6dcbd6cadc4fdbab12b71fc331f20c71
SHA512 5ee437e3540daa66329b30bbf4d5a0d0a81094c8eb6f86bf12249d5c72c59ae4dc59f7c711cf77e1a025988632fc15b0ffa323c21b250ad41f43c75bdc383b44

C:\Users\Admin\AppData\Local\Temp\KsgU.exe

MD5 030febaaa07e5da234c135e087aafa20
SHA1 c1e1b4b2bebbb10c283dbc7886e9ed82c9c259d4
SHA256 60a1dc8fcc78214db74bd4ed2fd6d9b5b3b165521870ca1c9bb32232f50d5c6d
SHA512 5a6911d2457072fabf4d864fd99be251cbb48a7ead18db3f4646364c55ada65690ddd84c3f8ccb560cc678dbb87f77e8e64400532802811f06f84cf74c0d1914

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 593fa9011cca2d14e25d43f99ba03e77
SHA1 07287df257b21cc2404ae6d514dbbb10b3fa3013
SHA256 5b47095a391d2ba8755159cb0a3c39c99ad55c1e4eb4564c9455731d3dc71388
SHA512 583359a2923acf2666a644ed0447ac50eff902d0d9d8c71c615d9c6b7fba0a76e3a00392541f2d8b1b70613c59047f7593bd4ac0679efc4d1d71a36401ce646d

C:\Users\Admin\AppData\Local\Temp\Sgcy.exe

MD5 4cf90789ac270ac8ee6329f1a1967644
SHA1 b5bb8bb48da2796b2aa2a36c4f3a008914df2eaa
SHA256 429d277a01d434ec898b90912b9c02b63d399f9fd8ce335b457908baa07c81db
SHA512 561defc8819ea0b2f26c563d415065e34efaa11be5359fd3dcccd7dfcb02fb3fe1f68e3cc31ab2ffe3b9c84d28f48d73e2d1c8f66753601c48276d7539755a74

C:\Users\Admin\AppData\Local\Temp\SgcE.exe

MD5 997528e1dbe8d0c1e25d9bb86bfcaabf
SHA1 3c1dde20765d244722293475b4a8c4ed50e0a82e
SHA256 0df923d8b5ff99c04a4140c5a0b6fa52c0f5e16990661753d2928a8809fe7a80
SHA512 c1a38e3ed79daa2ba2566ab151874fe38ae08279ccf7170e56fa1cf69e52adf2366d995b22efd81e4c1026dcc5639ecd6a32a0da1b95569feb3d22b0efe92f50

C:\Users\Admin\AppData\Local\Temp\JEAsgMEk.bat

MD5 e77f794f84a8b669afc90fe29bf9da5b
SHA1 d84769b08810ee34662338eb7db613a8aa01be7d
SHA256 6087cbd1a94b41d39b6268f36771945e398e0f0531810aeddd49b3e1c2a5e3a4
SHA512 9cb988aa1d3e46d9f429785fd216342029c05f3bcddbc88aa11494a492ad6e3cc4ac4eadc6e30b9632c9f2708dc77256608dc93b57adb291570836c185ad8b33

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 035fa9dad16cd430657494d077fd1ad8
SHA1 76e91cfe56eba8fd98de2b1587e22886255de941
SHA256 e7a948e2a9fb6fe65ec30fb1a6a3e7ad4c5f765657c7c3cb6357cab426bf8c87
SHA512 0411f9733121f3bdf18cd55c026f0964e91db968acbb06c73860878a3fdd48990de860ca5d656444947090279a8f7808402c24629a626e4561d1ab0f67d57600

C:\Users\Admin\AppData\Local\Temp\SUQu.exe

MD5 a1d508b15c25034ecae2934cbca6722b
SHA1 0b0bbb5499117e1aa0e2ee41e7bb90c13183b521
SHA256 365310a6f658832edbad16a99e55782ec8b045972da4373612961294a7c07d63
SHA512 36aed4dd422bcfcbb1dad60ab00eb6c70cd7633b7f691979391ceb7e76063d524b099d9d19139917e51ef60bff7ac98525282bd3830afc5e8f83a4bf0b39cf6b

C:\Users\Admin\AppData\Local\Temp\MUQG.exe

MD5 6174c74b51fac2323e4ae0ed20773302
SHA1 1727c57a0102f14b6ca1445a338ddda8ed0a4297
SHA256 98363081314ce03c9fb0f18da05d9fdc8fc73fc60e088488d0eec757e82824c3
SHA512 1e7d107c61fdeddbbee760f410613b969f5cdc077b5e8202d00291ced0dbb0efd89841d98ee549cd5f3b15244fb70d0a4a7414a3046ccc5f94638e5b8e57a83a

C:\Users\Admin\AppData\Local\Temp\iMIa.exe

MD5 29c687cbd8a89401c97ef28cf3e8389b
SHA1 f9fadd82b9b57b892924f9656f2ded8446eb54f0
SHA256 84e01c5ce54f5414ceaa757707001c2473f19d53e44c7a3b061db29bb6574413
SHA512 2f94fbe0d1b48fc7579f4876a2a0605de5d94ce7e43fd7b115b1924b1364ade30ee40356b18da96746de75ac501147c760ddc4a9d67dc9432faad4ddf1c9b795

C:\Users\Admin\AppData\Local\Temp\QcYe.exe

MD5 76629d3a9b93fe23481bb50a136c1747
SHA1 5f8eadea64af0901255a51f30d8c3b56fcfbc455
SHA256 25331bcbcf1ee758d920e1b85d1592eebbe2eebd34969b20c129391d3ee90e06
SHA512 2daeca490f4a672a08b873da42e5aa3580e6f4e7d5ac8f304ba9aa73b982296ad6fd0a8729deb0d77cfdd25ddcdd68cf7d3d4aba1a5cb64c44d63e7db305d504

C:\Users\Admin\AppData\Local\Temp\EkIa.exe

MD5 a9907666443f0398620a5aaeef4a14fa
SHA1 d30bc3a27cf7b8355496a129e0402b7ccbcbc187
SHA256 622aa903e4fe9e1794a2c178665fd52d14064aa9e33733e4f6444ffe5ca29993
SHA512 7429d983007b5e58f83b0e55e9543b4cca8acc230d27622b1055076cb05af31e521ead21d310219bef57f2f094894e0e1432957ec6371ec39ccce3a11918cac0

C:\Users\Admin\AppData\Local\Temp\HKsYYQcs.bat

MD5 30bc8885c67b9b8d7eaa07b414634cb1
SHA1 e2c76c292dcb41b88b6b8eeed0c3ae15999c7478
SHA256 0a2b7cee2a49da0137d948c1882fae541630f248d56455930929425a7f0275dc
SHA512 b1409f3bde2cd1f92b64e5b960554f9891999cb9de4b4c223f9d470cfd2619978667634a40b66d1424f79cb74d1c496ed5b3863e43f79e25c8321ff428de9312

C:\Users\Admin\AppData\Local\Temp\ecgG.exe

MD5 50bd445485df7b172e2915076ca5f7ca
SHA1 9169f9d18c4e4aa18752cf1dbd33ce08350e79de
SHA256 d4501d8c6a123d975fe08d343bb5882c36119cd4a78e6bd99593747ad4835778
SHA512 b7ff9b76697759f11a680d2cb79944a8bd84934b10f1a6e041882d0b7b728b79dd91b81ead2612d1bbc2aa1cfa6c8cfca2512771c1e95410cf4210b7069c1599

C:\Users\Admin\AppData\Local\Temp\gQAY.exe

MD5 ccfc9ac7f7252cdd0aa1a4ccf55f9259
SHA1 ed443819a24f59b6546bfad1716936609befc903
SHA256 a405a9bd57cf0e2f4eb78a50e595e3f8efc4c72a5a09b76514e9158ae8048291
SHA512 f5aa2deaaa76737bfd644cd66a24ecc643d1cccd9fb8a7a1c04b8a44f78db2a0355ecd7722be53488c5488a0651870baf91cd3609420662e0d1fe2c54c5be4ee

C:\Users\Admin\AppData\Local\Temp\sswA.exe

MD5 840fad55c4f858a33042692d7fbd4853
SHA1 fc734f0bfc7c764af7b391806898be50fabb3e8e
SHA256 6517f4cc2e1a456e8987adcc7dc3bf9cc8e346bdc3c28a1e400d7698cba5d6fc
SHA512 ad06ded8f9e4a6d5df0a3255a138c3602f4ac61f387c4498530e9b7548d3cfb535218bfd7f8ff92da2d225e7290f9800b3a3053199029eb4d19cc75ed98a5783

C:\Users\Admin\AppData\Local\Temp\IIUw.exe

MD5 4c7913178872d7b174c188dd8bbc73f6
SHA1 765ab1313d480952e4a009d1a96dcea00a94529e
SHA256 e7fe0305ff5682c31eb107b68ed8b16e8db378a76aef3976822acf12a0fc2a06
SHA512 645b5e884553849b78509837158b02b42204c9f786373e21525cb11c751f330b2145e42c10e6bb48fd70e56d874eb2cec149ea9691b3797b5a03c235417e90de

C:\Users\Admin\AppData\Local\Temp\Okgq.exe

MD5 d3828914083f8f176167dee19884f578
SHA1 8aff2b0f5b86eb609bdfeb9b1ab41e095f3a75ad
SHA256 d8a28b02b5f5a16db162b0cc67e5a49085e9b5a304dafbe2659cb95b455dc9e9
SHA512 8d87c46a9c0efebea0419adcf753ebe46403aa5848c7ef99d0778bfd82e78811c89755ac752e982554923f5045ee7189be44897613e6aa34cbb7ef55816932d3

C:\Users\Admin\AppData\Local\Temp\GUwO.exe

MD5 40300daae3df6b55cc1476598c2c7054
SHA1 4927244ade1e3a5715e1ee9e0de0d9226137f1c2
SHA256 3e5abf4c4520ac4c421ad2de907d33e6e69aca71992d1e84e0979861615a3d61
SHA512 e7b7f967f4ae0c87655129980e484271200daff5d68388ae44f4751cd32aebb3a65e05ddd92d651a772f82eb17d03590cc6dcd1de60a239be8bae578ba0e903e

C:\Users\Admin\AppData\Local\Temp\sgoA.exe

MD5 9365647726c4252391ef430616aede62
SHA1 2494e24a8bc7e3705250f55a5266dbb61bce7d1d
SHA256 e7422e9f2613069bcf6ca0279886cdc5424bd696e56196fe05b3db341c04ed60
SHA512 992d4905042f8d72570fe9fd7bb1c00b7b1e46d70eb02a8b01af096d3b01da9700ab67e72d09ef75f81b8be8163a060b974ea7efa50a66380d15928b64342414

C:\Users\Admin\AppData\Local\Temp\QYAQ.exe

MD5 0adf98421737d63531cbcf17499bef2a
SHA1 972406a776c61d8e2fa611d8992530a85438ac71
SHA256 ea766aa64ccb0d10354ac458602b0f8da92b2130176d98cbde9cb609f7464547
SHA512 5ac0ec361de4675de7a07b0cf345f03220db92155fd74501a81044151eab6d7eb771935b40a474edf22c10e354e545a3988d032e03e88fe4f816a3e920fc652d

C:\Users\Admin\AppData\Local\Temp\ywkw.exe

MD5 03a49bceb32f6498e3f8f25d0352d992
SHA1 e5de5e8c2582dbee73698a5a50ec26e3aae65257
SHA256 c03ee9ea9fd708c56d2af67785fa14680065c8374f40e89daff1386b3da1583e
SHA512 c28a9e7039180300f2310d7b5adca4b47aae2f52177c2bca427f3f2a3ca2f2a90b584b79bebcc35236d4bb5b4d4273667f87c3353d5a85570c84f23c34ac47c5

C:\Users\Admin\AppData\Local\Temp\RQAUEoAI.bat

MD5 82387f729ca085779c70ccda757feb88
SHA1 2632ccb814ae8be176bdc00e9b038c60ff4d2829
SHA256 f3ce2f4bb4449342ecf2af7b17c7f7c6bc838a3be4768ccfb4298917120b6bd5
SHA512 c2b2a138ab8b5ec692178f56b35e3ed9dda2d95e07cedf4da8e3e6a3fc9aec957f5965a0626b95975c6888b9993a9e2a890ed622ce0d2b4f343071060c465c1d

C:\Users\Admin\AppData\Local\Temp\yYsa.exe

MD5 f88c24f961fcd66b7b9788cdd7bb758e
SHA1 7e347223c6c4fc015f2d801035ae141139212b27
SHA256 9db1902ebd7961c39d69d19149103e0479d4a061bedad70cacfea81b97b916c7
SHA512 bcc58beb9d72cdeb9af353331c4063e427119a2fcc7c2d0456777267d64606ba841a5f0aa24d646b9cc49f24623f12baf180b7aa1c4661f4e3c39bfb155d7b6a

C:\Users\Admin\AppData\Local\Temp\CYIc.exe

MD5 ac5ebd504e056a5865e21af6c1a205d9
SHA1 e6c2f71871bd6577b988c093b98f3b4f420012a7
SHA256 e60ceae1b1840dd53a1861b3aded485ebc525e0807260e8d965f82fa12ae17f1
SHA512 70e429d4355035c8a1270f2b52c1629991e42dd005dd77099263f95abcbe5911f42e9b7e5f127984a0b12d34e1cfb6b87a16a8c41274b11362300d0ceb96f5f5

C:\Users\Admin\AppData\Local\Temp\uoMe.exe

MD5 9d4104b56247f0a67fdb894b46333e98
SHA1 9c6dae732aefbf2f0b8fc75b49d03277d2cce0ec
SHA256 684b3fd800dfe99d7b1a23e4d08630c47212e1aff42e1a3c3376001c1721cc69
SHA512 784d0a2d45bdd5cb6ba8ca2f381a208a6601ae1af8083482ea00ec2afb0f5ccbe370e4562b78168c9050b38f280de17cb3d441af0e17ed87d3673fd1d24c3ea0

C:\Users\Admin\AppData\Local\Temp\IIQo.exe

MD5 077bdce7fab4a4e3a1d29b6262207ade
SHA1 b3318ec4c6e3a59fc6d64da6a7d65a5946cb8cb8
SHA256 8dd3e13c9bce60c5aab39f7bcb0a2b356560a629be8841a86bc2a7338964f787
SHA512 88cae7a7a3dec5ef3f5f427189e79cb81d04e16b33954506212f521aa6680b1770169da1cf01d95354d0d3c3ea90caf5e1c090d7e6f018ca108640c66e3095ca

C:\Users\Admin\AppData\Local\Temp\MkIK.exe

MD5 44a31119e0ae7c97937d65d702233148
SHA1 1879052f8ec4d3fea1b6aae3a5eb93f8e0b45b7d
SHA256 6812cc389a48d1284454c026389ea37532a0ba59fe0168a1b0ba07bc0e600af6
SHA512 2621864aa1fd84fee7d68a11e331a9c03a46fde13f6a03c2443b10bbf34bb8c891aa8778981f9bcf2e4a5cb0a11586a5112095507c6404745d3f837739522caf

C:\Users\Admin\AppData\Local\Temp\IccK.exe

MD5 cfb3b5113402dacf390ef5a0bb0ee1df
SHA1 8750eb673cc054760a72824c0749184f129dd6ab
SHA256 57ce8cde73cc09b0210e1cd16e7cef0b4ad951ce79074ada3ef4428f9d6e94d6
SHA512 d760d891eb954da4a21fbc7fc7661388d24037043f9bb025488f12710a47d28cb339b3609306b6b071aa4840dc5cce60a60b9e476666d9cdd9fc66b09d5a59e0

C:\Users\Admin\AppData\Local\Temp\yIge.exe

MD5 6b7c1b337daf831dd56d0be06af10301
SHA1 c39f75d1e08e6e4bec5e193d56213b50cef7d1c1
SHA256 20d93b36d3643c598067a42cf719438b88de9701f16460a1e1a4a497b076d7d7
SHA512 07bd9a08ffdcd58c02e1d116e406754efa0036bfbbe3258d77060c144f356723d1aa8604a1bccb08c612b2652381445f1e5f7471e58c5e48e986b57f750b2f39

C:\Users\Admin\AppData\Local\Temp\KIcc.exe

MD5 83789bf856591fcd213f53333145cec5
SHA1 b3524c33e3540b0f3e3ba16ff13887ff4575e6e3
SHA256 27eafc8c663abd79ea83b72a2077b903f83449e3bb148488fbd641df673c060b
SHA512 4a06ebe3f2a22d6723506b476c186a54e75dd14701303075d7febbc26d06724d1776de0e4200f00d340e9f7b629e6e3e671b454e31bacccf18419a2947f9470e

C:\Users\Admin\AppData\Local\Temp\CiowwMMs.bat

MD5 d7601268988befb1e98c478ce1a98797
SHA1 f8692396383f398414c57a4bd4e77e2fb131161d
SHA256 091844e47d37fb0608c8e02c2af10ea4d8845c500c55a4a6cc5b709d8da0b433
SHA512 5cab6c9c1ff97308a26701505a1973f173306be14a7bd343d64f05a97d81001bbffcc5c46409b732f562bf0442e8ada168c016dc7661519f71c58563b8c95ca9

C:\Users\Admin\AppData\Local\Temp\gMoo.exe

MD5 65a619269ac9b6f8e78a26619eff32ac
SHA1 8f5a54ab2510a716bb32d51758a417c1794708b5
SHA256 0f4c9ddae7f52e44f0376b09cd7d06bb115e22d90d52f2fe2c5171f6700b1390
SHA512 bb3bd1ef0692c06b12f6693609694ad8fe28d8a4b6e5f89f5608bfa48cf2dd88a3fac7724111426df37242330d2ced7ed6880d479a1b53f13ec0aec8dcdfd6a1

C:\Users\Admin\AppData\Local\Temp\uUME.exe

MD5 4b8b1dbab8546fa4418d4106be065ac3
SHA1 c1b68158552861d70ed9231b9bf67e2bbcc1f44f
SHA256 e77dc63793333d654addda924c4fe6c5824e3e62386244c3e0c8d064af359393
SHA512 b1e710a6f78ae5145dd23d3911b0d1fe61be52c5d89d54dc39025b7914fc33ae27d01abb354f5d4af2166cdf41f3d3441134b0b3b5ea23cb7c424f83713333eb

C:\Users\Admin\AppData\Local\Temp\kgYo.exe

MD5 8592fabb5e81e3cfb461eab3583be05c
SHA1 d7e7ed503e9415c6ed79cccf03bdcf78f41e033b
SHA256 983832ae3227a5802c08fc7a3cc89403e373ed876d4fa6a0c11b0f6135a219c9
SHA512 c8efc27d08c8dd93bcf98b45ff7645990b464e2ce6bb03e5aa690bd77c0835d93583eb3aa865aacf99b040f5b26dd1a5b9c83f012001ceaebb5134c75cc54b84

C:\Users\Admin\AppData\Local\Temp\wEUc.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\kcIW.exe

MD5 ee18e0a4b997970acb8f41e8f38d6057
SHA1 a5d5a345d7d5bfed8c29b79ba570b13b6567cebd
SHA256 2f3b087177c405feb0a7a264dac3397efde823ec0091b763e1b047bd13092aac
SHA512 00b7f55e8e75b33102b150cd524c4e400c5f64e0ff5d6ced6a1b91890ffc53804dab34e04cf50688569144e3200a648849d32f44a6c955f344a5cd5684acfeb6

C:\Users\Admin\AppData\Local\Temp\aAAcoQkA.bat

MD5 802a891598f0d3b43335b825c49e3892
SHA1 7db452f7fb4edca00a4595f69b6cdc16e6a22f72
SHA256 32ab5dcfeb93714f84381b0262e63c452201bacfb8a7033ae061f250c5d3d74a
SHA512 cfa6c2ed59db071c95fe4c166ce23fa1f0f8b25a01d35376a0cdf1ac0780fbe608e9926deeeb3f43e543e8253ba3ea96d8a3490e5a14ca89c9566154cd9c2d76

C:\Users\Admin\AppData\Local\Temp\OUQi.exe

MD5 deb1886459691ffe5c0d15da988147d1
SHA1 716e6d5e4e76edc5b485451922ef65d4bedf5a68
SHA256 eaec101745db25b6e1ce132a3baac898880b2a9acf2fed87069f339334580f48
SHA512 f3668d04920bf6643b5bf05ccb7922ca7b4ee6c93557a6676e6cf9a56f91c734e442008b8685e4e7aec34421809314d1d098f8eda6a0526dd661f8778aa552ee

C:\Users\Admin\AppData\Local\Temp\MkQm.exe

MD5 5fe0f8efb5c95fa7c90d2c8e6e508758
SHA1 38e75bf0faefed12a0d654775e72771f422e76ce
SHA256 0c5e099d42b9cfa9095a72fe0bee966fa25961ea8cc1b6a0e8cf609f35ec7696
SHA512 35fc1f4e3be6b7800af7cc5f88d5fbe7ae8d075db8107246098089eaeb4e9c4ff72caef6c81a1a670166031f49dc9e1e4e2597fddc69bb069fd25abb9881cbf1

C:\Users\Admin\AppData\Local\Temp\IsMe.exe

MD5 e9db6e2c18edd60c33158cd640a773f5
SHA1 2e2230782040376724fbb61b42f1bf7461097e16
SHA256 70914b431b85343981992badf9937383b07ab7eb44cac5905a95a07a2fadc71d
SHA512 dd5bcf9a9f2b55976021fae9e230a6b5c522916c097fe0bae62da139a2a16add86ae335b179aeca32e794bf2048d3ea4a2ddef606f1a4b7bd6a88b8af8543d83

C:\Users\Admin\AppData\Local\Temp\Cwow.exe

MD5 a1829c1561e98693124787b7f2968663
SHA1 77e09bbc01b85e6b0faa3a03f56823b9278db2d6
SHA256 edcbef4be5cc252f4e28b996b6082ed05861dc190a004d0f80420828f6446879
SHA512 9a654cea6db8363db7335e9f008065b056370bc7a0bfb300f415bff607a3f33232032f8ea5e182d2d316c3a664a07732bdb728fd1983ee574e0b7570ead89593

C:\Users\Admin\AppData\Local\Temp\eQMi.exe

MD5 2026873f7f17f9e7d619c6bc5837aa94
SHA1 711f6153da5bfd9d1b697d6577b692c65597001f
SHA256 d696f6ecc95a225f4bd8dbb193dc4fdd118a3b453a0b19948d92e734876450e0
SHA512 e507bfce05f17cbd91044e794419cbacd63e84b73272981c396dda00b8f322be6f766ca0ef99c3adce44c1de45300edda1827e0bf44a398d965aec48b9b9ed83

C:\Users\Admin\AppData\Local\Temp\ucce.exe

MD5 380276e138b20d1e7b26207057905966
SHA1 4fe92932172070bdfcffbcb91354374141d99863
SHA256 d7ea994f4c0179ccae09cd8ba5890603bf1382b2390c15c170ba6fb67aa091c7
SHA512 1270d14c398103ede9db3e7cd3d70f9630c9ba08c47e74086c5e70676c0c08e05eb9b2cac02c28b07b01171b45fe0e38a3573198078c39910c2f84c239993733

C:\Users\Admin\AppData\Local\Temp\cYYO.exe

MD5 b57cd0dac3cea3fe57156a7b94eed108
SHA1 d58b0104ee2f33e3ef0ec89514a91dbe6df7ab13
SHA256 088be4c21775378a4562e47c1f116d879b4900c22716ee413a0a2da67093c4c0
SHA512 a005f745fbf71e0e6e801d1ec544ab3a4d6646be764c4b03311df822f96d8b53101593594da9e2c2d8cebda9c7c0f0344274e7130251147a232dfd7572b2757a

C:\Users\Admin\AppData\Local\Temp\WAgwAskM.bat

MD5 fb6dab3045ac042a3fbfcfee915651d6
SHA1 3bc329fe1e81640a0c04c61ca42f129969ff0b34
SHA256 fc904ea3c3cc4eb5bee1397043302e94ec604609394589d09db56a10dfaf8db4
SHA512 45dc0edd8c0fe24c4e593bf91f139fd7980de06a5002397cd49c097de9cd7ddde8189cab9400ab1a2e33b012b8ab8980b4b267bee4949b6f63b40f3f2c56c865

C:\Users\Admin\AppData\Local\Temp\uIMU.exe

MD5 3229a8807a0e357c9c128a2e381c8303
SHA1 175d82d80aed35ce0d92c1ef5c19e37c5ad55196
SHA256 758c152601b14da4eedf9bcc5722855f054776523196377198a61c351da4e797
SHA512 c5129301793f28acafa4e076c61fa763eebb9247e88c7ba3428904d7ecbc2a8c80eefa88e0fd93203e34471d2ce9fcda63a4c0ed072a4cd94d969b90588806e6

C:\Users\Admin\AppData\Local\Temp\swgA.exe

MD5 9f159c59f8ef0076882f717cfbddc8fc
SHA1 5648a687a720106c8663829ee0d1392686f46064
SHA256 22a319d47220428e72c815686e71856d7a6580543c3ab09e3a684dc6738faf2e
SHA512 d3d3e4adfd227326116a9139d343b21babf3aa3b25760947f0af493a27a4cf46141373960920324b82ef84f53e475f6a1dbed5b90bda8560162e9d3e0e661270

C:\Users\Admin\AppData\Local\Temp\CAIy.exe

MD5 a5fa335a8826b46aea234595d96a42e0
SHA1 ca837f8d955e2829fd0ece2a953733008c030825
SHA256 798c5052fad0d054c9eab006de494b03ed69cdf639e27c543611f480806760ed
SHA512 5dea6ee0ade16f9bb5eb080f98e3e5ab0d0c3601383ea658707fd222a87289198255b24a4b6960963931e92127131547523db0f75c6963e6d5eb60a9a271f778

C:\Users\Admin\AppData\Local\Temp\wIMw.exe

MD5 a83d185a443e2cc5160e0257408d99f1
SHA1 f42e0562284dd24d245fd9548454270b51550433
SHA256 5330163856e1748b172b2b5d018e0a2bcb1dad01e907e9e7744ffa86cf6c6d29
SHA512 c356ec9967e20b82d95e3cbf43dd535f8112263568c99a867c88a0ef2ef0e681507752bb0f3f362bf354580422c9c77a29a282abf2923e63e5ee7c5a23259d20

C:\Users\Admin\AppData\Local\Temp\UgUG.exe

MD5 258f91af3d433f0bf894d0880543f5a7
SHA1 def4ec62bb27ca7d36f63b897631e7c06189ad68
SHA256 7333e7557289ef565650f498fd88291846a4e400100902dd2a579bee7a880242
SHA512 a47a60d460ecdfa3b52bb4996ebe1750aaff58d76c292ecf211e45fec4d76252616f25f125b000cfbc5b24b2ef7395cac197de080d3ed7185109d5baffa30fd0

C:\Users\Admin\AppData\Local\Temp\isoi.exe

MD5 8f570ce5dbec1b5f7b37cc4f92147eb0
SHA1 0ad0c0f48fb4b922631c03a00c4f8f587e48cded
SHA256 9aa4285200c148a079e3f30c94493243dbdff7f92ee498c79dd9fefb7f105b5f
SHA512 6061c0eb28bb7d077768be6e9827e50fd21df0caaac64c95b5d96570092f3ba5313b2e9168bc39f3e64156b3850a8c29d67762e2bdc4945acd46e8a2f44759a5

C:\Users\Admin\AppData\Local\Temp\qAIS.exe

MD5 465e5ac9d271d3ab995d300ad7ee6559
SHA1 24d9da1df103e610906f3735eaa5d778dcbb62c3
SHA256 fee62a58f6889a72fb04b1d1fa3453fdea609873df8b20946d40ae4f5b1184c2
SHA512 848a68b16f53c3a8046bac02ab6390bedef49a03b3bd1596fab29fc9f38fb3283ecae16a1b6c897cacde250d9d44d800f9eeac73474d4d368acd0f655f969aa1

C:\Users\Admin\AppData\Local\Temp\RUIQAowE.bat

MD5 5dacf64d428924c97dbf2ee4bc75b8ba
SHA1 5bccbaac1924ed16d1ff699063e08630b2d9cb59
SHA256 bae4751d1a351e5d96950e610d4321d042fc1d5645d17ca0420403dee619b24d
SHA512 a46a89a2479c06651361b643485263c0da2429b098c224c41d2eb9bae0947f24c62a64fc943ec4e3fb228e43539714813a67afbce689f27d8e37462d218841b2

C:\Users\Admin\AppData\Local\Temp\ucMM.exe

MD5 9a7f173895b7c1785ded05cb91648ba6
SHA1 d324582c49a9226e78a9376df639925850125ccf
SHA256 b258c6f6d890b3208f99bb49daee3e65edfac542a2f6b5699c07a35f7712daa2
SHA512 5890026cdcf787f017fff7ed4644b93bd227985f86178d5493a1b01b4655d9613061a750a5c4eb491429305a1bc1a164c03508808346ae2c6336e4b50632c719

C:\Users\Admin\AppData\Local\Temp\ksMI.exe

MD5 3a587bc63ae45e0fcab0d3bf015344de
SHA1 85aa4fbc389da65eb5c15f4bd6434c335c3b605b
SHA256 5bd373506169995332af0ae345fa48943add83a5a502ab43290c54218a639df9
SHA512 362695f2d22ff15c038ee935a7565a23f8630dc46639fcbb5a362f7d4a1f2eac47ab686eb1978c2cab31c6bb6da3dd77ec75d3e0b679a948a849171d6941a124

C:\Users\Admin\AppData\Local\Temp\sQIc.exe

MD5 9f6f582dbafd046f5414d8d440f97ad5
SHA1 2b9ea99de02fdb1bacfaf6d34d761ad155a2fce4
SHA256 81bed3020d7f02efbc23d015aaa6baec6c2dfcdf0ea1c1f08cb9973f7b8daad1
SHA512 8b4577f26f19dd98f4638d837fc6e8b5cc553a148721ef24c6375cd206c613bf3010e956e1f4088fee9758cfad78e55e91dd0d39a63a9dead676f44605cf0981

C:\Users\Admin\AppData\Local\Temp\sQoO.exe

MD5 bd7686f16d7e00e7597952dc94301469
SHA1 1e6733a58a963245cb98c2677f4ee91de48469f2
SHA256 8c3dcebbde82d1e836742679fda4bf5a2ea20f766e23c633ead5d9f3d5402990
SHA512 49a8e6f5f3c97d42cb8a922ff0694948ab4b8c3fe561e2a10849f21e82d8ba46ef168021280ac7dc1e37a8748aa8648f21360810eec1191dc17f82ebced4cb49

C:\Users\Admin\AppData\Local\Temp\ZgkUcgAY.bat

MD5 666d6d55131c5a7dea390c1fd3ce8259
SHA1 c0fa4bef6d601447716a3af0c35f0bdeb2179bbe
SHA256 3983966e2b293976bbcfeb8842edff125e82d07839d494b14c8c2a26b4ed1c97
SHA512 baab951d3dfd7a6ca7bcf7d6f77d79bae92342cb5a2587f0d3498dd4b91c7ce456e9236f7c211f4d9341595f84db69e053e2d812d47af4e2ac10c765f223bf5d

C:\Users\Admin\AppData\Local\Temp\Awso.exe

MD5 17db3a7cd2228cd176e5d5e150220f29
SHA1 400f415b0263e6b7b5332a7a87738f93dc84ab25
SHA256 baf9fa1274bb63a003c9aa78cd970995ed483d597fdccd22c338fc5396d80798
SHA512 8074f30fdab210bf9de46930a065be46362cbc51cebaa6a33e8f23886ad8994c7873b8d11c03f94d8b876b2ee5ed69b6a03f5154178b858f0ee4452a7c40757c

C:\Users\Admin\AppData\Local\Temp\MgEe.exe

MD5 c20f3ac048282669337ed5c2926309f4
SHA1 0109a9c9422b3c58eac93c4119a2f1acd219e5bb
SHA256 09f0c5da2e1137195aa84097e07ce4cf7277bb00cbf070f57b02f341b518eff5
SHA512 dbada33a7ffad3e5a910371a54a7bd0cf003811a16f5cae259aef25ffa061e5540abdb0a97688154ad2d4e14e32851948f4e6d5ff05ca1c439dc35b9feb2694f

C:\Users\Admin\AppData\Local\Temp\aAga.exe

MD5 403ac20a079a5e94902600b3e0e11baa
SHA1 a0986c8e17ceb5445b1f7a0e36b7759a447479e9
SHA256 6c9f63308e2b2777dbc127c551e99a78e9b7154f5e054822794e90415958a833
SHA512 a93c66df80dfa4dea1a0b9c1394dacb8c4377a3cadb05c81f8b169df2ff37252d6894cdc8775184f764d09f07a9200ec0db2eb99b47b59501dba72f8b4a3ae7f

C:\Users\Admin\AppData\Local\Temp\sUMK.exe

MD5 a737b73e7d73e5e774be9ad7016704fc
SHA1 bf8f4521fa3bfd0b42c88e84ecef484ec233ab93
SHA256 f4ceafd1a6287508b6a93ed7872df272cf80fe6dbbc295cf0ef537b8dc32414f
SHA512 8396fe7476d21ba30917c88147d273247c5685287daa54b38ed9777b14ddab7bc29d6f4656e1c9102447f70a04d78ecad48414d299e1bca72a557d5bde5e17ca

memory/2564-1562-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iooo.exe

MD5 80992350963e338469a6a98bf3d718b9
SHA1 1a01ccf92e8594da19563a656088219b481aa0fd
SHA256 47ecf1b098aeaef05b46c7eb5b8ab99c9735cc97e6c574dcf92a572fd96588bb
SHA512 1c793c38fb5949db42b5e49d177c2beb613b4a72f765a4889cdcf792ea37a1894f4d936b0d4a821ec9567dca4c34b351d834c2c18ea4527b6cd5836baee3d812

C:\Users\Admin\AppData\Local\Temp\wMAQ.exe

MD5 01486c4835a44d1fd6ab5ff956db6d39
SHA1 9fde8942ac9ab7346469ad3ee91cee3a09a5e933
SHA256 c8c002d3db5c79d17282c7c4f3d8879f5ff9b6cb044ce6dd11849109e2eb24ac
SHA512 4125e0cc59decb2bc5ed320fe54731c55f209b4f98adee1f7c0978f670800e7c7502064ad2ff3ed14c0b65c0b6bf0be2ef9bfe2448298ef21274ac96e888d5d7

C:\Users\Admin\Desktop\RenameRevoke.rar.exe

MD5 7ec1214eb69e6dc3245a9f54b04195bd
SHA1 c0ae4575d1a4d826d65d6b10cb89ab6e79f7c016
SHA256 774b1256c08ad4a865247072b77ab9022823d287d2d02e4572786bbac8d9e0cc
SHA512 7ebf2f1a47d3885528d382e94b7f08c4dee73c15206840da5c37732c4b7c952283d792f0306017a6e61effeef945bf9ae6bb2e9609f2a1412761309402e0e76e

C:\Users\Admin\AppData\Local\Temp\ywMA.exe

MD5 46c9682b5ce800639f01b0e92ed43514
SHA1 e93d07f7084d5bc62ee2d578e1bb5b281ce428e2
SHA256 628fac3d977f1dadb4f814ddf09b169715462526f6faea86505b5d996fee022c
SHA512 a0b22e20aa4cfb9408ee8f964d5f6156b78e70d7bf717abdcf4b6cc51a1e4b938893f9f1478181b9f7cd11f7c067da4675d579775e356004405e81afc4a737b8

C:\Users\Admin\AppData\Local\Temp\sMcW.exe

MD5 c48745f22633a91db1cb52bcfd09a9c9
SHA1 fb3275be679086d6273d5e799c422d8230aca73e
SHA256 677f4573f5b183728063d509efde5036032997dc82c77e943efefd7cee5608a8
SHA512 9352aa8b187797311665c866d361220cc6924a2bb45448e40e18a6bd393540804ccb2fbf769746cdaffd94b2f9952c50043f5a0bee322609d13f8d7e38d4a6b5

C:\Users\Admin\AppData\Local\Temp\Ugow.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\iscm.exe

MD5 17490e0ff68939958735a6db55296906
SHA1 e0829ccfaca6c13ce7f4e3d7ddaef76dbf905c60
SHA256 404764978e1e21309ac16fdd874a8e41b747630ede0a5fa937e04c7d8bf6b5a8
SHA512 d6528fe2965f4a865e4de0a3f3505a4433992b083cd01276d495bacd6dc47ee58f2acf47e709ccd241a27980a9adf1c0e02447fa8842d1487dc49c811f930b9e

C:\Users\Admin\AppData\Local\Temp\UUAAwgAY.bat

MD5 89ed26a6c5738540a5f15f05564b1600
SHA1 eb09aef38be1f5a4bcdc76f3a6f85b556b01fcfa
SHA256 6a39de31ff911668c335e75ce0e68998708277e14e23a4f50dae61f69c8160e0
SHA512 056ebac872c10af7057371c23393d714985d68b71c9fd08f797c2c022ac1c504435589e907967e0c2c32e5a892586529660e1d918cd090fd8020529fe7bfba28

C:\Users\Admin\AppData\Local\Temp\EoMg.exe

MD5 b3bf95de7ad9481621528788a0dcf062
SHA1 5d122092059410a1b5a5f026bf74c18ca3aa147a
SHA256 dd72f0188940fa90977722d68f03575ac77ba9a005bbf89537cbf854a18232fb
SHA512 705a0a28762c7f4adae7a4e0f2832b180e1803fbb0692380ba44e0b10b2ac1c8593357155b5a51b63270c6bf816e0ac44fd70770f82fc5d3a3d8f9eee522b910

C:\Users\Admin\AppData\Local\Temp\cgIU.exe

MD5 d17fc9617cdb5f36341332fe63f4bb75
SHA1 8f3cc3ae19bcfe7bd9237324bd42f62c0f1c3978
SHA256 1d7c0a76f9e7128a77fdcde83d94f982e4c1685cf442f2ef3bd0519a48c71414
SHA512 ae3eb697787b3cc108a5364314e9ea36a72fd4ef8b1caf23bfd5c37d2d0f887eed92fe0c2a9bd264f43741e1d262d76d1ad9c9c3cbf2cd50f5a0ab9e77aa072c

C:\Users\Admin\AppData\Local\Temp\sIsg.exe

MD5 995098ac876479fef9a152891c4ed954
SHA1 c9efb45f82d0c75dfbf69a7f8c1dc3cc2aaf1bc0
SHA256 2e53d8c43f640cdde67016177685e0cc87ef3fee0ab684e5164433771c1bf654
SHA512 04dc6e933a767f3f09744d84d5cbc3e4c80f1c75c069376d3c117e35b38705cfd6554a45902f68c794f7e9f6d0b37843a2c9e94154d4e3950f53b99ffb06152d

C:\Users\Admin\AppData\Local\Temp\eIIE.exe

MD5 fa4937b6a49ccb1470287d753e91e000
SHA1 a6035e8076824814bb312a4a6f02c25807282e31
SHA256 bdab6a9d657473d34c2bce59d5525da8c18ec8c2ff947ed1e0e21865e16bb94b
SHA512 dff56df6ba3e4054b42d884f121f62b99128672fae1308c2ce8a37aebec3d732b78785f668a808ddc75fab2557c4d6ee18ea1b1db715f7431b9e30886ada8c91

C:\Users\Admin\AppData\Local\Temp\YggC.exe

MD5 6ac43ec4bf53be13304cec452d4cf6fe
SHA1 01b86d679432fef147dbbb0542aee8631768638b
SHA256 2ed9464faea06bf802f663d531cacb5551feb2732ffe173bfe29c6781b91a3b1
SHA512 4685433e5d1184058297fa9d1a0edb737a399df564fc9a21e2bdb014948cc69ce926f03b75ebc8da5696cfea29f3ea7b612c10505721ffb9337ece6a6aeb5973

C:\Users\Admin\AppData\Local\Temp\oIQO.exe

MD5 495db058df21c8d26210285b50f69924
SHA1 6e81f3967cbac0d7f46bafe2e329ede6068bfc0f
SHA256 ac2ead57432e35c2b4b90b6c60e6fe9ed10a77b7fc86985b1b21b92f93caf4eb
SHA512 0664013e7f7d3bac28a41ddb69d5f044833e8e28dc196a48ea822b4212e416d39437a33af9e675a2463edb8735419dcdef1e10050c04d006de4fd541b4c8b041

C:\Users\Admin\AppData\Local\Temp\QAUQ.exe

MD5 8c19be17963665b9293dd5d75d128b9a
SHA1 da560bb81bbaa0e730363c094e529f75db608778
SHA256 392c16cfdad10f63757f5126390fd0d0e9963ab1b7e4904d38707d84352741a3
SHA512 97189c20c7f34d8a3c72919f1dd39d011b90b0da3e9b4c9ef4fdb012e2ddb14e76d76cd7c1a6dceb8e2554954b97cfd5df65c04c13021e00f8b28d45457aec1e

C:\Users\Admin\AppData\Local\Temp\gUMs.exe

MD5 bd3a86ff3213cb1c67d1fa9d9e2f0c54
SHA1 1159206349c6a942492765d1d816a90193a9fc6b
SHA256 7c330f05379a5a64647f1afd75f87ed14b6b8ec65de408f6668b63082ad91ee9
SHA512 84c5e2ee6fc601123c8e5b1acac2a9b115c1de0efabd0753daac8726b3a3f18cc5823ec5f814d31386061c53e0e6432733d40c7d63681cd7172f4d9c313ccffe

C:\Users\Admin\AppData\Local\Temp\WagwgoII.bat

MD5 9dce764f25b89c38ced629eaae5dbdd5
SHA1 a3c9f8f8fed7931b2f8c2918f7ededa219cae9fe
SHA256 c094792b52b87aee1db5dafba629a2ca54d3a71068f3fc3b11af0214f437e973
SHA512 1865d0cfd86bbc5b3cb48472bf36ea13a8351166e2398c6a89dbe0dea0de88d659c52f2a7c8a2f870f01f4961fe187b4de81f21ba64cf50c3bb61a2d0792a859

C:\Users\Admin\AppData\Local\Temp\cwEA.exe

MD5 2109d2fb66e77e0457ded20d4126a5f4
SHA1 f6069102562556fbdddaa7bec27054d77a0571b6
SHA256 b4b3d9717cba80308debda2dddd86016d4047bdc49ed6b1d656f6ddecb1ded82
SHA512 babc1efc1f9eeecafa83f34ffbe79357d443ff00ea4b3acfa481731a7fd09cd45569a93fb2239252e1a18d86410c1bef9c1d1649daa09a976f5e76b1413718dc

C:\Users\Admin\AppData\Local\Temp\gwoA.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\oUAEMgIY.bat

MD5 1c753cb3bd0b2a444693fb2e46a7f5d2
SHA1 baa471a929368ba0540e0f8fecb59c36dd00ad81
SHA256 5c96050c020a40b2ad218ed5413d59444fa249d8be33cc9fedf3f61190497596
SHA512 033f0e6f3f74b58982d1c9d896d5d039f5d4f1dbc139368b36067b0d1f6ab2569c6dd867ccc3683d875a066ec34dd20d9e0d3f7fcd0dba366b7fd2564e768509

C:\Users\Admin\AppData\Local\Temp\MQIe.exe

MD5 e1281b7e80686dba49d57bf26ff7ac06
SHA1 2f3d026383828d6c92130493a72b90a6150952c9
SHA256 fed4a1ac3db19eb9fed38cc99653c0bc68a01589ae9384b506e984493c3dca51
SHA512 6ef9727c86201b27896100b997101aa008fa89029d57665f22e80383b61dce4a5963cb2ca846becf093df7da252dafe56b0591ab3abdf73ee6784d0d40d060d4

C:\Users\Admin\Desktop\SaveImport.xlsm.exe

MD5 34318deaa75497843fa8f83458047071
SHA1 b75e5fc42e47a8014a7758b382c848083ca35f06
SHA256 9369d3e9205daad3c61b6ae7a3fc5fcf632a0a4bb5f8a62b8a3622d7488569cd
SHA512 3bd65c30dca984727c85ebb7a78c909381d5b35b2afe9912d88413af71f2a526f89c9a4ae90a577994f0cc68ce47eba5ea1947b998102ff7d17e9c5a2e4d1478

C:\Users\Admin\AppData\Local\Temp\aQgE.exe

MD5 7c892eb21036ab40d9a22b63a4bf40bb
SHA1 d2b45d08160c68351f524d8852e06e594414f7eb
SHA256 1ddd1b9f54cbe9ae8a50cab9d0b905b79e72befcbc8d91b8735a8d8165accabc
SHA512 e0709a65159c598d6fefca4b79be61a8f31b82005c78ba4d853c20cfe99029a47c982e62c93de9e4a5aa651a92641df1ac7febbdbeae8f4ef4f872353b98c6df

C:\Users\Admin\AppData\Local\Temp\UQQe.exe

MD5 24e92c4f01b4fd385f4083dc9ae5d118
SHA1 bfcdeef4e818c8c88c47a196a91b09ee7060a067
SHA256 560f35718d8c91ad5471453be9eb7eb09526c9bad80069412161e8d02cc18e13
SHA512 1dd6fdf64bb715e64fd031561a0b0003590308c52b75eb2fa458e3d99321c0b3f9aeab0405d50e6dfb6126833a969fa5a792ebc499eff3527ec8bf6ebd274703

C:\Users\Admin\AppData\Local\Temp\cQIS.exe

MD5 2cc8aa0d59ffad09a9ff41a0c8184b6a
SHA1 7cbba21caeff4f495bb241418bddd535de88e415
SHA256 7d5be568fef3fb2bdd9caeda33e728d4c5e263e702b42c810b4da49015a568c7
SHA512 14aa3389161df7e9c73f3c18958560df350b4017f6748f273c020b80a5302e0dc3558b79388259d7c4e8b946fe61e825cf4812049837acc3e7590043e57aac40

C:\Users\Admin\AppData\Local\Temp\FOEUcgIY.bat

MD5 15badf3110c4f7971a75d092426c300c
SHA1 d9fd8765b5929790d8153c1975cb0ca35b34881c
SHA256 87aec5210905a86d16d359de1b168d23fa2eec9ce28e19539466873247dbe6db
SHA512 cfc83d979e59cba90a86a9f2c9c7d6fd1a5af3f385d27783e9fee1b4b8b3adc10860993198e03dda28148f90778245be168ccd7ce25bee25ab4f4f4755461255

C:\Users\Admin\AppData\Local\Temp\Ikoo.exe

MD5 aaf0bce4c231b647e66837e6c30f733f
SHA1 ed58a7b51f2f10940bf4d9bbc2140369e9714072
SHA256 b4e92b253da238db44fac6b9d1888d3220c5f2524d28f177414ae4ea743dc11c
SHA512 5bf0781113f55fe5554c71fb6d0d4bf50bf8434b72aa095c7f36c248ffa108a8181b9060030c41e9c15cbb436278236b8f65a4439964aa42e246ef3f0665a972

C:\Users\Admin\AppData\Local\Temp\sQga.exe

MD5 e88ffd390dc041b12ad320fbb26f5a98
SHA1 2b0770408e2c08208e5974c83302ce4995ae07ae
SHA256 1c003c5ad8783ae3a442efb50dd7690e673c26d503a2e960cadbf2778dd83e3d
SHA512 701a64a25223375f39ee75317c7038cb195c8a30a6e1baee38e2c15b8a092bc44c04ca09ad58cec7957173d1bfd1a3378538e6e75a49a9bc06c2a5ed761fa219

C:\Users\Admin\AppData\Local\Temp\SEQw.ico

MD5 9848e0173c8ca1325db2a20b2d8bff21
SHA1 c4cff05a5b4bc7cb1dd687e799a6a12d7058f9b1
SHA256 8018e3bb08def89f0d13393e54e6b9a8c6e3cdbbb7b9f0b7f49cf228703f9b00
SHA512 967d1d3a57b7dac2a5e413f6972278938d7bbab192754498e50d5803b8d7370d48c9ec89938f4d11395c0ae518aa48192143b8621c665eaf1bcdebbbd53caec1

C:\Users\Admin\AppData\Local\Temp\fIkEMQAc.bat

MD5 15bcb7cba979661527f49f8a27624cf3
SHA1 0792cfc473080ed2e650d2255e8d419399569c24
SHA256 f05baf1c8deac26e7b1766374b188f10595f5456fb9b5f18ea932a2c0b166acc
SHA512 14a71b346be93794bf9babd11b35ef468109f0495ee820269e4d1129d9d1a9fd3e0f9bfca6eae8a3307581f202538210262ff70a47b940e9e8f7e72695478cf2

C:\Users\Admin\AppData\Local\Temp\esUO.exe

MD5 d48daa888f3c583c4af4ae9db781f2ba
SHA1 475fe3844f4f68813b95ec6851f6a3e0a429b4e1
SHA256 ec88d3bd58b72742255792051f54572998826b155ae961d687eb0829f66737e2
SHA512 ffb592505fd4b32377e9bf721f3d32eb667be6df88f61e6f13605dafa0ab116b7fdd7c56fdfbea8445bc4f2dcae14f41de4407888fa5b72594c0626296ff2771

C:\Users\Admin\AppData\Local\Temp\yQUs.exe

MD5 9deb21b4498f8c8079e37d10cf9becd5
SHA1 8cf73c20331c6de733a7a21eb1a1a69343b8fac7
SHA256 a2cac384593fa751bf0e0d796b011198a410e65531b946acd73a56c78c969881
SHA512 39c67011d4115a40e4c52f7bc2f4b2ff050be5a36fb16accd102f7bbdae556ccdb38339e78795c75682446583655f896b723241338d3b1377b4a485362c13810

C:\Users\Admin\AppData\Local\Temp\ucgs.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\GEku.exe

MD5 b85789976b996ed0853449e97f0779f9
SHA1 c0f1e1f75f2a14ce70179f1236efe5cd89b4accb
SHA256 b2d61e79a386881ee445de47c647eba693419fd2d9a22bf5a41c08e87e7672b9
SHA512 4cf12244214a8f317fbb024c14144c43e5be2e44662e982f44748f3d8f853aceab84f89a024fb81dbbcd36dd028b7669f1a3e41df26f2199beb99a9b607d2809

C:\Users\Admin\AppData\Local\Temp\aQUa.exe

MD5 97f7878b6971ce603863d9848eee63c2
SHA1 956bef7fa5ad2b83084680c6b60d02df4481bd3c
SHA256 5fb662a3eeedb788a21cd87b0beeab3fc7416f5df3de5fd1bcca895219d536f7
SHA512 4c0723f938993efdd790448bb232bcdc69b2fb6504d720e2c8e25b9f21ca9954a8abdc72c523adadb9d333841e50efc838c06eaea3373c7c4fc08ed715bf7946

C:\Users\Admin\AppData\Local\Temp\MUgE.exe

MD5 1ac68bf43d0a80aa99b2cc1923e0daa3
SHA1 a85ad7e33d28b97bda43b1f69b2d6f2f88752f51
SHA256 14f0101c17320ae2d47dbadab0f613fd18198e222e5745497249fdce29e46779
SHA512 c4badd56045e124c218f64ee690af940ac59d20a1271746293bfa5b927d146bf2b3769c99fcbd6ffc855e712f22d1907df8f26cf4274713d60471751ecc361c3

C:\Users\Admin\AppData\Local\Temp\EUIW.exe

MD5 fcd20fd5c60aee0d03ecca31375a4fe6
SHA1 f07d9d6d772a3b1114bc6f5bb51e1edf81d3cabc
SHA256 39f97f36d0bdb325f39ee853cdd90d2bd582a2e02402f6e165d19d7c2e7a0109
SHA512 d04c176a702a1d4802d271207b2c26b8c56c4c69dfa3e7828fdd113c52f711e6c66176c7b88a9238aa86fe2b15fb1a82128cbd79de49f275a5d84b1aa9cb3458

C:\Users\Admin\AppData\Local\Temp\MEIA.exe

MD5 bbcd6dacf0a3c277acc4c57d9ee390da
SHA1 ce6e4cf595af843f5e12550b067800eb8c7bccdf
SHA256 5bdb7678cb2bfc5837518c79826b597de2c110e4c8e6c3b9df3cfc91864c4aff
SHA512 a53fdf3d16ea645dae03e123b9de99b9b2d85481cfe548b6467f3f5099320e46a323a3ddf7c09e803d21078de98b84825093158e347261f0c72fc777afd55a11

C:\Users\Admin\AppData\Local\Temp\wEEA.exe

MD5 ce3c2642cc911b29a4ff2f06bab223ad
SHA1 251adb68bddc547329ecef6a46c161a7f3e247c3
SHA256 e3acd06fbb516c10e69bb17233af6092e479fdb7107f69b5103eba1dfbe9a4f1
SHA512 1c62f29ab8db8380966cd7d8d9abc81260accee62987b8f5923c251f953f4e7977a2440ac6fb75009deb7346d8674e92045f59993c25433b3157fbbb67678d79

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 fc0ccdfe1fe0e1f7c5bfc852180947b0
SHA1 c6c4d815c3e2c249047e75a4ce7850a8e295b2d9
SHA256 0b63554a6e5fdb083fba9d8af0c4e2812836c9f85d0db15acdcfbd0eef1ee6e7
SHA512 a298f114e09736f97fed229356982d008a5cdfc566c41f72fea6a07c85a3990a13560ddfaaec1a0df502341a9497346b98a5b4003c77043e1e39f2dbec268a24

C:\Users\Admin\AppData\Local\Temp\woEo.exe

MD5 108a6c14eae72d6ab3cf3b178142f9f8
SHA1 8f55b8b4cb9841a1e2419bf1dc439a086b676d8f
SHA256 e9449f5ac6a223a42f9118ab091ac043ca485b7c877effccdfb0de47b24116f5
SHA512 f0bb27c50fb045b53eb24aca2ac571037f7adee0a01766f3c723f5de8c604f7e3ef88d062ac1bad9be98ceee6c7d9c095cd4e2b58965f4f40173e60bc14bede7

C:\Users\Admin\AppData\Local\Temp\eYMm.exe

MD5 8759c880b073265aadd4b9584df43fa6
SHA1 77cec8942adf57c69958ddb7d96fed6864e5bc1e
SHA256 7bd86ea5745f5d13a900960725a54dc5b51567045376bb7697bdcb8725d4e4b3
SHA512 1c633ff538ea0afcd9229032d087afc5b7705af7d440b6170ac3e1b3e7b10bcf80f733a63e75d25340c71692dcbc99ca5a3fa7ff5ca2fff6324e4c98e2c1d7cf

C:\Users\Admin\AppData\Local\Temp\ygMs.exe

MD5 7224f54601c2579f466780b3093d9ee7
SHA1 0210c5fb1da2f44d6fbfe2fdf191f69efcb1b706
SHA256 0fa2882831b013c7a12449dc3e24e0289aeb2e9cb1f7c15d39521a37df6ebd20
SHA512 b5c1424e3de906ae0b14bbfa414c0402fcb1a3c8f31421da0fff5a71595db68489f313f69979a7a0f6f9955102ff3b10abfb6ee180e319c2ddf5a8fde31482d0

C:\Users\Admin\AppData\Local\Temp\WcUE.exe

MD5 5ea0ee5abbef8ad2e76057d6e496c1d6
SHA1 53c2e824f5aaf10a5c1ed3c9f36f523ba0b9c9ce
SHA256 d70b4ad5c0852c7e724d21d2640ce4d9b65900baacf09fb6ee129b95a8a647bc
SHA512 ff910c273f7b5916ea9a164521ae9bce73e4e1a9cb5c892b70d2fe2996102aefde147f43a728438d24e89285a62e494befc86b9311961fe60dc636ead42854e8

C:\Users\Admin\AppData\Local\Temp\aoIq.exe

MD5 99ee375c6dd62c11e11f81018dea1520
SHA1 28125d54a7206b857063eb0a49f1208b1b5426c8
SHA256 bd0b8438a966a83004482c32bff3677f6644b2964e6618ccb8fc21ed26217cb5
SHA512 c73f6715e41ca9daf52807a7812aefd7b686f423d84ab2fb2682f3eebf3d3c0719721d5bdd012bff686a23d89a6a14941db29e22ffe7d1c9c5f59aa9c23024b6

C:\Users\Admin\AppData\Local\Temp\ccoU.exe

MD5 bae26a3860f1fd640c0ee5c66dd9d465
SHA1 555f2d7de311cfafbc7eb4a66554bf9806ed697f
SHA256 2db866f373f0ae8d1da9d8b55a87c41acda55d9f09d0fffc863437febab2f836
SHA512 8a32d0e4a1e23aedddb79ba79e0c9b0ea92d1d2cafc3802a1fd4546223ad2663b07f2e4cf1b2452d8471dbb4c9aa9ba93e763ac889cc141fe9036511cefe28e3

C:\Users\Admin\AppData\Local\Temp\wYEG.exe

MD5 2257775adef944fc84755353d43d88bf
SHA1 06453ab9347d54f45790f502b25c958e535dbb35
SHA256 06a1f17539a1d61b08499d12990b1670deba1be524d487681f9ff20db875b294
SHA512 3dc133c70b8bba648d26491aafaba5f95b86d803a5c0edcec94c33558f174cf720613064f202274615e18066733340127f310f9eb68aa5b3919cccc4a60b101b

C:\Users\Admin\AppData\Local\Temp\nkUogIIg.bat

MD5 96488cb1e104960c25059e5f61bf1019
SHA1 c7b43c9348b9da874c5c15e98c1b40ecbdf1d1c8
SHA256 2a5717f684ef755085951cc5e6eac0f828e7e54284f2dc10e7a73ed51a2802da
SHA512 18a56709e03bc3f6a2c8f79ab58060edb94c25cdbe8e3d02f6eb2b0fc86037e2680bdb674dd87f62fc362f36afca9ea6ab88ec06ee9fe5464e7b1795173f3c72

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 e7e506d8826d53c858aff8cd222c38c7
SHA1 4326ec2e56959e5f7d0821a3d10360ff76b7116f
SHA256 15333f04565c4a9dcb540bf1a080272d836c205d4c54e6bc28b47438e0d4f54e
SHA512 13954acb5ca374946747492ab26f09fbf46a0098145ab563b60b629493bfe3b69d1af9dc89f3619372ed2b1ce74922c8b1a2eebc1266e41acc5d79eb5b094b39

C:\Users\Admin\AppData\Local\Temp\UoQo.exe

MD5 6988a4c8652e2d9315f614a973b606be
SHA1 bc70650d763544681d414c4c224040c828d338c2
SHA256 6ac8221286424e331ec1781f5c65dffc64f9b79144a5982218692e596ae900ee
SHA512 5c4d9829d95b0723ac382ab8334be80a4f42d48a6e0144e6c53fd4f53fa483436b8978563c281b75cf9c910274d7f1a02fea5a72049e56406e614b072092d4a6

C:\Users\Admin\AppData\Local\Temp\iMoq.exe

MD5 172d02253e52cc5a0d7b8cb2d126d0e0
SHA1 98cbf312258296b9c035652eeacf08082bfbc48e
SHA256 80d256e059d805a8b448b57b901f1791a4b04ffb3666b1a3ec6eb108b8e4bce6
SHA512 4e83735798cf0ffb0d5811c6c74cdd188d02d2c6774b33626a2a2f4a3430dbe451fadb9753372394fabad87e764c2aa89f68c3d805867c2759406e0aa22f2fba

C:\Users\Admin\AppData\Local\Temp\cgsq.exe

MD5 57915681401336b7c26fa6fe42bbabbf
SHA1 eeaf171b332cd714189b7a7cd92c0d1c92529965
SHA256 ae5f81defa0686773b85a9c84098f6a791898ae53c7efddc3958c2669f1f6c09
SHA512 6b5ebee774831025e2b6db9280f6e9c5928c706c69d482b8ab8fac7cdc2127075f42a182918c9eabbcac154cf746fc5e45e54e461a15736680aacfeabdc3a023

C:\Users\Admin\AppData\Local\Temp\sEsa.exe

MD5 9bf35ee158909554fc6b48c43ea56279
SHA1 8f117a314ef455cbbb0fae71b4c129cffc4c5760
SHA256 07108bd9a53893de5a156f7ecc52fc3bc2e2bfabd203a19684941c2355539ed0
SHA512 63da60e217a2b9ca0cd8b2187e14e688389af9c0a3b0af44f8677e882179eb422335cdfd04350c77b13153b1a6ecde31e631eb91f79a94ecbcb65ac973eeb0a3

C:\Users\Admin\AppData\Local\Temp\wIIE.exe

MD5 e1a57a5e15601bc17fd7411dce3c43bd
SHA1 196cb65a661b8b10f894e46e09b23e89966e21fd
SHA256 96ff6c77595a41d9b9ab7ae62a1f791f3f0c1a295236b0aae0438d86f09b0124
SHA512 1c923a5fc886db8b70bf3560a4ac951e3e01710f5c8832732357bf448447d58393cca3c102c3064e15d713fc4267383aabd267a2c4bd6e9a2864cd79e76d988b

C:\Users\Admin\AppData\Local\Temp\OYYW.exe

MD5 1810ac2194a8f7e5cf02e7220baeaa16
SHA1 4b3850b091e492eb9aa2cfba552e3852f20691d9
SHA256 2e7c0f1f89d95cf8b87da1ae36ad005ddac7098492372db5cb83eeaaf9de9f99
SHA512 0e9a559b2e0de07955234881eb2ffaf58b80d8deecd7310160d65ff78b8a105b5602e37690c51164b2e526b748250d8cc2ca38584e415db0a6c8bceb78ef94c9

C:\Users\Admin\AppData\Local\Temp\gMkq.exe

MD5 7b056118a12990bc75363336cedaf055
SHA1 6c1b3fcd52ab1e512abeefe3027fbdde941cb97c
SHA256 3b27f6aa1c4140300f5e415e85e0e5ec3f898dc88274a63ce984049d5bf35c44
SHA512 f7a5a19d3c2529de570cee8938ac3a803cb7bdf8fd061e008bb577645caebfd9a8ecbebf457898901c274287861289252de0a3fc5f0c80f7cb4ec5fb89e4042d

C:\Users\Admin\AppData\Local\Temp\UYcM.exe

MD5 eeba28cad53715b52f1d76aa42490c87
SHA1 b413d242c9f37c0029b7d60c1865b4f3fa47f923
SHA256 1c9d8102f8979579a5fcb56d5a2ec3414d52a5c80ba57de855e5db544f2e450b
SHA512 d3db8bc71ea01f2677e255ef9c8b81a5479c7e77a7fd758bb927606c889a147aa3fd9dba97a89a618f2444b912a3fe6d551873f3f9c2a96c881bbe8270aa3350

C:\Users\Admin\AppData\Local\Temp\EYAK.exe

MD5 78e54d43499e2b44f430fffe4c17902d
SHA1 e1678fa8ee03837488560d2a5fab72894f4ced05
SHA256 9f437d1f8372e081adf6fc742419bed1cc9f70c61fd8f81990ea46fbfd8b7c90
SHA512 e1ed9787db81f7212894cf9812db5ebbe7aa5ba740100d5bfae7cd025b28cb0a4aa6a1016a114f4af72293215dc3b810d0e5657a01fedabd3bfbde2aa8bdb962

C:\Users\Admin\AppData\Local\Temp\nQkMQwMI.bat

MD5 bbe0146ce68d63c5ac0f83583d9a37a6
SHA1 52a2906070a633d5593d7071a689aa4bdaab591a
SHA256 25ffdd0572b126f1af4ce8a9e14a10a593fc545ae235e5036be2692bda6c1a08
SHA512 0623a38bfdb5ef57de11007120090a75121c1922962603059ad1298e7eee5e36ecb1564159f4b9ee116a8b6c6859bdce0ea34a5af988d22ef6b433a89851afdd

C:\Users\Admin\AppData\Local\Temp\iEYc.exe

MD5 97df05c7e6795a20cec18790c729025a
SHA1 3bd28a93a8b2c2057256cc9855a9868c8bd989c5
SHA256 020c2acfe63309d34fe004d1731854d159705f2a6cd19c3c8e64a5c43c48cc97
SHA512 53926452f871e3fb7e6741ecdcfc29619ef35e1c1350dc8d5cd9d126929a0972fca020f196f63ff00695c5beb055c0f7026a836ad25421d75908bee7e0913224

C:\Users\Admin\AppData\Local\Temp\kIoC.exe

MD5 bf8945ffb31dd5a8844b3c3b301d30ec
SHA1 5da291370eb712ee6264e84fa59e1f9e04101e75
SHA256 8cc9fe3d54be2146ae7324e416d2eebc40e9f2af1905bf9bd0775f295467479e
SHA512 7b4305215c54272eaae6a0fab1842b15ab9597d29fe7d1a44cf14f4c94b398f9458e307cdde229e731988a0d1789ae23bd269f2b9be0ffdfdd12a98ff75795e3

C:\Users\Admin\AppData\Local\Temp\Wwwi.exe

MD5 5458b9b96aab2d2881b2eed0a424be07
SHA1 b21abed8cf84daedc8a8c78cec8fd635336bebaa
SHA256 03c5017674d55b69ecbe3127bc221992b7ba20d5febb7b00424ba418947fbc45
SHA512 77829f14b31173b23c1d2d461157bbdba906c5380a5975b8ee408be38b79aee077c706670900a55a87b21282497aa25a7d90e12726e9063f355394e73425dfa4

C:\Users\Admin\AppData\Local\Temp\UQQs.exe

MD5 80126a1d94dfdfd63296154972c94710
SHA1 dc1a4f44bf778f1e02235f25340e1c3b9a2adfec
SHA256 4e42eaaeaff8749e8ea913844f8603c386adbf008174144c174b2e37895526ef
SHA512 705123ca518d915f6aadc2d094efdf4bc60b1501b19fa3e95a6405ae63efe0f9ddc9e94c6f330448ec3f1ed6846657a848575524132677644a1e190182bedd1e

C:\Users\Admin\AppData\Local\Temp\wsEy.exe

MD5 9441671053cb3b51d9f097df61d84c57
SHA1 0fd9e202885876c6a6bea31f022d9999e3426414
SHA256 7140beae67795d8f8cf0042aedf865b35e749574ddbd4d8afbd0083b550d9107
SHA512 717f4fc7733e87ac4b5399d5111d3a7e973286afb020b53f642a2f2dd6e077e2e763016f5223984aba22d51dcdce05f1760c19c6df57969fbee735c867f903f0

C:\Users\Admin\AppData\Local\Temp\EkUw.exe

MD5 46c4bc0ceb8327d550e9a6d40600a075
SHA1 333a509ef47f51bd0ddf3b56846118feae5442d1
SHA256 4a37f1f3c1ede5b457d614ab59641d14d24d08a4d1f9ed079a1d6684c01e8d53
SHA512 9eba45336e3482b0a16eb825f46cc19b45aebc8006f060459aa20f37444ae7b5b721899075d5afc4bfe64986680f564b0c59274d5dff757d8b2d43d5c88b24ef

C:\Users\Admin\AppData\Local\Temp\aMwy.exe

MD5 431cf850a930d3c8057e3c901537c228
SHA1 52a74ef3834675f764025c6d614ed64a3d93be03
SHA256 469baf25b3beed14ef96b2661fe95829b34f8108adc8a760959132f6db333a39
SHA512 e1268212cc48acdaa7fd6dd4e658a519eac39faa013cae672cb62646ba2c2043c878d4404db6863e107ce87ff0caf1f5c774212d470376b90a509151dc158854

C:\Users\Admin\AppData\Local\Temp\UEwY.exe

MD5 0be29d533bb3749507c37fb168c71ade
SHA1 43c8271581504613b2a4cace9946db4f7ff54534
SHA256 ec8d36198092d809a1c2b3aa464c478571e8cc6e8c2f689429fa022c82fde8ad
SHA512 f396db0497e132a71affb0c1ab55e267146db22f81eea433865a2cff27c8fcdc8523aa43c1ee767fbb7e7e7839f210984d9337f5be6eff2ebe4b346792ba4e71

C:\Users\Admin\AppData\Local\Temp\ysoS.exe

MD5 1e2648a2786bacfc1176065a2529be0d
SHA1 ef5702737a86badc26f3de92e4f97779e238e723
SHA256 326345b724d7536bc8311c37f7304c9a2da9a3bddc5a7752fe0a63fecdd15523
SHA512 640be6309655e335066be6c7b59c99b6d889523414eef536e47113434b51716593b36cac91c628869b49d3b0a6041a9156b8a0b5548f83675c7f1d57ed77544b

C:\Users\Admin\AppData\Local\Temp\mcEi.exe

MD5 9f1b9c2b22539e76e3eac3811b38ad9e
SHA1 1ecc399993c76d0443f8c1c65164dc3e45e93245
SHA256 3de3e23e9aa059fdd02d66c5fad4ad401deb4e98a053e6909c39d4bf8eadfb38
SHA512 3b14e942a206b7103d6320bbcfbfeb2807dfbceb8dab073fa178f5b15a1e88b937b1498e59daea9bb4b6731f66792481b18fb87c6f6d0b2eaa3f1a66dcf4b1f9

C:\Users\Admin\AppData\Local\Temp\aUwIIIAY.bat

MD5 d4324e52ad2366200f9581cc39675ea6
SHA1 44bc255b19cd89d596fe428dc5e9d572ef3a3470
SHA256 1ddea835fec30e2cb26b7100bc40f0d77648e5e917bdb34caa5f813a4efd3ac2
SHA512 be9575ff646f887989874dcb4fe076e7a3b9c9604f291f5c2939c760822348b3d78453c47ed3c0b8bc9f6c4a7eeb8b4d3b1d9aef054072f093f1892206ed51b6

C:\Users\Admin\AppData\Local\Temp\kEoS.exe

MD5 7a0ee98eb6a53738396b14a6161d0428
SHA1 b8ba143458dada78ff47f5d9f4d89d88e594cee6
SHA256 137d863dfc64d17a7260a36f4e77c65fd0bee7a881d87868cfea7de126f6f338
SHA512 94429129ee5714e94df5b8adb4fcf05c7586d7809c9659cacf6e12fb98abd587962af646c3e847a9b24b918ae09b323913d51ab536d0ca478b0f822ff4863be7

C:\Users\Admin\AppData\Local\Temp\GcIw.exe

MD5 b7a1bdc227ade56546516671345e012d
SHA1 0126fdf0f5d27a8333cdd2d0d94b3dba5c85e08f
SHA256 11a3c93b698db0a46b52ee8f4dc578d88631eddecf72bb80847b37d3d406e324
SHA512 34ca3b4181817a8503328d455f6e4be0a5e9a224760af0eeaee978834b0994f98360ba1b4cb0302cf6974a5504d5acd6ed8f05726be2c3d51e8c7183ea695cf5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 16a14a9e81e5bb6f198a348693e2a120
SHA1 3d41a05bb1eae0f667feafbed25ad6317f8704c7
SHA256 a8e6ab6812878f316a62495c9aa18833b1093fc19fad9564d22295f1f596e59e
SHA512 1c07b0bbb5eb10db87e7e15feb9d828443f6c62490b79e0a53af4744ac41e468fcdc7fdb794a559d678848db29d18d109daecdb26ac346ce19d2281f9c6283e4

C:\Users\Admin\AppData\Local\Temp\yQcQ.exe

MD5 6b148d5016e9720536022261c150a600
SHA1 9260edad5c3ea5f76102abae4818a4f9570389cf
SHA256 a3e76d81a7df182b0d9eb36177e1f034675d7e9a83aff38a9e9e5ffe4cb5e85b
SHA512 17b15df227f1da837ea537c5ca97a4fab08ff8184a33818671d0d77950e2c803c07617d4f9e33337346959cb8a1ddd1b4802c74c4cafd64b9e346f969e7d1d6d

C:\Users\Admin\AppData\Local\Temp\QYEc.exe

MD5 8ec3aa72f867dfa5f6cce783422688bb
SHA1 c83c89b811c4976b3b3491bca72813865db8b2af
SHA256 e35d8d17f238411d2ebc1299b5ef36f4ca00fdf2b2cb69939a3e50aa16232459
SHA512 06809ac8c6376087750a6d123bf2dd54bdf50dfea469f9bdb9a610b167c9b3516283fd3fc4be42b28cbfd1e4fd769e0302af5c82175e13f5f3caed81f6bb920a

C:\Users\Admin\AppData\Local\Temp\Qwoc.exe

MD5 02b1d249b27b25b6e3eb55327c4d2cbc
SHA1 ede87dfc0ab5ff76d5a40ee52967b763df985851
SHA256 45380c60be6b34bb043ebf3c5c9236fafaa293a3cc988d24214f19cee1ff909a
SHA512 230014d2da823eaa9a886079cf2febc90b28c43da703f00f97e7a942b909f716fee396fda54b094b219236f1b055427083b4b947a012479f13ff75af3308d139

C:\Users\Admin\AppData\Local\Temp\KQMk.exe

MD5 72d6f19ce36f6b7a42b2f1f161e06a2d
SHA1 b9cf04e809dcc30e13565a85d2cc5cc1238c3808
SHA256 65b971fc7cd7ccd1ae53444f8e6ca3b2814bbe9f70e57995824b183aaaa92ca7
SHA512 0646d101be77d35ca47fcf4935dc8bed9999b1165630450680ceba219755c6a6b96fec73cf1e7074b03159d274061768361a2c3d9f64cf48bee6f9205d8bdb2c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 aea96088e6e2d4a3564f33e439a3b03b
SHA1 fa7cefc35b5d698e59a9fa7b4bbb4fb945561f1f
SHA256 52f94fda6245b5470d1c274d3e854f58a63171e6b5036f09d920f3dc526ba9c9
SHA512 2e86f16bccac1267b7bb8b5bae7ebf836662afa32e4a95f3a4b299ff9a41f68b5d755104feaf3187490e5be13b7ce2247526bd1cc9d038ce1745105bf4337c01

C:\Users\Admin\AppData\Local\Temp\gGgQkEAQ.bat

MD5 43f68986784e808bd6109701a137bf6b
SHA1 232dac9b254cf8d9e0025446312b51c9819e8002
SHA256 54459d45298b01574ba15cf794ff0927ec56cb7b8d3cf620e7005a5d8da8b4f3
SHA512 bd2af27bc473db4fb9041551c43811c1b38d3a4a421f086386d6162b79f5665c066acece15d0522725a7ddeb595da8d5bc9d9b9727c28d80ee3676bfb9c52c28

C:\Users\Admin\AppData\Local\Temp\cQIK.exe

MD5 317f0099611deb035b63bfc66dbf4dac
SHA1 1b90ea84f474f0f581f1663c08210513a2962c9c
SHA256 09a7bad3df16209684a4a3a362bcce780ca5249637759d9cd14857032a6ce089
SHA512 e34ee1fe84265a15e2584fea48a1b89e31f5b9ce0533ce6eda1f7bfdba42da92fa50e6dc3c3b5b70f340e30388eda6a3fb00d1189b04dfbe70111d25d9fc0aa0

C:\Users\Admin\AppData\Local\Temp\IwkC.exe

MD5 c746f2fcf393e15e5357779c52b96069
SHA1 1e036a9db2fa66a9cfa3816a6dfab447271ce3e1
SHA256 9e906f14402df481ef8b74467baac7ab7e474c384841bfb5f28a12a8111821ec
SHA512 7601352d39cea86680470d0eb3285b1127b9267ebbe0cd0fc7f9d846ef3e154e28ced3e85b3b8002d19bad4d38e5c734b9b559e7051daab58c9e172e85fe63a7

C:\Users\Admin\AppData\Local\Temp\iGEY.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\nQEIcMoI.bat

MD5 28d225f7a99f52666d1d1ab1b52aa4f6
SHA1 9f04b9d0cbddf50e352280a93982e9cf5a472b7b
SHA256 d0c1fcb85b34f279ce86a4d7bedb802b619a3509a1eef104744ad444b0329f8a
SHA512 d844c45f8ca8d571ac2a2470db549b258513693da2e5188b13255e047ed899fa7227e49a95db49d3aecd05138e0324f9bf8afc1010a6b32e2707c22bbee60e3f

C:\Users\Admin\AppData\Local\Temp\kkoa.exe

MD5 d2c460d1cad1cf0ce149690e620104d9
SHA1 24bbb469c8ea95080404938840a75362d33fbf63
SHA256 9eae3a3c64c81cb1aa431e1c34a17095cdc93b6c23d5c868408688e6209c188b
SHA512 f9d851b2243c5aeed47f24198995dd0f156eb02f75f121e9893e17b916a01969e5f95a3392d95f4ad0dda637b3666fd8450ea807e667f6374917c8affce2d346

C:\Users\Admin\AppData\Local\Temp\qgcW.exe

MD5 6adcc045bf7a3cde964e155fa5c43974
SHA1 86f99591028cdb7d6032c0fbd8ea0ee144fe8a13
SHA256 d7652c6ddd7a28e43071e2efb74bdd8748dd306fd9b55b42728d87a280dc6738
SHA512 529d9d935e82f1cdd82fe587a89b2da92de7ac7557cfb759b656b6c3995c22c085f53ff1deae6475695bb4374eb3aa7ea1811f2937fb36b36d12a4bab9e463bb

C:\Users\Admin\AppData\Local\Temp\CkIC.exe

MD5 c6d71a4ea8837d0728f449eb90570130
SHA1 fe637a1bbe4ae5b8587965056f2b9a0de81b246d
SHA256 dd635c997aeaec6aafa1a6cb0e6073a4f9ec070eadd803808d63d09d4b94d731
SHA512 05690d40e52bab78da70cbb714b236f6cdfa2f758fba5901cb9a5f49b89a6555025dd0fd7bf7ef5e61986e66b8c262d5d00d9104857c50890de75fd305d39847

C:\Users\Admin\AppData\Local\Temp\qcQE.exe

MD5 3d158ce5a7942c3c3c320051e2bc8bce
SHA1 5b5ef655f079f4467dd1540c9c28d0e147beb352
SHA256 bd2c1cf29535f99a2653383769947da6837a8e10b85f18c0cb4134521cb9e3fc
SHA512 ae59b5ba818f3fc7fa21700e2c6d9106230fae111ce17c831f1d80756f60bd10ecb0d32e02599fd78494385361560e40435cadb38610d2a4179caee41dad9921

C:\Users\Admin\AppData\Local\Temp\PyEMgcsY.bat

MD5 53162ce90d2213b5f9321b1ef17695e3
SHA1 965433bbc62cf59af0594b0ea6c500480f927263
SHA256 26bdf8efd4ce1487d1367e942a84a1a8317cdbe15507fbe002f5130d687d2e57
SHA512 6afeededdd8c641c41cc59931dbdedf11d83b1fa12cde3e0f7eea44d0b185c2c47b9e2924fe554610d6667a67ebe572be9a29fe4499eb2ee1dce85ceb31bc562

C:\Users\Admin\AppData\Local\Temp\IUwK.exe

MD5 9c645293c5c05ad6b6c0b3263e70e610
SHA1 8ca8ce0916d8133305b60e1546743407fb339fd8
SHA256 69e61291c9d0678153c7a798641c1741fcbbc10a16e712bde679d3c873f82c86
SHA512 8a3183047e05196ddd56136f087ea4e3972920d326b1b7a49fd1e81294920a23668177a4dbdccb72df836382bd0d3ac18acf24638b2eccbcdd6168c2d81aa6e0

C:\Users\Admin\AppData\Local\Temp\WMok.exe

MD5 e1aa292fe78707971a1caab0594d5bd7
SHA1 79c1dbb0688f70b159351b47375c802e9736ac2e
SHA256 c85725965916457289487036953abcc84431ceb300c7a1ae3065b06b3ca67283
SHA512 0f91da06917af8b56e1a66ba146b714774af0347bd6c55d133a369a636bafe3992bc39457f615d4ee2db540aff7234b95c417085ed6be29afc1bfd2510fcbd22

C:\Users\Admin\AppData\Local\Temp\mwsQ.exe

MD5 15cb250c2ed727691d81ca84b679f32d
SHA1 ff288db6bdddea7dc23de0151774fa2a336a3911
SHA256 3261e2ee541008d6fbe1d851220b1a98fc91ad3cb9a65324f5ca8205b52e1dd8
SHA512 28017f8e25880ca9d49537fcfd5622e42ef9377f27fcd8e3ffc60670e46be9fb7e9a2eb174e9bbcc3e78bb50a12d765b651ffb5803d8492501c25f212614db73

C:\Users\Admin\AppData\Local\Temp\KwcM.exe

MD5 d891200b348ca6f54c9b9b8e8b436d08
SHA1 98300aac1a6b1dc43c45e735c0861dab9061a81f
SHA256 c86a9a24703a5ed7d278b7987a190db81548f17f2440939e9c2f0e8c6ee52b1f
SHA512 13c25aa904bb2ed67415b181ebe219553d25cd5e2cf717e0ac04367ba45c3e062d28140364d5fc7bcbc1247743973697b268cbdd57e8180a2dc497bc43803126

C:\Users\Admin\AppData\Local\Temp\pkcwQscc.bat

MD5 1a74055f24d3ebbeed6550a1099e9649
SHA1 7a279c6ff9ebca2af1a9224e079f6c6f61ea5bed
SHA256 1763d99e69cfb7203e95e8948b6603d5b9779540d73c7bc37cdf70ef40cd59d9
SHA512 dff0a2ce9670f149069d54999d0abe96c50abadf364fd957fd10acc36a71be90e15348404df7af54ac32a1c032fd9e7cea5238a9aa5ca5cad337a63ad3f883e1

C:\Users\Admin\AppData\Local\Temp\yEkU.exe

MD5 f5b2592b9b95e74dfcf54048481cc9d1
SHA1 fd4bda23e6c5e3331020d59c23787f7a85f43afe
SHA256 a2c4e0261bc6d993c914ab7823dd252ef819480ec6c0729b37bc710ded6680dd
SHA512 2f8b18b1bcebea2ba5246fb75d49cae2eb294fab2740df2e742ad7523cb47ebe77fd502e03b576299be591b86fa34de990f78853f22c782b7470565fbf1ff35a

C:\Users\Admin\AppData\Local\Temp\Wcsw.exe

MD5 f87883be859d65b33bfd7f7be794ce04
SHA1 da0e7fdb64c763c63011d0548b503b4c8bb61f36
SHA256 2101f67e24859e42a6db0b688d669fb83ab0869f40b8c43cd0a65031616f2a7e
SHA512 85eec46e853c8b8e9aa3124049f74182c7ab03dfd65846436a5082d48cc9c3da97fd4fc688d3d57b0eb88c3b80d8d36093b9fc943d4500adff04e1a1a16ab24a

C:\Users\Admin\AppData\Local\Temp\sAAQ.exe

MD5 d0fa503b6aaabffc4fb7fcf5ca958fc3
SHA1 fb3df5841940f5b26a21bfccd3fcb86f6e33de01
SHA256 b2ad591bd9ae90d05774eb0270847656ebad8ccbbb2e47a6644c3e7a1e6302df
SHA512 f40ad4690228837ee1dd9e4711638d5b8a5a66add8c7ed8bf32b6852b85273cf0d35125b1efddd107052891fb9c584d3d954207b0e430f806674b3683f0cae5b

C:\Users\Admin\AppData\Local\Temp\DWQgUgwc.bat

MD5 b40ffbe08f4aba83de6f8fcbcf2f58c7
SHA1 223d791c6d61de12f5d0f48457b40a9ec6cb7bd8
SHA256 f36d4d286ef26507dd87eda15ac2e47259664462a703cb44bb6388ae2d47c6d9
SHA512 45d1c44ace11bd61f730c0eda44350cbf18206d9f7b59169714c334e14f67a26cd16279b346aa2e3de04f0740e9acd12f10da0035644505eb7133613e2e0567b

C:\Users\Admin\AppData\Local\Temp\iagUEkUU.bat

MD5 504829fa75123164a33e8bc86ac1c083
SHA1 6225594a1fbe230ebcb3ea708e03ee1f47059920
SHA256 b1d46725aabee454118f567808b3015c98fc0aa69927cdb09c2780f8f63a86ef
SHA512 203a25af93f252e0dafefcf66c4e3905a13c954dd8a93afc8dc0eae937b1ad5e770f5a15b2a885eb09949b0d208d733d0b9903865ba92f72088ea74a61886466

C:\Users\Admin\AppData\Local\Temp\WkUwssgk.bat

MD5 44b50c1d974e28a181332e93a6517c10
SHA1 50306bd28863ec7df613c61546916ad833157ece
SHA256 454ff34aec5f4dceb1b065af21596e39202e135d611a69405e2865a5fd7c2c18
SHA512 37458943209e5e6a0f5a613bef3373895e13444075ac5a96cde2d262fc4ef98d137841d7d049697721a5fa8f36c001dfde15762679ecd774e81a099467a3fefb

C:\Users\Admin\AppData\Local\Temp\msUMcsMM.bat

MD5 38759ff7e3c200fb13d39ea9a2a00761
SHA1 bd9e02f7b6260bae68cc70a7f33a4ab7021a8578
SHA256 99d95f23fea06536cbfc2f5ad7860229646e8c6dd3209440b29cb3f2b62b37bc
SHA512 b13fde18dd4602a6b77ca9ff32608c265800c9d953949e898be0b7adfdf2e87b8a0157f5404dce34058b5b59ba4864ba45751c808eb4d16171ea6c626d7f25ba

C:\Users\Admin\AppData\Local\Temp\BKEQwsks.bat

MD5 7a32d14d3d7268fd7cb79d73683c02c1
SHA1 9acbefd61732aca941d0d1b0703ba66957bb9545
SHA256 e560a67bd3ff83805b66fe36d5bb07edb911ed83f5d19f4fc70c423dec70704a
SHA512 9d90700eef94aa61e7762f3b660e818966bf8111072dd3d100ea7b820fa5aeaaa4f906c7f68919a469d1fc0ce6eaf4d835ae3caa09e2dc5fed8ecb3d4596a97a

C:\Users\Admin\AppData\Local\Temp\lWEMIsAw.bat

MD5 a6bd8233fede344357130b3b8a78d4bb
SHA1 4931e75ab5afcb43406c67fadad521d464f3d075
SHA256 228954eb37fbd5b8264c4e7196bd2c71c41ab3816548975c53ecc1d5e34af0e7
SHA512 a8ce5e2789a0f68d7413b3538f08e55523b481ed3e85a7603f8768fc54fbf054242d7bb92a353ab6346dad40051baacaedaa05ea54c95bd066145f6d9cfe2b21

C:\Users\Admin\AppData\Local\Temp\NUsgckgs.bat

MD5 31d79090d43772ed89e266bed1563f8a
SHA1 5996be4940bff8429fa45dd5727725bf59e486f5
SHA256 4371542dc2e6d7343496018b6dca07e7e16f42a44ebc65a2c5e3d443fbaa20f7
SHA512 d70bf0729cb58fc9061c62370d705ec34dc57267e7671df738156a928f5e3158aea0f053ebd37a8e2e56e559251218b4f3b3f1496bec0d581972a0d1146169ed

C:\Users\Admin\AppData\Local\Temp\mOUUMYgU.bat

MD5 f7d8bf658a652ea61ed0a6dfb725cb55
SHA1 0a8018b714937577c32c201a38ff8b7f2178e378
SHA256 bd836a73f5832f4f1ef7cbf9250c3e170618ff660a55986fc5cb91e750662512
SHA512 b2603796e7c9ef58b3cba6c960b1b701c66c1452ab5e3ed8a0001804b71b71b9c84ab6f66f8e7f00fd104195c1bf5c4f9936a8e9f71dfe14ed581a66573604cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 21:17

Reported

2024-10-25 21:19

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (51) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\ProgramData\taswkokg\lWYgEQEE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tsMwAAEs\HugoQgEk.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\GwEsUcgY\igcckQEo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lWYgEQEE.exe = "C:\\ProgramData\\taswkokg\\lWYgEQEE.exe" C:\ProgramData\GwEsUcgY\igcckQEo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HugoQgEk.exe = "C:\\Users\\Admin\\tsMwAAEs\\HugoQgEk.exe" C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lWYgEQEE.exe = "C:\\ProgramData\\taswkokg\\lWYgEQEE.exe" C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HugoQgEk.exe = "C:\\Users\\Admin\\tsMwAAEs\\HugoQgEk.exe" C:\Users\Admin\tsMwAAEs\HugoQgEk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lWYgEQEE.exe = "C:\\ProgramData\\taswkokg\\lWYgEQEE.exe" C:\ProgramData\taswkokg\lWYgEQEE.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\tsMwAAEs\HugoQgEk C:\ProgramData\GwEsUcgY\igcckQEo.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheEnableDismount.zip C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheOutCompare.docx C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSelectProtect.docx C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnprotectBlock.xlsx C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnregisterNew.mpg C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheCopyHide.doc C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\shePublishCompress.docx C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\tsMwAAEs C:\ProgramData\GwEsUcgY\igcckQEo.exe N/A
File opened for modification C:\Windows\SysWOW64\sheCopyTest.wma C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheProtectStop.docx C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheTestCompare.ppt C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheWaitAdd.docx C:\ProgramData\taswkokg\lWYgEQEE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A
N/A N/A C:\ProgramData\taswkokg\lWYgEQEE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Users\Admin\tsMwAAEs\HugoQgEk.exe
PID 3112 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Users\Admin\tsMwAAEs\HugoQgEk.exe
PID 3112 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Users\Admin\tsMwAAEs\HugoQgEk.exe
PID 3112 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\ProgramData\taswkokg\lWYgEQEE.exe
PID 3112 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\ProgramData\taswkokg\lWYgEQEE.exe
PID 3112 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\ProgramData\taswkokg\lWYgEQEE.exe
PID 3112 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 3388 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 3388 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 3112 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3112 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 3596 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 3596 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 4412 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4412 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4412 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3668 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\reg.exe
PID 3668 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2740 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 2740 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe
PID 4160 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4160 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4160 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1120 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

"C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe"

C:\Users\Admin\tsMwAAEs\HugoQgEk.exe

"C:\Users\Admin\tsMwAAEs\HugoQgEk.exe"

C:\ProgramData\taswkokg\lWYgEQEE.exe

"C:\ProgramData\taswkokg\lWYgEQEE.exe"

C:\ProgramData\GwEsUcgY\igcckQEo.exe

C:\ProgramData\GwEsUcgY\igcckQEo.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yygMkEoU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOMcIsgg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCwcYsEU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMMMkkUM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWMkwwQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEMIgQAg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mskQMAEI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCIcsIgM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQkoMgYo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyAMoUQk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecowQYEI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeIIIYck.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqsEkosw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqkEcMoY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAoIwQko.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYoMAEMk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYcUMgEU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEIUcUU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCoIEsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEgoYIIk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGAkYEYg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYEkMIEY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAgkUEoE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEYQAksA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgkYsQQA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HygYAgwo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEYUEEsw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWQIkoII.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAsQMsss.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOcMgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIwUggYI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOMsUYIg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGsMsUUI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omQAcwEE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOgsYkIg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWwYQYsI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCoUkscw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIUUQgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKwgAEkw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coAIAowE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKQMIUMk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YicUkMkA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqoMgQQk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcMcEosM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roocoMQk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fksswwsI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuYkQQEY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maUIUIgo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsYoEMYc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUsIsMoI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HucwwoQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwcYgMo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcsQkMEY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMscQQws.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skoIMgsA.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyoQMQEE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYUQEwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsQswQYs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIAIYwYo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUAgQAUk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAUMoAoI.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UakAQkIM.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkcEsUAg.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quQwoogw.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAoMUoUE.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIcUosU.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCUMAcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysIgUkgk.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMcMgIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMEUYoAY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeQcYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcMQAUQc.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEMIYQgY.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giwAocgs.bat" "C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe""

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291.exe

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv ltf9G5mI50OlS9qeMkC8Qg.0.2

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3112-0-0x0000000000401000-0x0000000000571000-memory.dmp

C:\Users\Admin\tsMwAAEs\HugoQgEk.exe

MD5 65caa52ae2a20af17093ae0cef9e5cf7
SHA1 5f2b607ce5d4725835c97c5758c226d855534869
SHA256 95cb4342f208f137d3df755f4a79724fa83ff786e21e02d651b2dfdcb6c9bd07
SHA512 6f3591d650793258f725f323f69f456b638b06e2603b2a5382e7522b54369eafd903cfbbf43eb1ca5416170392e2616de2318e463c0cdae342122d5e816be096

memory/4252-6-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4172-14-0x0000000000400000-0x0000000000470000-memory.dmp

C:\ProgramData\taswkokg\lWYgEQEE.exe

MD5 2f5c4c69dfa34ac653d5b911f22629fc
SHA1 b4277b88b2aaca76ff3c540c7a7be7d20af01b61
SHA256 560e92ab1d171a9d94ba28739803034a551d8359a11a0f1624ae53b483357e5a
SHA512 7a598e452ef3461be1c81d77f5fad32cdd995e01be235135bf8346e4bb8c0cc279254757301e8db0bcd9131e735ae84b4c1113449dfe38319f7e48e941f07b64

C:\ProgramData\GwEsUcgY\igcckQEo.exe

MD5 3a8593f6ec71b474f2183f2750538e9c
SHA1 f1f8a28f5fbbf5f705c79f2ce9d033762e8d4a92
SHA256 7185f2ccdddc6bd2d29958b0198fe3e0f2db3b9a811f76c16aa2e8d6264fc66e
SHA512 4ac6aa5b2eccfa1f5476c486c65df58a983d2722f3e1180fc1e7bc73f0d22d9108bed716a3a827720e0ef500583a7ee5e135774e16bbf744f70cf7631a703e44

C:\Users\Admin\AppData\Local\Temp\4684ed29993f94294385dd0e30b0a3228f20f4d867fe8e2b91e27456e1ac7291

MD5 7455307d1d96b6df1031eed8d010598e
SHA1 f16374bd24863520bc9cdea1ccfa99a540f991aa
SHA256 510a270eab4c149d50fc3feba4467d6ad65c55834236dbbb63ec8d47d7d75007
SHA512 2b10c850c688f6039cd20cf69067d961d3c4bafb6e9f8ec992459cd48f04009db7661c5595c509e257beade0b8ec987f79a87297084f9af0824b7787e7615cd7

C:\Users\Admin\AppData\Local\Temp\yygMkEoU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\YYUq.exe

MD5 6cf404102971bdc9a1e587ddcf9a7b14
SHA1 1f27cba31a505e38905beebcca971c861545f254
SHA256 4e3a63fcaa625954833a472932c534e3029a6aa18867af9492fb6c056b157302
SHA512 2ed81ddaaa8cf39cb5231bf417f87e314b7e1a1cf0fa4209c356971b6dd9df32a0d971b74f79e9c9803a49266da02d66bc3ffb06847e504bc0f467dff9404472

C:\Users\Admin\AppData\Local\Temp\assq.exe

MD5 5278f902b2a27f676d9be952d5d8a1b0
SHA1 3e60391b15d70b5d4d43198beaa2450d79b7e191
SHA256 b22d058cc5782f075efad1984a40befc7c2da152934b4bb1d05ed29ec536e06a
SHA512 5d42066ab330de00307b2ce630916ac07e9c37009129c55a66e51f583a4ab1f1e2698def34924ebe4c59fc00f43df3c206e05768ea602faf1a6b258f98f83003

C:\Users\Admin\AppData\Local\Temp\OIQG.exe

MD5 3acc519a3c3fa7e2c22466f82cec4178
SHA1 3f14aa5a2878a6ec401f05a0df40081df14a0800
SHA256 60d3f94bd90d024d9038bcd00cb3d1931d7f25d0bbc914c7ab660cf861f72939
SHA512 2ea562f22299563e3302aabe95dbe64686cfd96a188e88308921f9a15afab6079c958ae28e5ef3bcaaef4313d6772acf5a4614d5cfd0c366053c4418bb9be6c5

C:\Users\Admin\AppData\Local\Temp\UCAs.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\Ugoi.exe

MD5 b23b9ed86f5b8cdfb4abcf0e6f6ec93b
SHA1 8ed0b5ac31d4eb8c730109af8416fa9efc2d6d4b
SHA256 e280aac43c8e6d49fe2bbbe06e7382ae188cee6a2083df3cb991c6ab1f2239b2
SHA512 0f6dcf93ea60d3c9b8417507087d6b68716350a2ff30e1ca11426451e0fda957753f5f6aba0a3c5ddd554ad5d42753021f4f48967168322d18eb568675ebbf4a

C:\Users\Admin\AppData\Local\Temp\ccsq.exe

MD5 aa97411c2efbb0e6dd543dc50b7b760f
SHA1 1ad9be88dafc0057115ec7ad1b1ba1666109fb10
SHA256 2595825232eda9e14a1082870e516cfeb1cddf26c6b5081a9dfcd549fd321f3c
SHA512 2e7d9db447c9156f95ac99f44cc3ed9b6f4671f5f3e4f7ff151415a0e8215a4e62a1f89dbaecc82dc18d07c13bb79ebac6d374c287458b52648e96582ae53557

C:\Users\Admin\AppData\Local\Temp\kIEE.exe

MD5 ab6fa3e2b7472b648de3ea6574a7451e
SHA1 6c3f50ce137ebd8b8eec695e1692734878b1925a
SHA256 e3d692ea24303b3250db372b4c258fb8674c7bbdb724542964b404ff5ba0df1f
SHA512 f7588339e9d5e998989c9ff3d259275f80b870545fbc226492bff6a19308dc3195bd03e1fb83ba06e866701ee4f76e5b9d3b441481c3265c629ced876a4694a1

C:\Users\Admin\AppData\Local\Temp\kAQa.exe

MD5 01ccec55a2427d255f1a48556a1dd078
SHA1 de95b58bc666a7ed890240fd98f2d36db2e0ba7f
SHA256 286ec6ecdb4c839c140c5aff95ad12e8e9fd581430120d2e596490c125a6070e
SHA512 f658a872056a307ebd2232b187cfe11f1dd988c3a023ffeac45c0a5700aaee12d786bd78e3c7c42d1a1eb9e639a4311b0e764c1398517fc3cc3baf20195dd616

C:\Users\Admin\AppData\Local\Temp\icwQ.exe

MD5 769f59b3c0431e2efc43c39c1ddd4d2f
SHA1 e85153f570c2c128066e25f68da47da1233b5396
SHA256 90e5813e5c544d5c56f17bdb5903bf644166fb63014e1e55bde6af95e5172412
SHA512 6807ee3c93dc4a5021fecfd463a4b79b6bd19d43620b55b06559d5c08d90bf0f023dcac54dd6903dce75bad139bc1be510c40a122c1e0e73daef7a3b2ec7c05b

C:\Users\Admin\AppData\Local\Temp\igga.exe

MD5 946929403d69e864653d1d55378739ed
SHA1 5bcaf0199260a6027cba352a0d29cf757be43d53
SHA256 d88e03591979fe28f7b554915ee86025fb6bc3a219f587e3e13d594065eba06b
SHA512 7cf15ccf5a628e9dafdfa956e17fd6da37d49bf2146127624b66871023fe428219dee922564e46e10e86ebcf3e17dde61f94c5cffe36a6dc0f66345306a7c43c

C:\Users\Admin\AppData\Local\Temp\woEc.exe

MD5 8e8e2f1e846d1717799518836cbaf6fc
SHA1 25b2946180d372aeed3371217a254bb10cdcb033
SHA256 a84e06f835d70c80cbec68e2aca0f9c0df6e3c2c5113be60e837da8a1a50a9bd
SHA512 844673dfc3f879e7f0f84d1b03765005698d3d3f597ab4a068a2b028fa65f705ba94fc81c1de9c18360825cd214db51287f0e26bf64a38ca724051135b7e0d5a

memory/3112-318-0x0000000000401000-0x0000000000571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MAgW.exe

MD5 f33aadc095f257874d0ede7e3dd9227e
SHA1 08b1829892f640d39ad126ac26619ed9c3bef1eb
SHA256 7fc2111535d562395fac65df38450beecf754a6d76cecef422353b36ea568926
SHA512 df0e893defe358fa7d2808a04eb4f03767774b171af547214a3eff439fe4385fb9ebe30e9b410817443ab12cc3c4b4e3c515891178789f32ec82b8df28f7db66

C:\Users\Admin\AppData\Local\Temp\AUwk.exe

MD5 6eab5844d2daa1fa37704a17e1e4bfd5
SHA1 26f30025ad19235a3e020766bc583b0e4ad23caa
SHA256 cd3c2ebde6e6dfb6bcdbf3d3d99358b40242611ed9ad5b9e9658674f57ed233b
SHA512 840566118f70b3b692850a3ecc16942cb8bccb16d229c485b87f3bbaf8304b16db463b5134b33abdf5f77d67e682eaa45b215081b6820cbd0239afeb77073b11

C:\Users\Admin\AppData\Local\Temp\yyMs.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iEIE.exe

MD5 0e454e0e7107fde3298ae7948499f7f0
SHA1 f07cc3a03a5b4d6c591e5370e675cda4e8bbc341
SHA256 e1495b2a753843d7adf4ecf0c1fcbd33e3194f5f6f3d2a4ad61e5080b66b2fe6
SHA512 692f77a1808f423251bae5ca8bf72bf95fc84899259ebb16d9c4855e8514c2c05447d206da09315c973493ba4db164b01f9ff659e2800fa11cabb4b88487d832

C:\Users\Admin\AppData\Local\Temp\gwwa.exe

MD5 56bde9b332ab81c35876be5d5438a4aa
SHA1 391d6af4d507c6b7c5584d26e4e9282b59a6a366
SHA256 6d95a9e8d4e054a132909d247c38fa01b1e30956b9c6fbde5b2e4092f48ce775
SHA512 26e95693eae081ceb01c6dd09902207f25e535f6e72e14d979378df4b66e2ce4af4e121a93dc7ae0ca63df16fa972e2c2b2ecf8d227e8b4ae1465111fa300e96

C:\Users\Admin\AppData\Local\Temp\OIYE.exe

MD5 d92f2ff59af71e428513cad36bf37060
SHA1 2afe1ab3254c73a148459daf141ba80369fcda2e
SHA256 48f0044b42dec1a8eaf09f81dab1c5436d25150af1973658460abc0defec97ae
SHA512 d1cafb60f2f54f959ce8c8b548d7c9951b19f494ef9b5f0d16f9df714da91db6d219a37e7c8531df98e10298cc7efe3b5c44cb0ed0b9f55cdf6825f5c783c048

C:\Users\Admin\AppData\Local\Temp\UYkm.exe

MD5 c6b8b31a79968c2884758eb0a50ce6e5
SHA1 78dcab13612897ea8d7213138b2afffac228bdc5
SHA256 c26d79c54429eab03fd2e0c9f9ecaaa49b5dd5ec4121153c90c4fdcb72e7d3c9
SHA512 e8f739e182883a99c736bdb6c6479ee24391383684ae6b02301b09d48f7cae71e05f63a63d7f804de8a5bb94f58f46d884177ed7aeb50b42a2368a53e1a91b4b

C:\Users\Admin\AppData\Local\Temp\YQAG.exe

MD5 03dffae139d01b07158c28beb9f53744
SHA1 8829942bbbe78f37e3e837630ac4da685a1b263f
SHA256 955a9db33ce73ad87a4852adcaf4d01d5f4ec3e3b8871315e5f3b00862ef605a
SHA512 34fd4a41a81b1dc1cd7f6627b9cb1067af0c5c460b3e8c26263ef1f26d47feab265235b82164ee71a58ed4ba8ecef9a850a5e2c48d109528e759eea818b7c096

C:\Users\Admin\AppData\Local\Temp\KsUy.exe

MD5 491c5f0bb71295c6c9a4510fd477736d
SHA1 8164baf2c3eab5c2084de524b0246581b80354ac
SHA256 9f9123dad4f5dadbf7cc397d09fa19f981bc91616078bc18814cf47a5e1975de
SHA512 62ba7dba4c018e80474242eb18016b221f53c51e8579e6a419c212350ed9160616fb7c814f95e8da003730717e067013a87b37e368142c9e0277d629e0a229af

C:\Users\Admin\AppData\Local\Temp\iIku.exe

MD5 131ca7ad1db89c86d71fe1ed93e5f886
SHA1 a092cd917b9bcf40774c89d8ca4158d881b2760e
SHA256 d0d1205c603acb7ea68a210630ec3d69f42a7470f97ac216eec3bd05cbe0521d
SHA512 db9aed2f34aaef4ebbcbd6d369d0876b808f54639ce0f91583ce60320e48dc0934d32a8acfb83654b2b8931896dc07e10370dc90adee9f1fab9691a8b5c4a58c

C:\Users\Admin\AppData\Local\Temp\WQQE.exe

MD5 b762dcae35dc278ae2182429793e3b56
SHA1 473c9518abd58aa1c4be5eb70d2d215b579c0dfc
SHA256 085e9374456afb039f5c98bcbcdc30408216850c75d3d375d4a0f5f96389ab99
SHA512 8b5bee3eda442acc7d8fe9fe4c1470b295b140fd48f1637a7766abcab99558aa1f1deae2362cc4905b45102dd2c585cdcc83a2764eca18208d064cc77164a6b2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 0eeb44cb2c01e66fc955a862bf782e99
SHA1 1a390eb4eea9e53343163db98a76b2d7f4d8a42d
SHA256 da1382816ac86e06d1df0b933cf60bc67e4b47de758c168ec3c2c926034e1a72
SHA512 6ffa70ab90fd7755e34a09345e905e2c11ce6fa0074b39be14b00d8e9367256d78153138a4a150d710477fea0d27ae1b676fdc981b730aabc51aef971c957508

C:\Users\Admin\AppData\Local\Temp\oUku.exe

MD5 ef9acaa64d61c3e1af1c675d68684726
SHA1 eff6c56ebf72b81de68e42b99fbb7afd8c779eda
SHA256 b3e3f8665a5ac1449882d7afecd5433f696024bebf04dd5becdaf207e31ce867
SHA512 70b7a941ff4dc1acffdc50ef09813fb5d3e08d2df560417b0b9ed4cb7fc69951e737095f7f04dd98064f4ba3c9dab279f65c39d4578a85e2798d8862e126d878

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 7f6e1c2c277bde34ce5a3ddb16b258e6
SHA1 35d74a4b6444f790505fc9cdc664d74b8d93f9c5
SHA256 d2dd6ab70e889e3af6a1ea5c9d55182398312347a2d8632c5184ea72137d3faf
SHA512 d88e8f4233a19698c416f2cc28e2900ea9bf335ba97b5700a8cfb7dac8ac93fd36f5df3d10181d5fc671f3fbb927c16194f9945a8f398d091805c914315cfcd2

C:\Users\Admin\AppData\Local\Temp\ugoy.exe

MD5 def75633aacf055a2e5749f4c4b62397
SHA1 27ecb3ca5ad546d20eb04ae83dab539054a987fa
SHA256 d8958bf8f3f840176d958a31e07bc3673b8514d6da8875cb6446f6e380064838
SHA512 4a2ec1d3e398f2a303d564049c7ca46678d72ece8bd4878987ecde59aeab8a193541a272cd5b6a618507440fc100b78799626e96cf40158e41062ec75683ed52

memory/4252-555-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kIIu.exe

MD5 37d3c5367753289244488d4136b10e12
SHA1 1c6728e35413c46a002205b71b7349d9325b02c3
SHA256 58ddd870440e4846cc843d50a46d868c80ef91c8bb64b6d5d0a8b8b3f9bc0e37
SHA512 d5e0ff40b98a16b40e9a6587afc9f7ed0eb1098613249d52aa46c33aaa9d58277187d6ea6f77fdfe600c19e722b5e18a8d2e20e795ead8a7f006e452f2312f0a

C:\Users\Admin\AppData\Local\Temp\IwQA.exe

MD5 0888c9a592d85e7fa65c9a0d10e1445e
SHA1 0283e0dbf842cb9ce505bc9a52dee2e05a27aa98
SHA256 b6b004df156bb3acc5e2c2e02f87e22741797bf3394650ea6dfd440be55d19f4
SHA512 8f1ac7b3fc68d0897355fae4f87376b41e775045db17b6082c072b9d722927d58d108ee55ef7701bef50d9d0333e9929b3e0e5754f1a89cb50f99f98ebcbf848

C:\Users\Admin\AppData\Local\Temp\swAY.exe

MD5 4c62df07d2fdfef60ec9ec0e4208ebbf
SHA1 ca4403c8b7a5187f9aecccc5782166ad12c15628
SHA256 22011dbc2da7d6978918c9a746c1e1bc19786650dd17ec7c6164751120fea5d1
SHA512 25aebaa7296de5af5d3e9d5a8a0d10bf37bd150f67e7cab67dbf1b44db5c960f7d64313b6126e032f78d6c732ca11efc75d8229c70d1fb593b6366387d84b94b

C:\Users\Admin\AppData\Local\Temp\ysMW.exe

MD5 ee0bdf1b2546d1a7ffd1407a4eac0cd9
SHA1 1cf5af43bb4519b8789154f45d56272da51c2b76
SHA256 0f34e82de0f337bc02ecdfa053e520052b5bc32e5986795bf057f2c135a50226
SHA512 d201436056933059c343753d0504d9c0b8bd4c95ca45cb9c3fe3e61044e1c42bda5f37ce314921a89db190b4972db4439f106faaabb5b5dbcf6ed05c09c1211e

C:\Users\Admin\AppData\Local\Temp\uEks.exe

MD5 de94a711aeaa46d63036d0c9e97932f1
SHA1 5395d9eebb025710821de933951934294dfb9e8d
SHA256 b777035df3cd484cdb93f4ec43c198522583c235ff393de9423b2bb2c11ddfef
SHA512 a65e53fd99e54aa444bb321769060107ea944bee3c751237df7c4c2b653fa1343eeaa9d299352f6ca085ff16ec6e3567879d5b60fd9bac6c0921b216f2c1ed31

C:\Users\Admin\AppData\Local\Temp\SsAo.exe

MD5 740adff9925f7f2290462dde53e1377b
SHA1 20de427eca9ca066a2e1a14ea5ab3a37a5ac4eb3
SHA256 93f7418c1667c87ebf4959c1695cab1f8dbf9d51b5031be2f4f7ab1af5fb2c92
SHA512 2ed3c486717bc85b717cf78ef921fbb675e9e51573f9bbda00b6f41b3e8eb49e232274abeea23f38a5989b76821ca70c190d3920b91434f1e87ee6860795c991

C:\Users\Admin\AppData\Local\Temp\UYcG.exe

MD5 2bb528d8694ea850d8f5a9be3b12a634
SHA1 2f00e1d3d7b1f41fa0a7ecaed9abde98c7fa7ea6
SHA256 b7e31c07048a8d8dbbd622f51f2245e9a78da6d8c593ecd77ab24aac76ec9b29
SHA512 112826c659d7d159644c5021790371318d83ba6963f735ce95e58eb9db2038d17e2d3cf053ce784685e96e3a0625220f19782386c4b6f0076ce8ccf561c5639d

C:\Users\Admin\AppData\Local\Temp\uowm.exe

MD5 c3dd19ef19d9083ab01784e89e7f8708
SHA1 5ec3499e56565f9b6fbe2582f889580212081432
SHA256 9c511686f0356a8fe6c0abf8b2d0a5d2efb5a3ccdcd42704ced8977c24e24293
SHA512 0cd9d62a7f8f2681d7c47678c9c4a709812568d9e4fc1a7a700dcf40b1b1fbc94df8a89c7052410bad4edd324ccb435f39436d07a69938ded8d516bd2452616c

C:\Users\Admin\AppData\Local\Temp\SIAk.exe

MD5 82b426d0860212cf718b1b4d382e301b
SHA1 a7d59d6b1404a314bb9a03c4898ae01bc8e78ed9
SHA256 5fac1a054225f46a09c588ebeaa10e2c4919573c1378de69c78f5ebe89fc28dc
SHA512 f648e6615804a230feaa057df278c58cc86c3eb327dc2656137ac70fdb9f42852039ff4283a0927a8f54b75a5e3aa2b05ba364989ef0d2334de6e8979cd6ec1f

C:\Users\Admin\AppData\Local\Temp\WoYC.exe

MD5 f2ebd561191dc9c75d20be9af41691a4
SHA1 556ff7edb871d5a65c0d499ca4a9e9d7cadbf1d5
SHA256 79dae787df9fd5679f65e234691bb560769d6dfeb970e8cec851bd71a1a74e7c
SHA512 05b88d69e8e330512fbaa443f3abfe4145aafd58a98b8fc212c27c5b78fd9446ce949e39fedaac6d37894d424f0ff71b1a536d10fabf3cf87b04ba4b91ed98a6

C:\Users\Admin\AppData\Local\Temp\EMgQ.exe

MD5 64c87677b77e0c46aad3bca3578748ff
SHA1 c988b2f1aafbf28194ffc1d534c5311321dcef5a
SHA256 4271c8086a86b3500f36089a50592e67c0fcddba82566ffb9cdb99c860e68e18
SHA512 b38e8f92975f85a042e28f3817db7c818f8b76e73291e02bbe3d2973f2f012b272ead94df311a355c43eeaf66f311f37b80ccc4bd347ee8755834be74fc68b7f

C:\Users\Admin\AppData\Local\Temp\soIg.exe

MD5 940e4ed1f1319bad325dc57f6d5284f1
SHA1 d11ffcad49ab7c20c692325fad7c1893bc78b7b1
SHA256 7a66218829173963b08f4edf523600db9690bc22ea19e259b7eb9681288ebb4b
SHA512 c16d289dc9752ec8b4421c42c2379e245952bff71c63129ea055ef7b85535c45027eab43f12ad027388b02a19ae94f871aa5eccd14dc7d665c98939625e9be22

C:\Users\Admin\AppData\Local\Temp\Swws.exe

MD5 b8f8cf7dd36ec79821b152372c48dcd3
SHA1 22120fb7a5fa6bbc7ce1fa04eb54a5e752050d7b
SHA256 3116620bdb68ff9d7f1f82d88345f0a8139c49ec7927157286b0b1fb9230f7d3
SHA512 fcb327e5b8d41ccf6770d0168b9b923b4349bdd6b1cbc02026fc1347743ff352b7967943c6fc7551ae7809c3bb0a109ba492e563a69bfe5cd48f0ea83bc4e7bb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

MD5 6b5a8f01b5ab8924c43e27462e789710
SHA1 5a4d2cd68deca3ddab8e18c947e547b9dd8e6e1b
SHA256 ee597ce9505d65fb90ab263d4f4b539db038d81b7c59bb08c33c1d7d1bce1f44
SHA512 33f3130853a35e28835a6f23dce51e23a7d7f23ff7994d0aaa329b4c529cb9e41abe03edaa5163d2782956f9bc4da67d06c3882a9f9d9f0413a8c14d1b06a0d5

C:\Users\Admin\AppData\Local\Temp\wwci.exe

MD5 319a513c5d046d2d90ff340f4c0a6a99
SHA1 fe69f52b33b64311132617c98fdea12d26dcfd43
SHA256 c267b7c1e66405992cc8407259ce27d838ce5df353061f9157236f3aea65f235
SHA512 d1b64592a73fe0064457a209f97b5f0ab6a40ee0c506e7d4a1e12b74abc46a4b2f168c9d39ef432cbd5940ee178f4253ce875ef9f99633962362042f2aadbf57

C:\Users\Admin\AppData\Local\Temp\Wwgy.exe

MD5 96f00e0fcc82b261c523c9b4d257e58e
SHA1 d5b31ac9f46eba334c3d7ce909f622f1b89d86c6
SHA256 72c2bb4bd5c00a7381d8ed9b04b1c28237b3ff771e23b58fbcd4d9b53110d0fb
SHA512 7ab0fc6a5a88de54310089402644ca5d667da6206394ca194b5bc4fc49ee727bdbe4c05a7c12689e7d3cdaa60e9394a4519e94b6ba98ff4b70192be5296ae7ad

C:\Users\Admin\AppData\Local\Temp\CwQM.exe

MD5 b550f59b04a83cb38bfd1d77eabb2a6b
SHA1 3a9d43e524579c8d605ae6fe1ae0a280e4967221
SHA256 754fbde231d9f1028147b184894d4c733fdd9ae1c5404f9b5c39e6f1fd5b88c0
SHA512 f53a132cd8de74c788e9c66e87a3e1f29d20be89547bf09002b66e88bee149541b6b3aa6e3be3dcadf68495c258eab7cee3d2eb433ecfd49f72de4d1a0cbd721

memory/4172-799-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qEUu.exe

MD5 01c5f34859698d093e317744cf8c4dd8
SHA1 d21cf436fdffe2d370da7d4e54b85a07761cc827
SHA256 d7d2458b20642d3d9291069ae5f3bd57c2add52e3968d1e24c10e9181eec0d51
SHA512 7521fa8a3eba87d644b4f6b53843e59292c8855a0923bceb3d94dbfc926e9c72232c236d7d17cb2ce53d4bd59bc09c7a41b4843b2418e0009ace02e0b2fd3b36

C:\Users\Admin\AppData\Local\Temp\YYIm.exe

MD5 dddc2207b194ccdaf868d4d07c0722d0
SHA1 8d29b6edbdab78ca95e9747e91dc9f2eec0eb43b
SHA256 37092ba1260a460944cf7ba420783ba302079a0d3ab3b2280e58e4a97e5ee943
SHA512 591ea8de0e91d4004f318ee4e1cfc591122f3668927cd20da99656ba421f485c5c42ac1984660ba87096ca018df499160ec4e2971d17b765105a5448015363c5

C:\Users\Admin\AppData\Local\Temp\YMoY.exe

MD5 c88dbc2a644062e077713e6c51b167a2
SHA1 5d6ecb82d503f9b01dc33d933f424afcb8c1c390
SHA256 e6bb43d7e144bf1919286043479fda7d87d3d4248723b9f61b27a5fbf41db027
SHA512 cf01237a26b6c1b9ce87204e9dd25facb0b979983f7f1f2d25a660fb0dbe90d4632dc94f573651bc9b9b7a09ff5a532c764352d1996deb06ce4dffa5a26aad34

C:\Users\Admin\AppData\Local\Temp\kwMm.exe

MD5 eaf2f88a4c49aab3bc0dbf4d2a36e495
SHA1 862b0912ff071ba238717bf79a33f45c576aacf6
SHA256 518fc06f38351dc232d4491615d51dd9332930b1103d05bc2798005751b314ef
SHA512 b6b076d9e8c33d07dc4ca80dd0225cc666cc80d552531b0c927bcaed9260e09621ad793131b93116c9981f13e3733f4273a9b4cf51994977d6f0defcd172755a

C:\Users\Admin\AppData\Local\Temp\Csoo.exe

MD5 4f7f1e808d2440fca6c4972810272c97
SHA1 03ac696f462782d3a5b8cc18f8e5b49810b0ad7a
SHA256 cc1752758c0d43da0be98b645cde4f7dc1bdedada8efd941357edaa7bc31cbbf
SHA512 3a2646a8f8e40ba1de33d34b9a85d5867d273492deb22c5703bf4cfc0c7eca75b58bd23fe3d43c69d856e4ad72a048c774ce0340b9ede50be868724cbca6045d

C:\Users\Admin\AppData\Local\Temp\wcUQ.exe

MD5 a450c76a2d2c3f9df0db75fa7cb9f755
SHA1 b86fbcd141524b408102f163909a0606425dd757
SHA256 8a6cb6a35f100d698c1f9f8806dde6c72e0925c7647ae5220c30e2f29caee897
SHA512 9f24dc76da6a66f2b22a786356ee1567e6bebd20308f1c28862a48a8c2f15e94706c5d1c5711e5b144de5d9a8dc2a9c549126d7b7b80bc302433910d8b0ee392

C:\Users\Admin\AppData\Local\Temp\OUgC.exe

MD5 b21cac4e2eab51f9c6d02612990f793d
SHA1 a823dd606f61e512a21ba3cb7b582aa17259d28a
SHA256 f32ab10590ceeeeb6283233d9b5f87643ff375305f3b730189cdb76494ecc9a0
SHA512 fb8eeb43ce4564dd17fa77cb6c9c01d584c5ed4f983b6d3f49b5913e97fcbccd373604100007184e21031a9ae9e595d091a6d87086283e603a121cb1721feb28

C:\Users\Admin\AppData\Local\Temp\QAcK.exe

MD5 b0a725b17bd5646ca9fdbb49674a3b2f
SHA1 faacf456ac263dae52c0690196bd2da37ec626e7
SHA256 af8719280f1e6f905d1939d3b6e20c55993e9d30e0d990896d2521f1bf41b315
SHA512 7e242e98aeaa4312d4447b9f248e757d0792567abc6ef5bf8e750074bf6c2a2168fcb930ad84afd05a6a49e8de25b7088dde20e644e3e3927d2c2d19f0287002

C:\Users\Admin\AppData\Local\Temp\aoUY.exe

MD5 4092d2f4b206dd7e1d3daab7228d4ee9
SHA1 1630ee6d88eed7e2cd11f7067194fcf3f83aafb6
SHA256 3c65cfe9edaba6e804c3ba7bd319ecccbc3f4a26a1ce3c47d632596d146d0cfe
SHA512 98d41a7d74f9500f031cec6fafe813f7c452f487e8b8022f31d959653edfe59977310485687b2c05752dd7a1e2ef060867d4b1acf71876ab104534006cc54728

C:\Users\Admin\AppData\Local\Temp\qQwe.exe

MD5 d6c2c49170ddfea2771cd8770860b085
SHA1 d629c9a6282a3fc13c5b30eea31bcb11ffedd59d
SHA256 2f6cc3670d6e33279e3d39c48e791425cbdfe8dec8a7f881950d9897ae2fb35a
SHA512 229fd03064b080c87d45b01460253670f4a4b0e5482c23036c273c01b197e984ed9ee05679c678b64adab1971fe464afe71f11dd8b0d175feecff08d68a70e8c

C:\Users\Admin\AppData\Local\Temp\KEge.exe

MD5 3cfd4ad99afbddaec41efd5d72b8b598
SHA1 58152ca2c5a2242b5b2ae4c6a23aef6b72b4113c
SHA256 3f2b987f0f12d9389fb4e54503fbd206751e9289a36132ed92a01cc2c1fada15
SHA512 65f0a321926e070d1b931875492c4c745ce64f99388391a2ff27dd55b1957397419cd4b93c635e9f613b4125a793dd1852b82e6d2d40bc283461fac3ce59963a

C:\Users\Admin\AppData\Local\Temp\qkQE.exe

MD5 0a219da747b231b7fcd183b40f69e62b
SHA1 ff4d5f06abfd06dbb675f23dc58e8e5cfe89a03c
SHA256 9537586a67aa3d2c4b530858d14390844df219282fdf1546d0733886f1c3d1bc
SHA512 0c96a219137c97a37144a317211b5963862e6887a7e6caabe606c8260b25cf4c48f76dd60b05d19d9b9ce9e6a9751124b330976104a62c75d79f60aa9e968261

C:\Users\Admin\AppData\Local\Temp\WMAS.exe

MD5 04fcf7727a22576dee7927a4dcd320b2
SHA1 fd08078094eded14df87644c92055d31d553d99d
SHA256 265ccf53584b4ea3db3b1a2680bc1acda157a5fe743b0cfc6dddbd64a85477bd
SHA512 b329894b870e6d97ef6e83b7bed5a6bf65434eeb6fad8bc41f2e84e72980f2fb52bdc44279e3f749437957b975a00f77e33ab2b30c7da48d2b3368a032ead7da

C:\Users\Admin\AppData\Local\Temp\OEAK.exe

MD5 ef8b03b079f0a15e3db2b0088aa6ad7b
SHA1 31aad7b82e158964ab8a0ad321767a9a66c197ee
SHA256 8619e82f2600f70aac4dcc329ec06b991e5bceb179f5fd8507c388676626e335
SHA512 07a3598ab30dea7e2c2ae072f81adb1125174fd273b43fc44f2090961c9fbd9c7c30987cdc95a8df516e7f393279c7c34f41078d808ccefe7e190ece6ce6c745

C:\Users\Admin\AppData\Local\Temp\kwAY.exe

MD5 cf99665117764ae6ae803b107bdfcf01
SHA1 efcb8168576d378a0ca8a527b39e6ae75acf097b
SHA256 2641fdfa15987b66a66bc317d4bc03b1d0a22a5db8d15f32674d3141b4351435
SHA512 755fb6a275d54004f75a10ced01f7b1c2d61e8c7d3824842d5a446a0427aec52511aa9a76b8e9be305612627a171935ea88c64e7b64491881b7998a9bedbcb24

C:\Users\Admin\AppData\Local\Temp\qYkg.exe

MD5 1f5c5068d32ebe0df23153e4cfa002a2
SHA1 904fd609cd1652240bd27ff1fdef350f227325fd
SHA256 6ba2907ff465f6623c29e1f9c8478baf7400fe42defbcf1f9e377e51f634765b
SHA512 10aec1e9528be39e457d256890bc5a4f8590f7b2d8dc9c7273086c69b0fc9d4c7a666b1f78e167e67845d97e9b426f8bd61d7eaa3e98b6d4c26f4f1362bc46fe

C:\Users\Admin\AppData\Local\Temp\eYIW.exe

MD5 62307837657d106210f51f3ffbc566d2
SHA1 7d9e612bd7efeeaceb5042e66613c61905cea80b
SHA256 375e11d9b6caa94a20c3642e9526b7a2280696fb3d3bafa6a9c055392056913b
SHA512 996cb791d938e32a47748a3dde6b50314f740d5795cf7a181a2ca0c2bad55169607b39336c6a520d5494812d0d14e96dd7ca1c5ac14de27cd4ba6f28267ed552

C:\Users\Admin\AppData\Local\Temp\wQsY.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\sYkw.exe

MD5 26a75b4471f106a14bdaa1987c9fb215
SHA1 78192888353017b4407e5ad929c60f1f0746669d
SHA256 3d6448c77f055d6080b171ac21568232a360dd876ffcc292a5924cc70b0c49de
SHA512 8ed59876b8f9840d56fc6591e8138ff425da88a2ce1ba94f94e59120195073f4067e7b1689593d06ba4cfd2882ebe7352ba6f7ffc5650a26cabda6f25b003e60

C:\Users\Admin\AppData\Local\Temp\ycIO.exe

MD5 52135d15055ffb108f348cd6a655ebb9
SHA1 b4bf8343b592f4aec57b8860c0b5146a1880c1d2
SHA256 f60cb38b6fecb5f3b5cbb740abf44b6ec41564b889a3d129847f2e50e673d4cd
SHA512 5660a721cdead0c11802dd61b42f74d1b36ab602a64c28691861d8078d1088d52ac7895aa9988ba56c70070603a0e2f043cfb42ea8dcfacb24232a05ac81eaff

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 4924ca1627f53acf84d5ef7eb76551f9
SHA1 b8654e10b7fce63a579066e59b2b6c890c0f321d
SHA256 2020cd8f1e840e2583168d254a857d6f0f3e6b15d48981a091d5d08c9013ac4e
SHA512 bd4886f3446352b55eaf6c3addb3c8164e01157487286c24295d88119fc4d086eab2363bbd194cc8b72a1365650d447dc33071602ee971a4241c667547a307ec

C:\Users\Admin\AppData\Local\Temp\oAMw.exe

MD5 a7d75b20ed442ec8461f71a9870aee58
SHA1 83d76f8289447fadca796a24ae85324c6536773e
SHA256 41e3495677eee78902201b617a924fa9cf242c7e725dad266e29a5166eac87c8
SHA512 5eaf880106616625636729c4304253700af63ab3840d7bb0ae05c806efcd136dc79fcee41f6ae662326ae774faa4d9576bafc9c8f8de13af83c29df97969a585

C:\Users\Admin\AppData\Local\Temp\CwgU.exe

MD5 c3672aea2069545b332e09f28f3f5c5a
SHA1 146037d20d78141e9669995b9a0a50cd1112a4cd
SHA256 2f8e14efae6b92b85c3d67764ae6ee8f07ee9fb8f4993b7f4d9086efdec3f475
SHA512 732f04b22f2812a3a8fb66b0558890832e542a180aec4f6e66b2fdfc82a91c3bdb9afa28dce00cbb1279c2b94f49e58423d6c7bff61e5123268456fdb6320345

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 28c450a88add7b4c8d1e6027c352f199
SHA1 eeede4dab105da6f3697a84f94ffe1dfba823f69
SHA256 b8aa87835a8094b6942e809d0754e30d5beaa427ec9d4673a5e629782006b9c3
SHA512 8356578af449ee99dc510e6d684a94c1da4b4e5a55451f949c56ca57f4e5a69b1553136f5e602bc79f6e3cefb5ccdfaf555814f03c537bd6afd9c0d60a623b5b

C:\Users\Admin\AppData\Local\Temp\kAUS.exe

MD5 c1117a22c55ab05cb5764bdd8419739f
SHA1 5ee0ce2d600687036a9910df22ce25dff839a722
SHA256 de9b998368855a358b841aea76769972b5ac2d9d8df7580618a3d28392925702
SHA512 ff07def4df3d711767570d2dffea6a7cd3f6ce8cb84ec9d399cb096745fa6400a91dc07c4d3dd006fe0fce3295ccd12e27266a1ec019bbccf3f4ddc6f7b95f67

C:\Users\Admin\AppData\Local\Temp\ysYM.exe

MD5 3f71c674f1b8673f4fe6768e9ce30b1d
SHA1 54d0147671de0cc7c46d1f1ffcb9b58de0a0d160
SHA256 2711e4d4a57aeae7f3b4b718930ee2eae8be501e700d034958ba7667db2eb785
SHA512 4e426c0bb01978ef3366fafcfd1cfee2765b2d7a2617403d0fce9aa3ea4ef36981e2da57bf00899009fc5ed0589899d550b0281dd2db7b013055a2e2a48624f4

C:\Users\Admin\AppData\Local\Temp\IIgo.exe

MD5 b185724b78263db8231db9fbace2b881
SHA1 2c31e6c78582885ed3333f240a758789aae729c8
SHA256 39809378b4cb3794d33bf8e91789c0a864237c04eb07601ae12a53053189f40f
SHA512 9843b4b3b480be91b57ff23048c682d18888876dcca46aaa33dba7db79a42befcc12db8d63973ec3f048df289566e3a4d8a948c7e8a7cb1eb54c97a147afcdab

C:\Users\Admin\AppData\Local\Temp\QQcI.exe

MD5 8f7d8272b29ddf03b3473ffc21ea68fb
SHA1 d6aa7c80e8b39fb29b28cb705fbac5b6231cfd42
SHA256 1ff53a23274dc53b91d4213a25d03862920082c0fc578418958798b09714ea6e
SHA512 f116f00350fb97f9d3e54d2ff6a4e51a569f761b2c582e554691a01574f5847be8326763e5b7cbe0e63a054ac4a3f480f5db8400abbd87715f1958d42856bab7

C:\Users\Admin\AppData\Local\Temp\kIYQ.exe

MD5 85a5de47def7de1fca01bab83e5c7221
SHA1 81d8ef0ecec826cdc715bcef5402218cab24ae57
SHA256 19204b128e30b263c0c558968be467b5f6271ddd64d5a72fc566e104cd41b8b8
SHA512 4ef26dfcef83ee5cf4260dc13ecdfbc6931713b381553f6f1e1643a97ae38bf9799d81b4b82d8fe12f25647794656933b7656f1c9faf3ce0589d8c3b150d4078