Malware Analysis Report

2025-01-22 08:14

Sample ID 241026-e25bysxlgn
Target e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
SHA256 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

Threat Level: Known bad

The file e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (65) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:27

Reported

2024-10-26 04:29

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (65) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\nGkEQsEk\okcIAUIM.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\BUQkgUgA\VaEAQQEc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\okcIAUIM.exe = "C:\\Users\\Admin\\nGkEQsEk\\okcIAUIM.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiEYskco.exe = "C:\\ProgramData\\zsIQAEUk\\wiEYskco.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiEYskco.exe = "C:\\ProgramData\\zsIQAEUk\\wiEYskco.exe" C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\okcIAUIM.exe = "C:\\Users\\Admin\\nGkEQsEk\\okcIAUIM.exe" C:\Users\Admin\nGkEQsEk\okcIAUIM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiEYskco.exe = "C:\\ProgramData\\zsIQAEUk\\wiEYskco.exe" C:\ProgramData\BUQkgUgA\VaEAQQEc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\qosUMoMY.exe = "C:\\Users\\Admin\\eAMMcEkw\\qosUMoMY.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mYkwIYks.exe = "C:\\ProgramData\\qmEossog\\mYkwIYks.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\nGkEQsEk C:\ProgramData\BUQkgUgA\VaEAQQEc.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\nGkEQsEk\okcIAUIM C:\ProgramData\BUQkgUgA\VaEAQQEc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\nGkEQsEk\okcIAUIM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A
N/A N/A C:\ProgramData\zsIQAEUk\wiEYskco.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\nGkEQsEk\okcIAUIM.exe
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\nGkEQsEk\okcIAUIM.exe
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\nGkEQsEk\okcIAUIM.exe
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\nGkEQsEk\okcIAUIM.exe
PID 2324 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\zsIQAEUk\wiEYskco.exe
PID 2324 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\zsIQAEUk\wiEYskco.exe
PID 2324 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\zsIQAEUk\wiEYskco.exe
PID 2324 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\zsIQAEUk\wiEYskco.exe
PID 2324 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2684 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2684 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2684 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2324 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2576 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2576 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2576 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2564 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2864 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2864 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2864 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2636 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2852 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2852 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2852 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

C:\Users\Admin\nGkEQsEk\okcIAUIM.exe

"C:\Users\Admin\nGkEQsEk\okcIAUIM.exe"

C:\ProgramData\zsIQAEUk\wiEYskco.exe

"C:\ProgramData\zsIQAEUk\wiEYskco.exe"

C:\ProgramData\BUQkgUgA\VaEAQQEc.exe

C:\ProgramData\BUQkgUgA\VaEAQQEc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fscMUoks.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAgooAEI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eukssEEo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykIEYAkc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcQEMYsU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgwAEkkE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmowYMEw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tiwQgEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zWIUMAgk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NakEscAg.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYcoIYoA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqMoccwk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EiwQYQAI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyskwAcc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIQcgkkI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWsEEssM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIAoYgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiAUUAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUAAsIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgMEAogY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUAYUgkw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWMoUIso.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOUwQAog.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIYccgMI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoYokIEM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMQAkAsE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIUIoMIk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AiQgswEI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1313905677-12768056271772980359-2001290672-124202400-6233767331657948616-713453559"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWIcYQkE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sCEIowYk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAAYEgsM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "31465589117415862621029038478-1471448371-750419234428771514-904288292-951704418"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PowIcoUU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1652698441647730867-736842398-3508498252129815538372810981-10412518962014475863"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1629699826-13779735881546759988-11861249932062513-12530880211616749474-2072563053"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bckEggQU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUUIgAYI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "762449382-1180126176-1596977012-20579428391745557503-1950899488-1141379501813263960"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmYYUsgo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15428120-691238151-1377964172-251985812-672533427-855250561-1097056549814652642"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9562725590244812711502409631376370950421445581978699719164115291-2067248574"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGUgocMc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-988394847960450762-17035608271611319494-825412037396531932-1065431165-30371291"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyIEwMsA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\eAMMcEkw\qosUMoMY.exe

"C:\Users\Admin\eAMMcEkw\qosUMoMY.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 120

C:\ProgramData\qmEossog\mYkwIYks.exe

"C:\ProgramData\qmEossog\mYkwIYks.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 92

C:\ProgramData\MoEEoEgQ\QkskQAgo.exe

C:\ProgramData\MoEEoEgQ\QkskQAgo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 88

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "424525557-498020338314743340-13365532591992279299-563760453-1567025681-1604716023"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGsgAIgY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOokIMoU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ResEsIYI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgcEgUYo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-946062562702649003-594867596-12024704469118471799756310191243096147384415187"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYEkkwYI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSwcYYAE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-529543015-1692718661-176605549-1733117157-532168713507755632-1527688229-1509295095"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOsEkccw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKkAQEIE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1199241793331802527-20622030042144289341581519547-958676431-1428211319-419227771"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1576789523-17770084886497394231441605362-387666089-214687579770710021-1004004997"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOEYMMsk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14624064635630273341146093011140255589-3328289251832442027-10245657631015732969"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10043201161494429830555306325-1566052460-68140287916114077934641623091064520776"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGsUUsIU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCQAEAwU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-277302308-566514244-1060199792950730661-650975829-38348754018241860671342720658"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19283243491378452912-486698798-26437813815364328971799182631285951091-1846385567"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WiEkMgcU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1677550839190616428414160320951259068588-1516605018-1553295160984844057-1095488333"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEEIEwww.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "809405489302107792-13545637961105030299-1366242640-1076590001682366336662621521"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqosYkEM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20186989401707757233-1242741206-193290159-1386530904-854432464-12240656081415360098"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QowgYAYc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12731860-884648799-1985379813-1066069496-1332254113-1261570064138932530-153792975"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "174680345387836384-453893526-62805369-186138411-714458053822274772-672551014"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "210583894-31572520610452740605971776851703153140-1686960351-1188774092-201055029"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeAQgUYs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13971170781851923697-2142708991-1553978786-866329417-1553746623716691004255996581"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEoYEoMw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1873332126-5181925233858499256984042701032380245-1816234339460015533705041171"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-796990878-1526108394-157770407313331294569195255543763449-1003710314-1479369588"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwIwkYMA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "122400281-79695526146482658214858081531011157675-632842278316409347-569609855"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcUAAQwo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "64395513841972536-148561241814281816131614519704-1816252343-1070514171204210714"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIkIsIoI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kecQIosY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6915560379762025286899933361007607936-17047498721205557489-15086568022107058802"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "174975282091582196-164564553217468455114909005319040017372132865640-759801526"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcQwoMgk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKYIoMMM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1815968112-632980237-1159683157-1097879476-1673095910-1379855947-253910570621138247"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyYEIkQk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "242616090939169327-16115113601848574-7782694461554018930-1773449996-1052044622"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cigEgMcc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "856329096-466079912-984227479-8499563229336964363952127631869996601-906248212"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp

Files

memory/2324-0-0x0000000000401000-0x0000000000492000-memory.dmp

\Users\Admin\nGkEQsEk\okcIAUIM.exe

MD5 9f60644bbb7edf5dc620fc0502d9929c
SHA1 7fd0d0e173da6b28ccd5e322760c52b9334d3c58
SHA256 232a54504f0fc82bd3a5ab8d0ac64052b1af2c2b1193334bec04c8e84dbab9cc
SHA512 eaa9081989010f921eac95bd26f63084682262e91842c3611f6558c65f7278318c34d87834595edb3dce5a2c1a9081ca81e46d9632d9e8a4dbc1a3d8eeaaa6d2

memory/2480-12-0x0000000000400000-0x0000000000470000-memory.dmp

\ProgramData\zsIQAEUk\wiEYskco.exe

MD5 d86f17f8effd541bb2e6268ca18eea47
SHA1 c40ccb4485f1e4dda63f43730e3e9e1a5ab696a3
SHA256 1020161d8cc2979584ef2a0e9b47786f81a9a1685306f3e35790e647eceedd4e
SHA512 1a5ad9e5571f9e49941a83db145e2f1afc819b34c005052e97f7924d3b82e5b69bfd8a8dd039cba5e042f033969e42bfdd837bd6deac73254ca3c9b399265048

C:\ProgramData\BUQkgUgA\VaEAQQEc.exe

MD5 f8e4a93b637bf43f530cc5933f534ffa
SHA1 cbf0731b33d88a9407d9b48e09029c7abaa5395f
SHA256 340c6710be30a815518589b108024bc4eeacad314bdb3d8c905e540927d79bc8
SHA512 1c1c08b9f02c842197b605ca73476a130b5d2cc00817b35f5b872a17328b45e3131655df77293890550f63b756eb19db05e79c8c1ce82efe157d283b654ce908

C:\Users\Admin\AppData\Local\Temp\ZwYsUIUo.bat

MD5 fd97295ac4735a95bc0c3f1b7365880b
SHA1 1ab90b3d57d399fbbcc04c5bb9c6f42a946795d0
SHA256 d4ab6a13fb0682fcb7ddeea01f954a9d72426b7590b416d6cb86828bfa7dfc56
SHA512 3f1ec9d66b7402bc6748ae6b8b680752525e09ab49526e70a7e9b9289259de581bfd30d51f1ae17e6f788b6d7c4d1b26d03509fb6732c7a6e341f4cea062ce23

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

MD5 1e6d0ca35226b00f598be4385fddcb75
SHA1 5cdbfdf472ec849d4f249744f5ca0ca7bfeea387
SHA256 6c427ec1b5a6cde3448276a551871e1c6a0029e92216ed988b26d20717513c21
SHA512 2a257b75b1c87f6942f8287ec33e287c070ac593a1ce065d5c137f8016fe3857b1fff2e72636ad274599e0b015ec87f2f4a13234fae1c56ca52b73bb59963ad6

C:\Users\Admin\AppData\Local\Temp\zwowswcQ.bat

MD5 fefb242db19e6aeb860c1c30528b94a5
SHA1 547989d400624d9d0fed60ecfe5c65702e29c381
SHA256 d5887216af36258dbb92b96dabdb3b2d05ecdad3ed56de128711186132478165
SHA512 d3e32fee1ae6c5d648a242babf471784eb499946d8188bd66f78dca855c484774805488cf21ef91ec6f5798c77fd2b4445dbdeb8997a1d3772e442095043e430

C:\Users\Admin\AppData\Local\Temp\fscMUoks.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\JiYoMoQg.bat

MD5 38dab1230ec1f08a0cf16685411abc73
SHA1 965e44bf2d6c9ad913f48c9d9d83cf47a7b0bd7e
SHA256 1643430b1e9d743509a7b53015a2cc6162c3580ba1257e139065048a97e66961
SHA512 50e80c663f95f2ad2ac8f01f21e1c719a655128f29e490bae306c72fa3e6cba9ca91eb44cc27e1aec76894bcc1ba276b429b32d1a75697c0c1f00d7993e1ece6

C:\Users\Admin\AppData\Local\Temp\sCwQYwsM.bat

MD5 9ccdc2a6a3a86274f4681c9cd5fbdf95
SHA1 46088482e8bcbfc51db288b8b08d5ea919c68c25
SHA256 80f115d5352df60ea1bfa8da445c0968460ba3037e05e623a7fe453a49641318
SHA512 1f0164f49951f771dde135fb8d14099e1772e657486cf8f75e700cf59b0fd7f6a75ac8d998b7640d1bd40e44af5e16c91368fe444b8e358337f0251bd4a1d668

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Ykowksoo.bat

MD5 2b9afd906c99a430e0bfdad3335a1a90
SHA1 3e10467b33a42e03e87784e85e6ed9df7af4f165
SHA256 2103b37bab9926ec20d55e07e13221ab508f500a45f41866695b74d21dfa010e
SHA512 6a062ab5c734c2153e2c531ebcb482f9969780d7dda82cc05fe496a21e80166bd973a4d015ea499cf4965f0b2c3f1410e499de8e1d2352c7bc45f8866acb6255

C:\Users\Admin\AppData\Local\Temp\mqUwcYwI.bat

MD5 b5a96c5d0f0fa0356227091a3a9c513c
SHA1 54c37bec8df8a8c2b1ebda198f60044caaba3a2d
SHA256 3162ae047a883dad8a86c8b69b8f02096d07fc5a1a0ff625ae20bf0d960cb792
SHA512 0b9aacf1c892de83355f819c3f2ec7af84cda9c63920db10cf20d3a274dfcaf3011c6af06046f3237f2993ad87796be53c13eefa9aff7f8cd7da7fd2e94867b8

C:\Users\Admin\AppData\Local\Temp\umgEIEos.bat

MD5 73d49149c2decd288feb9b8975714b82
SHA1 554ec7f0c7c0379eca5cdf56f31c6fbc248576a5
SHA256 4cc82c53863877f7f5190538a1b4df70b6718c982b7ad77737d5d2fac6f3509a
SHA512 472c99b5712b3187e1cfa98899930cd76584caf69002404fcb58cd1efa0475dfcafd9c5a9aa594c6ba3c392b8f8085b31ee8a47921dae18848bc371f76c060e5

C:\Users\Admin\AppData\Local\Temp\fGwgEIAg.bat

MD5 e665648e3b7be24f7cb60b157f2db76b
SHA1 0f6f1c6e7733b196f07824269faf7742691fa549
SHA256 1b4a32f45121c8084aff2f4e0edbf9b52d6df4587f5a028161df49ff8c77720b
SHA512 4d54fad04d16014b502b7e886c1a1e0b5861ecbeff7685ad1e9b0dceb5185a8b7120df59832ca1730bbd03d168d37ee481ff7a61f6a8b8f9b80f0ec0b4590a5e

C:\Users\Admin\AppData\Local\Temp\xiwAgMQc.bat

MD5 82d5f90dcccc7ace45f980113b5ebc29
SHA1 19fb636746be89c0a5c2dc50d4588b928cd06019
SHA256 6a6492ecb699c72109c9fd6e2a1b05a14655a5e962e0c18e2f710fac11f13707
SHA512 c9daf45fcc823e6cdb327164c8323ebf3ead3696f6fba7e2fe74b204db0863a83c0765cc81b210529570bf015c31f82bde2f64e03c881370d39b72e16a2e8984

C:\Users\Admin\AppData\Local\Temp\xCkgwokk.bat

MD5 30e254bb19cb391379ef989d77f8aa64
SHA1 86b4a1e81fe620bcb7965eddc547d682d2f44382
SHA256 66c6a29b365967c07076b258766b13453d1091c226e79966e5a4018611912ae9
SHA512 e387abc5c2c9694976c6f276dafc6247eb22478107af53cb0dc5c704be0d2490b40a8014c4d87b0b964060ffdc22836079ebfbcb570ec2a7a59ce7cb2ebc15f7

C:\Users\Admin\AppData\Local\Temp\xCYAwwsY.bat

MD5 66b29b0be5ea7b0f6c52a3532fb09f04
SHA1 a780d2e4e06a0b1935d4139d4bc63a60322104b6
SHA256 275b4e3816a36e28ef3ca219871f13f75fe9a185efe2233d82ec27858c903f3e
SHA512 17213d48b2eb3fbdbfb3c9a35ca6d54abdb4eac4962fee6c637ac9f8553a97d98ce775d8fd8a28531f35d28f22fb936447cb12f9fc23b724697b350049e99045

C:\Users\Admin\AppData\Local\Temp\fSswkYsE.bat

MD5 a7883683e72ce9c6a2ac09b8f2e3f77e
SHA1 40112ae3865240b45e86e00db4e272903a9b09be
SHA256 e8d8b281057721c09d304d4d6e82b1cdde2de05e47426db52811dda32c6d909f
SHA512 683fb18a0dfc1a7208abbaa992c60433090e1de4e0807e710d8f378a144abb4339510ebe81a1ec525a1433295128da5750a4c7c64ec88c8d30d262556199f65a

memory/2324-264-0x0000000000401000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sgUUYMEM.bat

MD5 903bac993d776e078d4e977094bf009d
SHA1 613814d6cdad826fe24fe2f934bbb058aae4d734
SHA256 46c656dc0f115b8fc130d538c66f0de8cb5a7085de187b8d98d641f335ea65a7
SHA512 e2720f2b48d9121f26750690c814ad5de25f88eff03410648a1bbb40620c44e3b14a88f05801e02777c57423e01735507b3393ef84673f4fa8f29d710eafb777

C:\Users\Admin\AppData\Local\Temp\SOsUwgUk.bat

MD5 22916b2895172ec77a683f566181b125
SHA1 97d90b69c6569ce14ccee358e2ae07c869cb965f
SHA256 bfd06ce0636cf7887ad4c859acbc732f92cb3d0f4797c578e733105e35c19ecb
SHA512 9508133f139d2f60c1bf26cd952c7d9c5d7f8dd2f9cf24a9a39a456ac5387b7855d773b718824c4bd3a2bd9a345c68c917973b7d9d5ad1f27d6fc7f5533b85f3

C:\Users\Admin\AppData\Local\Temp\gScIYAkE.bat

MD5 e889320893baa44030517663678cc8d6
SHA1 d306805ed0b60e2312f88e3c433cecd3a0b9d2d4
SHA256 bbcb1c8d090821ca0c247eda7f3186fe4f5b3f9873de79c09efe80002745ff44
SHA512 0f3ec61b76c8e6287fb32669c0567e75c1c14a36f13dfe875d46a1ada5582cc16fdb2bbda9f48b8c3ad3b1255028bcc366304bf922788153d4cd1bd61245fb31

C:\Users\Admin\AppData\Local\Temp\zKIgEQsU.bat

MD5 c739f837a7dd7451a50d018b37e96fff
SHA1 8238a99808181b00c634f4280c906ce84c155441
SHA256 07bf05025b9760be43d1eaed65d051a19e1d6574dcc9bde78301e5f9ced9b254
SHA512 696b5aa1b590dd0bddbcf7cf894ec48928f7c8446a363d6c8c9070f97c09a8cedfcf3b13742e1c34ad4e2997a2a5229acb1f4a028a8fe5b62144fdae535656df

C:\Users\Admin\AppData\Local\Temp\BWkcIogc.bat

MD5 3df125c212c9dcd53c3c9cf455bf2b51
SHA1 3f355d16125bb8a84437cd6804ff42dd1e4f2c1b
SHA256 5bdedd9e933810eda52bff727a9c2cc8da6190051886ddcd69e7669dee64ee04
SHA512 d4f51929cd6dbe474f7fffebf57d72243829cee77e4a0d7cae092745b0b7470875cb09e43f443e4138cfc63c99052185936c7a1eb75985dbfe783d0b27a85dbf

C:\Users\Admin\AppData\Local\Temp\PYMkMYEo.bat

MD5 5d9339af5f2867167357dbbb4786a974
SHA1 b97668599b24b199151c18a82f83e15ba88969da
SHA256 054d3ba2f307099665d2a749b9018e15eb897c00a27d80b43e7eb9f00d9b170b
SHA512 23e31d885fe9b7989337a18e45a65dfd3fd5e88c67f25e4d746fcc7238be1fbc0af936a8a2f828f083000e16c3a515c93780fd4a331c8060fc823008a343c7b2

C:\Users\Admin\AppData\Local\Temp\VMkkwwQQ.bat

MD5 8270f8965e447ac399f6eacde47c1d66
SHA1 03c8f9d9f565cb14394903bbdd6b450bf74838fc
SHA256 b7096eb67bb6249e042428c9bc2013e738ca7a51e8c6503c8da604455512866a
SHA512 83746f27bd42bbc47cabc0cc01ad47efc20b535ea0853f542a36cd3bdc30948e85da7339982ee3ddc5dacf05d94f219860502e11d561fdd8a2e0570c5a4f3663

C:\Users\Admin\AppData\Local\Temp\qacAAkYA.bat

MD5 fc9b7be5ade462fc06183d8a9c944f2b
SHA1 065dc446f7c0803708338293da4ae0889b368b8a
SHA256 d0b68a9b279eba3639db915ddac0c13d706631f438da23211f4884b50f8ad966
SHA512 7cfca517da658c287eef3c54e15f35e1af6a34e7d8d444d105fd8014311bc6380158bf9058ed3850c6997099995993c7be28a2a76b98d0fe2dbcf9fe378bcefe

C:\Users\Admin\AppData\Local\Temp\oosgokwo.bat

MD5 5c559626739d5133d96bc7e7fe81f32b
SHA1 0eab5b458ed71880539ddbd1573dbb1971b23e29
SHA256 4cd4e8307805877af2cfbf40e3061ff42a6b307379525df2f7490b6bf7c7dade
SHA512 fd0d607fb3c86c7191fd5fad9513a8087074ea0112aaa11044d2f30f093c8164470893b1d885f76f443f80bfc54b67836831a3e3db24a75d1318843ed43e6fa2

C:\Users\Admin\AppData\Local\Temp\sKQQwMgU.bat

MD5 b6ea488386ba590f7173f610430a22b7
SHA1 d1ab12fc57af5e7c9d78781b797ed482cadf5504
SHA256 d72c932ab14fd862b180cc95e02719be21043050e2f07bb97427c4339709b0a4
SHA512 21125e634a5536c64402cc3bc7313996aea9a6fafaaccec146f478cda721d9c1502f90c481797503a284c3afa2aa21de35363826815c6c0ccac9cffeba601d8c

C:\Users\Admin\AppData\Local\Temp\MwsMoUUQ.bat

MD5 7bca97e6bbbf96205357ac640b35dbe6
SHA1 b0ad8352854aa2bbf93afc1352aab6c817581062
SHA256 327345261e4a057bd89bea862105df0b62788549e15ef7fbb0712776d9a78608
SHA512 9f9ea85ee6ef7fe7f8c5cf70d338dae42bafe9ff7ea97bfae380bacde0a6cb9980e1a2b7c108a7f5d61350a8cc420d77c6abdbefc74b2c801d0d400a2975b341

C:\Users\Admin\AppData\Local\Temp\wAkq.exe

MD5 ca463d761892a7c5f5dac7b9a4e1401e
SHA1 fcea368cc03d0e52607c8d9fe85393a5dcdf0e46
SHA256 5cd9434ad967b30be8dcb2bff4e060cd16d0e856db457bc938b8401485f9c859
SHA512 6e3400a61b45d409e40bb6fd16c44bbc00445a676b7196d9c8e5fdfd489deedd31685ff21c5754190a04d7de6fca5bdc6d10f8d30cff0869e3902bc71063d475

C:\Users\Admin\AppData\Local\Temp\Oooc.exe

MD5 ba0846ed14ec4b3b8dc1e0d3816ed829
SHA1 b50c7a8aa5965aa2f9f47471c8eaf9cb13f9ae1c
SHA256 f68c91c384188df364eccc6fd5e2c3e479cdb54bc5f737f4eb090748c6a32ee5
SHA512 f331990beddf77a3c56fff1501cf89d4b0c6bd5430a92c895eb5f551d9ba78f6e4108da3dce50b46a9910798c63d0e52961f31ad3007d6b500f4d33b64919cef

C:\Users\Admin\AppData\Local\Temp\XOQwccgI.bat

MD5 f9cc321187b02f5fa64ce45c2e93a03f
SHA1 e32091fe1b194ecc0c35496196ec7da8a349f1a0
SHA256 c7991981829fc7fa82f526b4f3530c4c8fa5c528e03d9ceade0b0d2567859508
SHA512 7b60621878c455b9ed0030bc9ecff08cc23b5193fc6f7ac7d3332f466fadcf13afdf298380f0bb97a501c165ea82a537d0725c384bd45b9777441dd152cf893c

C:\Users\Admin\AppData\Local\Temp\CMEo.exe

MD5 861c8e6070f5f3dab786a51916dee540
SHA1 388c2f88b8ca2e2a604179e3435049d37580ae2b
SHA256 69652e28052a419228cc36f88ee72f089e5e9596606fc865c68c20d4a86d8586
SHA512 a070db000012180dfae0e8a4e039f80cae1057574f8e173909bdad0953c246ab56419cff7ff4e1c684de5e4a4f58abe6ddd88f002fe499bcfcd23a01096bea69

C:\Users\Admin\AppData\Local\Temp\WsQQ.exe

MD5 9844a1fbe6df6a400b0b66bd5f09483c
SHA1 2367c64e4e22e57634d1ae8c2dfba3d76fe77025
SHA256 a994e48505b298388ea3d3bda2c8306f0c8246d30588eb28ca27557a0c04ffc8
SHA512 24497cc5ee0caf33facc83e142331d08c6367f5848d90dcdbcc6836409dfd2d0e1279e384745a6370d94033f2f3273c523b716bb440e18b001b485f0bc7f9af3

C:\Users\Admin\AppData\Local\Temp\Aawo.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\ucAK.exe

MD5 5a682f4172447287b7bf6e167e5002c7
SHA1 669f362ae0acf8714c9aa9d7889d59be6d93376a
SHA256 8ba985382ce6e35dea165a8e7bd3e71fcefb726f080dfe300ccfb7eb56473faf
SHA512 eb34cd217c52e9b1b75896f08c7f18ff699938544a976e47ec5c9a5c9a50aac7112184d896fc9fb0f5b1ab5d1d16fde5d1b7bef2a9e0ddc64c3115b462d17cd5

C:\Users\Admin\AppData\Local\Temp\MgEe.exe

MD5 18c44b55eaa79b1959952987bb331f9b
SHA1 87493af4c70195bb0c313d93897aac01eb685a9d
SHA256 589966a2d4d295ceeaab45b3d7e49741d555336aa4891a4a09287d738f6d8464
SHA512 25883e2c4ba8752b88ec019383e6d1377ad38c08d082d606fa220aba0fa987c303de58ef1f3116211cf32e1a44b0e5fe9d6b883691fd070aa04bcb4830f2cedc

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 fde5e637c69f80704143cd95cb2e4be9
SHA1 b32467d48c61b5bb416d52c2d9b8ca6f433a42fe
SHA256 04ca4c18f4f497fc74662813d993ad72a2e4928e6018c4721d7077744db090e2
SHA512 300601da7f70de26f1ca39bd99fe554cbe31a870d2cd152412b4c33bdd7278cc113675c732d7c77faaef36e8102c5778e655ded4eea794e6327f437ad1baa195

C:\Users\Admin\AppData\Local\Temp\IEUg.exe

MD5 09e0aeb1e3ef9243b22d8a3011df493a
SHA1 e11a19a5416d573e38cfde684c53849dffccad3a
SHA256 67b8da66568b83647b52783d8833442544b2dfe93537dd2fd1590526f3abcfff
SHA512 71e9e6e3c9bc2933c6d7cf43829be47225ad11b0fe1276cc019b2429c2f6e26536f38ca77741cfbd47840c8de1d027202b9684e1d01229675266abfa82614bec

C:\Users\Admin\AppData\Local\Temp\ZYQooQcQ.bat

MD5 0045a6bb189f48da5498ab34df76c721
SHA1 ee7a8d6e81f12496c2ce6595bb426fcad2bdf866
SHA256 15a0167e9c12528e5a797ab0c956328633f297b3d896998165d65f101dbed6fc
SHA512 7eeaebbab1df19d20cfdc0b4eb368bd9142cfd975aa17f474851f424f31886071aaa87001cf57aaeae1ddd0a31503d3883d1d124aa145a2e66669d6596ad848b

C:\Users\Admin\AppData\Local\Temp\akko.exe

MD5 5df98df8a43ea3a6b9eb264513cedaa4
SHA1 ba25029e75260c62eed87f751a252e29053bf9e1
SHA256 3ffc33107bc44bf330a798f5ab45a12c9e5c2b990ab97dda09b3367e339f872f
SHA512 b8617db13a19d51f58d637d97218f9f0da710ca3fc4666f4783689de551a33cea9f76803218b78b7374a129ce7cba034b429d5477df80786f6c7226a23d3ff57

C:\Users\Admin\AppData\Local\Temp\qQUI.exe

MD5 6b61873a4a7723ccc73522109d61fca5
SHA1 489fd64fdad473ac9ed6b60cc691fc9a8554ed25
SHA256 82135ee8da7e7480fbe7b4566392b2579e40dceb3f5aa5153debad4129adb018
SHA512 f6004963cedd09da2608e708da8d482232c3150e4eb314b57c98ce568481d0711e49a4581ffa9eadc9df8d363903bdb7c1332b2fd8e68dfbef89b4ab3b37a846

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 752402631440f7660e32b618ebb959d9
SHA1 70307a001c7eea8e130e4ecd989fca7556e948c0
SHA256 64a096698203f153fb80a9856ed88ebe673b5b00fd40ac4ed83145bc9f9d7eb4
SHA512 039f4b5fac49ab04b72593fe03391d64fa91a43fd2d262b229e2fb90e7751c7b562494c1a023d155d169d2b97f6947f3cbf02955be7abef4ef4c09a67cddaee4

C:\Users\Admin\AppData\Local\Temp\KwcK.exe

MD5 298a79f85b575a30c210ef2516ad8195
SHA1 5b2b091f69a0b96b729252125e3c4b30372566e4
SHA256 63fa8e88e967786e59f24a126a1ded3763293c6aecdb9fb875fc817dc94346aa
SHA512 2b4b3878fec91c997f202c041ca1e77e82f85724516f19559b571b61fce33dc4d7b8ce9d92fdb9a4151d6496fbb44f23537a53a789f34a09b4f33efe51a59b1e

C:\Users\Admin\AppData\Local\Temp\EwQQ.exe

MD5 44456dddefd9b26c3f1eaebdd90f4e17
SHA1 a088c16a6868c87374cdd273d8a979d2d7960f4e
SHA256 0944735ea912014bbd58f3e21a70b021e3987f6868bc1715148f02bee1aff74e
SHA512 6f6e42e4c3f45821afce836322b902977527db5f9a22d465a08b8726dcdf181097fbbd5cdcb2813bef7d21cde87078147a3bcace46192c9b4799a0416a1c2afa

C:\Users\Admin\AppData\Local\Temp\ROkUkkkw.bat

MD5 70ee1e88cb58c15fe8d1fcf9dd5aea84
SHA1 033f7ef99ed69a4ed837210e71e8cc79259320e7
SHA256 ad02a3dce0dea76913d5e4c696f0dd5912cbcede36addc05186561ba845b5376
SHA512 0fac0e29fcda8d4f799e1cb31fcc1a35af91eed94793f4047ffc6517bd6f558469dc6515ee2d331514995d39826abf00feeb3a657fc93e43c63d3f595e22b7c9

C:\Users\Admin\AppData\Local\Temp\owEi.exe

MD5 9829a0e1b3ef84e32388d90c330360c6
SHA1 a451f5030749c4f0a49d9d0302aae578638815d0
SHA256 43ac9b0b350ba9d87ed66132ee4a3f7d12d82617c4590160dbcafd7a8276839d
SHA512 9cde089a29dc488c9c219d24f790fc5b15b19b4e0743be6ca1374fe1efa73a2c8099c727572a7b4957ab51ef6515e66317d4f9f63a32f7a4b2cf337f42d77755

C:\Users\Admin\AppData\Local\Temp\oMQq.exe

MD5 9452278d8879a5952b3153ea839c3851
SHA1 97162d39246ae58bb90582dd9448644a44b37413
SHA256 f7963c920f80419e725f430aab127950b0aa448470cc751577eda289eaf62b37
SHA512 c2795b626f0ddf828d387a2cec22f4e234cd455675d1b0cf7fb6f36ad7b8265c7e97dda8c84d4e228ff5454b3a9df7bf9d3c67986cbe4228151dbc8432dd65de

C:\Users\Admin\AppData\Local\Temp\oEkK.exe

MD5 4eb319281ee2a68c6d3731b471cc3497
SHA1 287738d16e8953743e6916a17d695817d8dee643
SHA256 5b61f5a85818a4334785cf20810f51e8b285661f2d439fc82d04be5c6c3165bc
SHA512 358da5d9615931e650e86a8354bf14fabce08754555eadb9a54a054321b0347683c1dca7b33369c26c1447e487ebbafad887ef5cc1ce47b41098108fd30f82a9

C:\Users\Admin\AppData\Local\Temp\wwMM.exe

MD5 e7355dae27538d68dcf87bee28428ce9
SHA1 dc49959fb76abeece5a85deea242182d2f5367fc
SHA256 5865f65ddebe84d5ca333e1d59feb3978a49fb105d2c35ebdc0cfef7f2c4cb67
SHA512 5a8abc5e708276bd895c47232095a332f182a0b5028e66b59f2f3fde9ca3131c1e11180b3f055dacabc1e8d01ec6f94f9429acdba2d023fec754f0cb61f0a1de

C:\Users\Admin\AppData\Local\Temp\QcgY.exe

MD5 4dc9759c907c02d5945e76a03c2aed52
SHA1 f43e9fdcf7d707e03b85007843be945c9814bb5e
SHA256 ed183b9015a737255ce0c70b4a54033b28de5f383929edbf15a7148f5c942fa2
SHA512 2e52d0573a6250c587f103840f5d5ffd297c0c57d0a066403acba6e9457218752e83a576cf8ed950d80c5e0eae9c835ba08ff64c3bcaf3eced9836ee14945433

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 0f898104bbc8ba3950bc21884e9480db
SHA1 1e11a2ac326623174d6c7dec84de9c5aab1c5fae
SHA256 7065239c15ddf4ac36006fb1416ced390eb7d383d33f0424086cad15e43ee0da
SHA512 fff879d364e112db3fec672ed260137c5155f8eedfc498b6bd144cc106d47e7fdcd56766c88bb5eacd71bc56ecbeaf65b2995bc9b1fb876eeb480d15e7a1e648

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 8d8177a3e9d689d37955d45d1d669d29
SHA1 2fae76c650ac74e3f8683ed87c74208b2639ccdf
SHA256 88bc96ff82a0be825f3220ef101dc6c845812ac221caa6ec88841a28622277c4
SHA512 384fad3478a53930b963b906219103e2893c8dbe854b5c2596c8da7f5e5c8ca6de0db80db1888eb8d9b05e605dd0f13ad8373730373532e37b31a31fa3284ff5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 cc8e3f7b923d1b2ac0b12590ed7a5eb1
SHA1 241f545baa2fa1b198cc12eb7412d5827d76a509
SHA256 0c4c13aab901ddbd7cdb88954bc285222b244fb7844bbaf3cc67b589f4d0b49c
SHA512 06cb7295c6610d0243361cfba4aec1436ff376e9732bd1db06600562e212e5658b51db0ee1a69b0f4bd6d2186e2fb4db82b00e0b9d5b53336bb5ae237d9af63d

C:\Users\Admin\AppData\Local\Temp\jaEksokA.bat

MD5 93bd14325618e81142f176f2a0637b3e
SHA1 d96e7c49b6aa62f48ce631ac8e74b7060aba10af
SHA256 125de75a8a1aee1d733cdb3f5304ff9db089a0fc83970641b15277299337a9b4
SHA512 aba474611d6df7674437f92ac62ad47caf5779e91331eb3bd1ca32c2b98d160af261071fc7382d48cb1d1daaad7f3f1e8c8d30faf1cee6dbdf01cd8944731ca4

C:\Users\Admin\AppData\Local\Temp\KEYw.exe

MD5 69cf0d6494cf2e6dda289b6c8cae3dbc
SHA1 4308bc7947bfc5af0a743ec53faca42ede58298b
SHA256 bcaddb281d3ea755e5d502be4ded4e8c919f78fe94f463ef456fa1b8b73c50fa
SHA512 9375dcd7dd9137e2f1c6b04d383d143b4e2156656343af6a7c37cedc68287f98e20cc560acf2a9c68853ba372318997e5666a7b7e09c2da5fb9ef2b52d6c060e

C:\Users\Admin\AppData\Local\Temp\eAko.exe

MD5 624cd398ca4d8222351a57aa8820c326
SHA1 ca075e7b7fbe4527d96c52c462db8e02ad9c0467
SHA256 fa87b41a9e1cfb72c4807bf5020ac67dfe521e5d5d3f39671e4d0abfc643d73d
SHA512 3d0a0175ed98bc44f3b465964068a04eb8f048f7bc571a4d2eda4520cfea48ce9fc7194dfc191dd1486a061edc6c41aed734770b1f394c2f5998e942c0852091

C:\Users\Admin\AppData\Local\Temp\Ggom.exe

MD5 1b9b839ea12f18f4377512513392bfa8
SHA1 dfe4a4a82c4d46c73a5e5ac3eaec2325027cf411
SHA256 0595fdc3e560ef1e7ad6f301da325c58f5d0016fba0b3c90012c97fd549d7306
SHA512 4b05c4a20e7d3d968fbc256b5a65e8a6cef1f8ce9f3ef6f06317947751de1b7d89cdb5b245bd93d5e3ef5c416a764ff892bea6fcf77c2747b74967b9a9f19df4

C:\Users\Admin\AppData\Local\Temp\QwEg.exe

MD5 150f38e10588423e06ad69d931e07eb6
SHA1 3f376053edea830f6be8d0752371a493406202d2
SHA256 b0db023804a00e2a876b9b1c0ad4d4f9c5cf52b78c38fbf49f2c23620b3416c9
SHA512 3cd9557df64cc514523dcad4165f2bf37491ab3e035da44fad2529dfc8f138b7d7870c10c1a874befb999112b758b2fa91fae6da5451420e9e875b73ccedf859

C:\Users\Admin\AppData\Local\Temp\SkEq.exe

MD5 b2857e5562d7a336422474f5cabe6942
SHA1 a0b62d79af4e8a153f899c6f971f3c71b339e202
SHA256 e4e375526f10ec1ba99bd17d13932a9a7cc429c01112922acf41711d66baa83f
SHA512 b2617fecf8e08824e0b999c3d1fb9c0b73b8c76a55236130c2f1a7390590f59d898ebd2b40f880a341c12ab4fcfef406ad29bf6b5fb4214050716290b5780ab4

C:\Users\Admin\AppData\Local\Temp\SIMk.exe

MD5 12de9fa839cf8cf7552bba84839c86b9
SHA1 ee9d287a21611ec77b77fbc6547e8c72c7499c61
SHA256 26720f637ace838115e2f4c9da481b95e010757ca1972425e72fb663d2902517
SHA512 bb0da9054f4801f21833d4fa24ba198535b578f1fce629a2ce36b80bd3e9743dfa847c757a5e348ea483aebaa7dc86391ab234fe624c132def17b19bc47fef1f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 b630cfda044a60dba8b9e85cde121c50
SHA1 0cbf1d01411f08c2a3f7039e7c0f54bd4e19b0a5
SHA256 3170579bdd642df2d0b2b81dc1735b358295efe11a4756eeb942b59af900d5e7
SHA512 14dc40dec3b19b37a95dadc6c026b12e44bc67b46b38cfe861ba228decdc0bee45c4828dca356577165a184508b6709a146373ded713af7ba06aa4144a634889

C:\Users\Admin\AppData\Local\Temp\YMsc.exe

MD5 ad43ecb4319e77f239d784abef68a08d
SHA1 99b390a46d3c9e9446255467ef64ef539f206acb
SHA256 23a6626359a7d1b3c432678831c39097ff56a3f353c85549c33d28dc883bc865
SHA512 4c6318581ed187d2cf76116e144195a1715787aea62338b7eed670afcaded16ec99fc4b1598c5f2c3937b2172c84139f52ba707e061fc06c85e01ec5ecdbc7e2

C:\Users\Admin\AppData\Local\Temp\SQkEUsAw.bat

MD5 f8a18b4195db1dd870fc3aebc47fb8e6
SHA1 b247626100eefa4c46bd2a5405d41f18aded5fc7
SHA256 2e31d262503236864e83cd4a2d94c89936b49b7d472abff87b707e0fa664fbbc
SHA512 ed7dd237799631b4cc6c75711db6ea60611ff4bfe073d95ef7b925cde23ae92f6f8b713d641a0ad7c702fe2ea9c3f54c71f3f8286fa45a3e62db93736aca181e

C:\Users\Admin\AppData\Local\Temp\IAcW.exe

MD5 026c5924a6fd11a5117cd46b99c05d20
SHA1 6698fae14be4ac8a29ea0ab56f65c10d0a4cd0b2
SHA256 4e692cf99c8f76cdf20e007f7612bd7d3b4460f7cc27c49f5db1b883a91bc0b4
SHA512 3a501e4b64393a6d60813cea8c207512b3d992cc90f272fed07fcdc7b74791777520afa2d9327de70ed4745d5035094735cdb82ceab55809820a8fff24f86adf

C:\Users\Admin\AppData\Local\Temp\SwAU.exe

MD5 d020007ee9a529b00a4ac9f7acabd5d0
SHA1 8b980aed35c3cdd8af3656caad0f2e8d33355c31
SHA256 e07bab25cef4ddefb321cd3e6b076ef95c71ea69b7ba71a9eca46ce59fb45c77
SHA512 28eab3a15234c7bcb3c0e1338c218bab1b2fa3b25303d3462051b4d108a12353eb523bf49763964e105fa52f7115ed8f68b1fc672209a93a6932ff72d941e156

C:\Users\Admin\AppData\Local\Temp\Uwgu.exe

MD5 0288a70a213e07d3ac2e8b528a552aaf
SHA1 5bb858668f771bab949787cb53eb93fe75e47316
SHA256 661c6eb74acb173e9231d62b5c20f408f4db6ea767951386d81975b0d070abbc
SHA512 7954a09a389394bcdca7004808bb553a67f90f1b33b6f813832f2f01cb955135778627de23f102fb52a67a25ea5b63d3388db56c2bf3fe20db05db342aa510d1

C:\Users\Admin\AppData\Local\Temp\assI.exe

MD5 4c40eef901a8cc8b1cfb448ac0dd0998
SHA1 5698e142c21b1a9d6da0236f8d55cf96c8be2b70
SHA256 ed4875304ffbf67454bfe9bbfdfd8c81e9de33157353840bc6e00e6a51fba25b
SHA512 b45dd51fb8ca22a20b33e99daa06f4f9cee3a7c76e415ccebea5ce5b6b3af9c507c9420f08260db591a091f43dff7fb9c64e3f0f2ea456ff2df4595f03632971

C:\Users\Admin\AppData\Local\Temp\kMAE.exe

MD5 3340e310fc141d6abbfdbe2f46656eb1
SHA1 8f7b93f851f606c69b4502382e88e24cd773d55b
SHA256 4bb1b2f8737a15542f8f97ed42a465756926afd0837b2a50618a2cdc118d7453
SHA512 496d60bd3eb35bef8b46651dd5ea0e23110f66bf46387e9e8330f2c28940fc4547fdfea7934b5d4f25d589e9bb0cdc1d9bb6e3f23487c1f3f25744261aba9fc8

C:\Users\Admin\AppData\Local\Temp\ecss.exe

MD5 b98541ffc0696612f2138fadb135d292
SHA1 e661bdef7faeff7d7c01606b810583003f6a8494
SHA256 2940dd3778a968e742f1d23a0a5d644577811be31011ded89ae9b5693c0c9d63
SHA512 fc22adb4e542d4ecb537574a0269e1bb40e8e3374005cb7cb54a45661c0a3778ab513d88f48cb4ac11d799565013cd5d00a68e59f45abbab91d51d1504c929bd

C:\Users\Admin\AppData\Local\Temp\yIgI.exe

MD5 4c042a0a1f60575585837b25a519a181
SHA1 a3e4a8e3f339486680cb1b45b171da16cebe0693
SHA256 94d052624181ef15ddabb39d97adc40776e2c61fc6009c9bab59485a42f3c0d8
SHA512 2853e45fdb73f5eb5f74c3443153f5e32f3f6c0fdb4669be6620cbf62a4cf9ccacdf42b661c07ef5baecf827119e9e350b6ba581db08b7f6e56625d4b3e75cae

C:\Users\Admin\AppData\Local\Temp\igMw.exe

MD5 e6dc725dd9c742d31ffd318e94060c61
SHA1 799faa706e84ff47efc94dd9e496459c3b1f1cf3
SHA256 6e672f305d52a46033cc1710addf6c29ee85e76686639d46fb3124fbca479a3f
SHA512 ef607dd6db9c0ffd621b11dda02ca50f393af2638981de1be71fb278b82a3fde0653ff88890324a8ff54999cf434049b890d1ae61b60196ecf4ee987b209f3d7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 e628d585de85db30de7c7c61ed47468e
SHA1 3eae320e803fbc0f8467dbf02179ae078042b1c8
SHA256 31da3b68154c6ded92f0732f58cf6e5f5c37ac571113fb1748eb5aa8e2d4bf3e
SHA512 66e07cad5620bbb417910bf1644c55c845a6d2940ee95573bf6dbfadab79166bce8243d479fcd56361c0a02bc92010e28296102ffd3b53f5e2e056563586aee8

C:\Users\Admin\AppData\Local\Temp\AKgQkwwQ.bat

MD5 52c2f5f07ed7c49b50b0e16ad2b37f32
SHA1 ee754abbf8bb5c694c9f9acfe2858af37a45d0dc
SHA256 3fb55f168d1523fa0fb863381710ea244eae0717a8de0e59b8817d1b074542f5
SHA512 ee08460174270dbbf0137dc30e0cd6b44d1208e017ca2d1c1f99adaf5348f423f171057db4c11c8904fa06cd9916cb051698e83c9deac6350973ae35c40036e2

C:\Users\Admin\AppData\Local\Temp\QgAm.exe

MD5 f8c8fd77f0f89b2b2fdc8e9b65f90699
SHA1 769c4445e39ffc7f1beee6fdfb74aed9c8efb133
SHA256 ddc0f2467caabf7f10dbacda5239f0c9ba4f15bb2d14f55d7b123f9b19be1bc1
SHA512 5e26bc244df62940b4286c0cf1e2967a099e1f705f34e5457b08c5fcf279864bf4893e1eeae2b850b253d2f6895c826d864363fbf6e18feaabfebdf06b54c7d4

C:\Users\Admin\AppData\Local\Temp\CYgE.exe

MD5 cf3626536ca720315659b359d142bec7
SHA1 b1e2f8e5893cd568c911b2da87f22ae696fbba7f
SHA256 464fac764924725cc308f9d6525e96b76c3dc22eaea45e51b8cb33d0f43bbddd
SHA512 be0c7b3d9efc4e26da927c49ffec91dc0625edb292e89a3df420c2e8cabe85963341dea5f28aa7343354dbaf5676b0e90495ed693f83d6f7b613bf9dbf084f2b

C:\Users\Admin\AppData\Local\Temp\UggU.exe

MD5 13c8a2b9b7b4eee26b787a53ad602471
SHA1 869682a756d3abb022cf9bf6018ce6fe323e65db
SHA256 4c44532ce5ac97727c8a7f1dca656ad4218a7d63616ddb6307d1e4efc7364b5d
SHA512 20374565681fe30350e1aa5ef7c0eeff3b40ec7060391642834aa859217d594534607b6a74fd615cd37469f537841e7f07e9480d2c5b7f0378a16a0c6ea65c2f

C:\Users\Admin\AppData\Local\Temp\isAa.exe

MD5 ebd1ee7c48225e2f6a15af49ff22c709
SHA1 d8e053853b21048d62c9c3a3cd7bb382ce704f02
SHA256 1d9251fd81fec186c1b6999ba311a0388ec61f4f6c5918e9649cc42b745c6199
SHA512 3848e2799c3a2557fbcb0b596473d25f8d678a0ead18b381f53138b56399e461f59c879e728a5265a94a9771f6da6f504658f3ee30dbb56ad469c8f0e317f9e9

C:\Users\Admin\AppData\Local\Temp\yUMu.exe

MD5 2c7c06143def98594958b1a08c4d192b
SHA1 05448092edcbeffb640a0c33d2e673c3dcb76577
SHA256 a82635cc353896fe8543cc12df82c77aa92a4fea099143595fd7a2b67084abdc
SHA512 924b9e7c51cd5c7a8df45ccf813d3b278ef832437970e78fae4c6cc38a8f2ad752039606487f45c705831564c4a7eaf86519f4f1522714ea431a15a7f04b4df7

C:\Users\Admin\AppData\Local\Temp\Sccs.exe

MD5 528ea8cc941f6682d97f68db26e52c89
SHA1 f8b1c6987ee4d28196a551944f3fd45c8c77ff58
SHA256 694780e4ca5fca7c9794cd1173a47f5507943414e464b0f014efaef2d82a59e5
SHA512 069f9ee2afc56c7b8b9cb1c835bafc8eab3c2bb4553c77f9e1000c1fa564482be21551700a00d9a141256ef52776b40ee112764149d25f2ee138cda21e86727e

C:\Users\Admin\AppData\Local\Temp\Gwos.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\AAkq.exe

MD5 36c3c9b4ef47381dc5555c5b6eaa5659
SHA1 bdece714d43abb647bbec2c3f08de7bd6b654996
SHA256 f929fa6e81d9a16874f9645b1e2fff1f85891110e97face429abde2063f62c14
SHA512 ad4d365fe8232b2d6f1d9fccd2891de28cbcf1a5514951d649f47fd243d2d65c5eabfcec3c41b9737ec2b889f51670d3f787ceb20bbda6a2252cbc41c118ee5e

C:\Users\Admin\AppData\Local\Temp\OoEA.exe

MD5 2b7efaebe250dad5e71bdaeec283c98b
SHA1 25a341637688cb28c21296568b66639534ed8f96
SHA256 833da64dda523af2ec07e5e890f501401fc895ddc128baac7a551270d0aee6e4
SHA512 1e4ce892117af27d77a1c3ea58191c93e0ddef4cfe8bc02407324ec964ffc4290191f0cef361569226ea035181782801566e7bae91e9b08ed91bd0bb2cf074e2

C:\Users\Admin\AppData\Local\Temp\ysUogMsg.bat

MD5 0fd56bc4f93e2000cdff002f3fda481e
SHA1 ccc24aaa252c57dd9cdc2ab7a2f8497ef19ccedd
SHA256 7772757fd96d307c591fa2ba268c1f6a9dae15419eb3813fd924be17a5bb342b
SHA512 ef0e9fa42f49381969e0dba1de4fa44f361712d38d02345c93b1107b7994019df6557c731d8918c3d47259cfa36efa012c930f6a1b9a85b55b2a97c78289ce09

C:\Users\Admin\AppData\Local\Temp\Ioga.exe

MD5 586bed053dfb1ac514c952fa9d26d271
SHA1 ef606e269853b4b81524b19f2bcb3d67e0887b75
SHA256 bd54a2ec2fd61e62461fae61c4f7a7d2d1bba294c1264c99f5ec2bedc53636f7
SHA512 7398ec701d061135be27a3f48105be58ee7a210e653c138a7868daf1e7d0aab62412cdb7a7b01fcf6ab618a9a137c44314b78dfdac51d698faab5f2b4fe1f05e

C:\Users\Admin\AppData\Local\Temp\MEwe.exe

MD5 2d50cc21fcf41349aa3c4e124d113da2
SHA1 54a1ce730b6e653dc9ebb185e73be74e05f3a499
SHA256 38c0a09e46dd9183b547b95b7bb052a46f2eadf4a28b783603b4464a5c0f4d34
SHA512 6bd1554262b2bde76dc5fa02f8b79f0a3a0503fa016a45a1dda78d2c2c708a8706e472c19d624a1901c44c8c0bf5fddc0ec3c5815afb147c37430db552614bcb

C:\Users\Admin\AppData\Local\Temp\QMsY.exe

MD5 a960ffd5d237c0c2c862cbc52a9369bf
SHA1 02e5c19c1f5f0639290473d803a405f812504bd6
SHA256 5172e7f75353599f13d459f3176602fc535de6d7fd71e97340c1b40b23e267fc
SHA512 b0320048483333e345272e7705d792069250a681ada2241408d72061c4db81698db79784aed4ca5c130134f05bf979060fb397009689ef2745eb54107fd34c72

C:\Users\Admin\AppData\Local\Temp\uAsq.exe

MD5 3d0984749b86bf64fd3a834c1f1d45f1
SHA1 7465b2f9fc6dcae632ccb69c1290df873d790dd5
SHA256 146d2088d66f54c2c42fb436a02a29ab33a82cc7d53312b17c9588e8b1c23622
SHA512 428deb590e1bb714d2ec3534162c41a10deae34d649878814141515e5ee4bdd27135f42e40728de9390f5035d46ea6b3eae2b0952d65a6915538ddc1fc57c92f

C:\Users\Admin\AppData\Local\Temp\oKkMEMEo.bat

MD5 9ffa0daf090f72c4cc8c8e2199fc1240
SHA1 7b37f680d6580cc9e95461d9556fb1340dc5305b
SHA256 87c3d6592c9709a9912f536bea990ab7106ae66b3543c7f86c23985d91e67e0f
SHA512 35df48d7d1c5a4647c57d87bb4a6571ffa00359cbf997fc14ea049b945cdcb20be43f9deb228de276f98407b4e34eb6448ec29765319da8527ab22320c916aa0

C:\Users\Admin\AppData\Local\Temp\gYMa.exe

MD5 014e37597f388ac88da669700896f25e
SHA1 d6762899c257408fb8b3aaa7d8e34237eeb9b41e
SHA256 f7656e21b04e314b3b8d8424f4d7669a80f889467e21b3ca1f98e41e9a9a63f6
SHA512 2155810bc15264d1fdc44f1a9249c7c4d80753d2fd0efd43eed565c37f8fb91f0497ebe10d99bf7dfac7cddbe23354095fa3a96c3203b7b54afc79b878aeaf91

C:\Users\Admin\AppData\Local\Temp\QMEg.exe

MD5 654201dec26918d3adce77dc809f6a75
SHA1 3a74d5835dd0e0fe5c9f8f6d1ed4df4544acf28f
SHA256 f24ce483214550780c43ff4b37bc03b90a506890b699daabf25d73c488541379
SHA512 7e366762520b8847eda2c6cac9aaf3e4cfc347363cd13bbbf9fbe1fdcc4e3a59d6ab4eefcaae4413b5dd1e1131323a8f6a3b9746b55b0a602f545a48c99c639e

C:\Users\Admin\AppData\Local\Temp\uswY.exe

MD5 315caaef1f57ed2fb2a1c8128965e635
SHA1 a3d330b313486354bc4fe2786afaf05231b1125d
SHA256 860f9e9b8e48e761dbb00f16ae29eb8de6065b262043cf80645d023618970bdd
SHA512 6346af64d29ab28551d5ec3c328e5a687716f5cdbe61c0e8adb52efa793d0d943d3521a48081644bf9a9dcf31a32a6465fcbc2db24182a54734fc40f4340cf0a

C:\Users\Admin\AppData\Local\Temp\ugkC.exe

MD5 06562f09e67f38e11f962a803ca80751
SHA1 5045171f8553115d61d4a6334e2b636522f9122f
SHA256 732babd5eec986b47c35e8341bf1bd61db46f3d716a4a4b4b76797a05ec25c4f
SHA512 e79a6197c25e95e619614fdd459bbcae9653e486f6bd8f09d7807109471b9b5007989ab05874b59dc1784ac1df2ffa3635887e7c0bb6d42352d235072afced49

C:\Users\Admin\AppData\Local\Temp\uwwy.exe

MD5 23aee793d4eff2c9d2259fc21f4204b9
SHA1 1ff9c86c67ea2e958d9dd84ad446231e9e5abe5b
SHA256 2b6fc27d1f1701c86cbebe247f0fea72fb358e08ad2cef8c3c13d22f818377bb
SHA512 13f7e08660b6452e87ddc7829cf15aaf7f570c712704bcb341a322760dd63b8a767573b21e522140332cbbe46b641b69ee81761419ad99f2ba227eb03b09ebef

C:\Users\Admin\AppData\Local\Temp\esUo.exe

MD5 986653bf4e16d6337009b42f2fc9d4ca
SHA1 b11475b55901b866211675475b19bced58247074
SHA256 21acb178aadc297f61a1d689ffc8c35bcbac09ac0fabbb759f36c1a01c6457bd
SHA512 9d1b42538b006fff856e26da968587655e5f83aa6f9109820881dfa1b9143c7f4252274b366ea109d3f6ff96d677cfefbdadefdfb0892a8b3b27f471b855c601

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 6e215c095283b6f03a934f87065a12ab
SHA1 325f721b0c4650795030dc6c77061d94f4de7942
SHA256 7a5cf62243aa7eedb0f55f29178453f906963bb9cce57dc1ca094ae9fa9f3faf
SHA512 65faf12b1bad7593fc647a83005dea1d85fd78395ce6fc99f7c75e6403f3f792708d05b87abe1d30cedecf60caaff4c63002c8bb49efa28b861407d58d7a6317

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 314007be70d4173b3218d26261465182
SHA1 5e778e54bb1cf2458eb5eec90a94f4447dbb368d
SHA256 86ba0f1cc5bc9ad7c18a07c822878241050893565ba9cc0840fe826cb832d5b9
SHA512 a71414b384c90325d1f073fbf929199afd77afc3d23a016e1feb91d34e4e210b5b3cdda63e1db6eb6ff0a90521f872cdb49e1a8d38b34fc4e42291c4a928a1aa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 c11082a18444a2067d8cb3c74c2a85c9
SHA1 f5653292ee4563cee42c8cd3aa6a5803a4fdd72c
SHA256 3fb3512022f5c3a49a3f12e89a803a28b06874173333961c9c18f0d5efcf26c3
SHA512 55710d5f261c3f27da841b06262093ee586e51202d766f3e48d957071a217f11e3b486066721c644e70adf551f30cec1b138be59448402c4981ab4c402e17146

C:\Users\Admin\AppData\Local\Temp\syQcYskk.bat

MD5 43dabd879972d664d838dc29ed093894
SHA1 4340f2d7a855bdd2d0a8db0eae684b1959eb30cc
SHA256 87cebca72f3d8ad9dae4ec684ec4c26e0be8695e6bef472e397aa8e50e1ade5f
SHA512 df0edb1b9cfe42198176042a4773910f3614122befee3268d96f94fe2266150c42c9b9fab7893bdce6cb601ce79a372b0b4937591b16e906c6f59c3386998687

C:\Users\Admin\AppData\Local\Temp\kYEA.exe

MD5 dabd541f91d0e43ee24096a73b0e8415
SHA1 c3125492665bded8d28c8e235d22a5f83d0b9a0c
SHA256 f01de22cbd3c2790eaae5ead3c729b97794ad1058def292e96e417142e43fbcb
SHA512 7721e04d4bff6690fd40e8bb52e4352951f3cda34f76d25a657c989a02da12ffde5cd892dea108b25d8c0e278d99ed713a529c1d5576c38e9bfd5ac308777f36

C:\Users\Admin\AppData\Local\Temp\WwEm.exe

MD5 1213318a92ca711b18d5cfd0639dc235
SHA1 be5feaecc8bf5832fe4dc146f9fe49896fff9f81
SHA256 cbae8794d275a5b45298c98226a4f940afaae33932160b84fa55b7533858bb77
SHA512 25173f34f50042847bc910beaf14d5ea0fc48dba68f67b13a7604bccc513b6becfb6c063a7f7ca154e3325627e9774153015ca879db8232ee5a4975f64ac90a5

C:\Users\Admin\AppData\Local\Temp\MMEq.exe

MD5 039e358d8169727b49a4e8662935150c
SHA1 5ea28adf04f0356f1ccb30264dfb05950bfdf6d2
SHA256 b05969a554edb5860342e28f1f9739f264c3fc32c7b066fdb1ad31873079d95d
SHA512 f8bb82600bb1fb64b1de016f80be463eb17f60752e136db277b37d7fa0d7d99bbde79c883e30dc62e5be29e04e87f540587fc0a8688d503529aafccd49cb2483

C:\Users\Admin\AppData\Local\Temp\mQwS.exe

MD5 fbbb6c84b786b8bdf8bc9572bd480486
SHA1 07491eeabd3674f573a2b4347e45983952ceddee
SHA256 c361808a06279fc5268651185d11ee0aac52002b82640319deccd3025c26856b
SHA512 a231a17eac2360929d2f5a147d7efea2e155ad32a4d9426182c48859b903aff447bf25f230c0847ef7ae7d81ee76c75502e4acd19e52ac8b44175eb6c779ba97

C:\Users\Admin\AppData\Local\Temp\QsYU.exe

MD5 64884794c2eb3a97d8a6f4e89d4c52da
SHA1 1122f4b4f782a494e7eda2d695fce448cdb71643
SHA256 d52647fe917f5bffaad34880e49ea2146ba421d1c5aa2f95c52a9a898eca2945
SHA512 842d02a67daeb1c2ad1290a0ff1a2447019de2ce9667dedf54e9a9af909e081ecab6fd6c61fdc0ce7b6800a95e3582c1e778c7d28bd434581fc7c0719f4c9285

C:\Users\Admin\AppData\Local\Temp\mIYw.exe

MD5 3512f873f3ba3509d37d1a42c9c24e81
SHA1 1860c1d25e1aa55804f1ce4dc112cb851ff1782d
SHA256 a628138a68beb2113b7919022cd35b17cc4b90c3214a6ac2b2f9a039e29385ed
SHA512 c0698204421126208570f82446dc398178e493484efa9329ef95800c0d5ae1f6dae74a9f3ee0f512126e1dd6c2de42028d0ab7a14b5ffdba29a67490a3215a99

C:\Users\Admin\AppData\Local\Temp\UEcE.exe

MD5 835a6a647052405511956d698f897d9d
SHA1 df08da0f3bdb98de15056c6c5bf7058fc8a22802
SHA256 be7d16e9fcc4dd2cbed54eb626b8272d8113569030aff6a2b9c44aeae3967215
SHA512 abae3edacea8f51610c9aa5d7cd90bec056ca1c506336c24e93df1f557ca2884bd9159f35493edaca93019ad91e8fa9bf99a8a0620d7f1ecff1bd001a5ff04c2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 8a4076cbcc4448f7cadd1cae4dd1858b
SHA1 3f065f4a4c844216b38f5b01892ece1b8e0a13e5
SHA256 ea49cb1e163fd5645722d77c34ae372b223eece21f156364825871ef59c62971
SHA512 3b9ac53e11ba2401ac3166df01325cf01039626ef3471e7ec27917756b9aefc13d7bd10fe60285c7d1cf05f6a838ade4ce53a6a78f8abdfa5fae50b6b11bcaf0

C:\Users\Admin\AppData\Roaming\CompareExpand.mp3.exe

MD5 5e92175da20dd68922c183523f79cc5d
SHA1 f3aa145d336c7ec28089862b8f2fae28a029edef
SHA256 12da67fdb421db8dabae701c2e5aa9950feaa0c027f8c43dea2d6c360c938db5
SHA512 67099f1d8180ac56d83641b257caef2f3b4345bf452722f92552b25655476b9bf2013f2c4de6ee899505d1f243a9e6dc51468dfba07f9947cc4e84e85740b7db

C:\Users\Admin\AppData\Local\Temp\qcUO.exe

MD5 ea1bb17bc23a68808ccef046aa5609ff
SHA1 c1533c8226cced822f5593c47456529e71b9eb36
SHA256 36537c297cdfbf0d1da5a4fc37d897b319aaa067b51e6b848541c82f10c0a73b
SHA512 c54a2e3dcddaaf3532115e1ee75b3f17be1e1731cef73f5bbbd077514f31438f45076ce27852d3fe7bab53c4c0dd39910eb60b00d27f2ba8d36932c5fa55b295

C:\Users\Admin\AppData\Local\Temp\qEYW.exe

MD5 66ed5c7b21ae0c5481c703365a936e4e
SHA1 7cac1e11129ccd7ec523d5583a74e80cb0fb2888
SHA256 85b491fcbd95f94a48ed8d9f84d0b2039a940220e40c4f9fa6fe1d8663186f0b
SHA512 ca9b3d67f42319b4daf949e8c3939a954488f4dffbe07bc783ea1736ae7fe34d9ff86533d7737de290023a697d3d5c5790fee9490b761af5de6237290c77b84a

C:\Users\Admin\AppData\Local\Temp\KIQA.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\IMoM.exe

MD5 7ff8e14103b0917d4f3f9f11456c8f26
SHA1 eac520642f9030fbd059426caa8046f40e95ba16
SHA256 141be3781605dcab705778a6b3e45c770cb3434e67146837b0e70ca825a61248
SHA512 5aec51a3d18d4dac737ef91beaee19882f2a0652e8a69a00ef81c140c01e5169546aea2861b4971f0162756f8e6a71e01463f7d2be09578f0ba22180d36503ed

C:\Users\Admin\AppData\Local\Temp\jEcoUEUs.bat

MD5 359480cd8948044fd9d476d8922af1a7
SHA1 3791be986dd21f3a9b66d329b54d389f56079f63
SHA256 97bbd2f40c53779ee885d5726f63345f7112d1ac68f45ade8d2d6511a348baf7
SHA512 5fcf1e020b9dab4959bfd252f018f7bd45e4209cc7a2194fd124e185eea7f53dcd45088a3ae2c03682fe926f1748ae027b7a0296336afa09896b8d6c5e918f3d

C:\Users\Admin\AppData\Roaming\SaveRepair.wma.exe

MD5 15205f6a16637693ec1bdaf3d6b87448
SHA1 2403dbcd231c0c6d3ad08ad141634deae5886543
SHA256 1c44a8f2493dfc05d139a97ddb162d0a9c4595f8b40886f88ee7d0cb7f06177a
SHA512 791c55a366b6b94aa12e149eafae2912580b3432524e0276c835f10143c2336ea7c37436edefa8f7be7994ab096b188b2e1a9c15d0018fe5207c2a92a93222bc

C:\Users\Admin\AppData\Local\Temp\EUkI.exe

MD5 d3f4a0210292f1161258db1ff45b1bd7
SHA1 a2e5060c957cb80ffce953f5ee5913e9cd9d4854
SHA256 c1b5ef7396b7a35b2b72954a33adf9a92991a462ffb3e7d89e66d913133d2790
SHA512 8b69193c1d3bf6d8ddac046bd79f1a8f432e4e261136869f4cd1824898d5968071c27e4a76df4b95f912e408e52d0516eec7e191365da03588d1d25c858642d2

C:\Users\Admin\Desktop\GrantSwitch.docx.exe

MD5 a561d98d1e5426cde1c7feb8db93b612
SHA1 8d5289a476ae85e5602c35cfcd3df14ae031768d
SHA256 dfe55cca5cc68c5ca6b84e45e58656c47e2be3771398c51ca6ae66fe7b7ff391
SHA512 19a8e472e3cefa5368cb143ce2e7fa5ff9eacd760b9a2f564871b3afa816629a19910798f364efffa1af589990d121bb9dd6ba273308d363db507dc01d6a97fd

C:\Users\Admin\AppData\Local\Temp\TiEgskIg.bat

MD5 09e018c8c632e224ebbf75ce41195627
SHA1 f07bf28161e9792e525aef7cf8c288dbdc80f3c6
SHA256 f095afb0a8719c3b2195a3ada91aa526fab33f19835e4bef1bc64855c6405f6c
SHA512 8dab692172ec3903c70fd8b9cccc95165074c9ca8227d0d206001f2a5ae572c3d2c7f00b28f24a30c9533f21021aa56c76467674afb38d08fd463128ad99e36c

C:\Users\Admin\AppData\Local\Temp\Isow.exe

MD5 c5f117db6f663403f7a25802611c5992
SHA1 f74c34297b879f04831abebe8db01e0d37adb541
SHA256 e67ac2c95790a3a4dfc1130ba669175cb112d27a45212c0b5db2ce0f531de7b3
SHA512 5aa23d05a6cd6b4483438a73544c27a5bfbae01566d6954246b78ccc93cbbf4f5761a0a9eb8b5e9e71f2fc4013536d051530f1b835c6d68ed7ca9d21a8c7c96c

C:\Users\Admin\AppData\Local\Temp\ygIW.exe

MD5 14c8b0a28714446dce0b322d36832459
SHA1 11e614da5b26dd6503375c475ccb0152675390ac
SHA256 87149c6a1c52552b0939fd41ae7499d5c29f3ded53eeea51905d8e8d66181f52
SHA512 b76237987e6e20c221d79919e7f02029c4bd8997c8b20cd4b9aee2f426d4b9e5ed6693901b0c07545a790b2df7fd77579430ae482bd13a7a7e6f785fd5436ab3

C:\Users\Admin\AppData\Local\Temp\qUUQ.exe

MD5 aefa71259ba5597f5c03ca01c22904ac
SHA1 5d69310a8b4618bcb2e1ce3df91ed250672face1
SHA256 54eac37ac35592195a99faab55ba5abafce4cb27812f2f688b515c94a57f8e63
SHA512 73511d1603d168dd22ac0caefc27c8e4c446eb1a4a354a7704c4bb86370d8833c39ada0cd70c99f3cad399da9b6e458f91f80a5aabe21a40fca5890a735454b8

C:\Users\Admin\AppData\Local\Temp\qcgW.exe

MD5 b1cecb32e8cf7afac5f7821302967a25
SHA1 17bb7dad920915db85855ba9613f274e433d8b25
SHA256 011dbce853eeeb919ab51ee5fbdaa4309b5a3971571c29504aac5e477701443b
SHA512 24f706fe6b170d1178c4452f9dfcb84d23aa6af3d0d688fbd2c034e6c51269afafbffdfda5a1f07f0a929f137e000ede53956805e5c0301d35e01ec7408df0d7

C:\Users\Admin\AppData\Local\Temp\mQQQ.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\gMMc.exe

MD5 03f5ed6869d9e538d04ef76ea8449b66
SHA1 16f034132547218cc8bc53bf315fa3364af1b20c
SHA256 694658d934b68fb9e5c023f332382a28fff3dc1f0f6761d1591a954b61652f48
SHA512 6c3b0b7bf7d914af981c6ba814a3625b107cf871d1debfbb127943f78722039f17933a2bd0e4ac7c2b4c22e46c6df58b11549800831faca26f412debf0556a83

C:\Users\Admin\AppData\Local\Temp\eSMw.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\HkUoUgwQ.bat

MD5 93df363ba984f67e1c0ebcf6437b50b7
SHA1 f14912f160cfffe1228ca48b019544043b860b71
SHA256 c7e8ad9350e6fd30ef1af44ab9578844e46e044d0d79333afebf0fcc6c49d12b
SHA512 54eddbaf9094a2256e656a95fe4d498d1c481ffc2ca1023bee24569e675a5f056ba61da8c80b8a10ed7c6020f40b49f8885bbf1865c8fdbfc5dcb65423b25f8d

C:\Users\Admin\AppData\Local\Temp\AggI.exe

MD5 dbbf284afa8e3a1f445b8f9c8fafd7fa
SHA1 ee145a9369045ce5646c8df81d60efe623701601
SHA256 fc34ed5183a4b34aead94efa7e0be31e0eb09225776f3ffbde016a6f1ab729b1
SHA512 85c80f825bacc0e7906a1c7dcbaecfa32381b5461ee9c36496958658d09d38ddb73097d4f19b8b4dda7a2ff12d898fff24aa513dbfdad1ab4dbc641319f386d0

C:\Users\Admin\AppData\Local\Temp\aYQO.exe

MD5 a3bf4aff8cc248047b54745c8498ef17
SHA1 3df17ffe1c67220298a40694390d2199f53f0b07
SHA256 fbaf96f0fd672ee138ff3a685cd7da4c49f18f71c4c1f63dea44e7c39635143c
SHA512 c9257cd2054b83bc89337bc1f3fc97ae8fe09fd49650ba7202528816682dd4c7d8ec66cffa17e2894490ea3a7d831a1633be8e5ce5bad1a7f6bf8037d0acf109

C:\Users\Admin\AppData\Local\Temp\YYQQ.exe

MD5 99defa083de46ee431b81d98aeca8d6b
SHA1 b1a26bfac993c33c9bbdd3cf9e2772a5c067d47b
SHA256 e6876f817b063c0de4e9a021e53d7f30027878490d0f1d869f166de58ea37a65
SHA512 1f78b63be7ab677f9ac22920cbd35c08d62aec609770201bebb21f3ccf11671f6fc0ef98767a8b07881477e604c1b52fbdd9211b526cfab629e55ccfe90b14d2

C:\Users\Admin\AppData\Local\Temp\eEYq.exe

MD5 43dc78e9d83c4e5dddc6f1865babd51b
SHA1 db94914b4e80d271880333b463f2a4216d88ced6
SHA256 23e8b648e20c477ce6ca67e333f7b1b22d28badec2821b7d0ad550f9aa2464db
SHA512 6e43bfcb20069604a85b9aa24ee37498895ab38c8a2c8d9014d2e1e94dc34446bf65c93f14ee7a3eb945653bafa9fb19ac582868b70ff19ab17d3ff681822e71

C:\Users\Admin\AppData\Local\Temp\mYIS.exe

MD5 4dc34a9dc2ae942ec48de66460959e02
SHA1 8fae4c12832be2712840e5b0a25e39a4e0cfcdf0
SHA256 6e3c9caa2791e84bd0583fd4b24f4c9f66f0e8c25ffb4c8d10b50909b18134b0
SHA512 2cbb395ca0bdf55e04b1607150a46037d60feffc6127ccc3c89d6153475b25016d68b7b9b68b07931bbc9ba1f64d4bc0bc11e7768aaa24269d2b0e6d384b6b50

C:\Users\Admin\Documents\UnblockProtect.docx.exe

MD5 4de2a047c7a1a9d01d2b505acd7fb7e4
SHA1 c27b7d7b2f5245be0a0ee5c26b0070ca4b1dadf8
SHA256 2b13ce6153091e1fc0b6fc0c1fec07106e97bb454c1683fb3805afdcd5c1af42
SHA512 a3786022dbfd23050d064d4716ebf28129fc7d7fa4120a9e939fd456fdfdb27953d1757bba2b280f406f06faec53aab0fb0ce82d4c5b89e4536365050bbfcbb6

C:\Users\Admin\AppData\Local\Temp\zQwIYAQA.bat

MD5 3df06fe1103e37eee496aeade9a94d67
SHA1 86c41cc2f177efc931223d86e4d445ea41b56938
SHA256 1917bbbe49e8e3ec6e71eb822eb96908f223bc85c44f181e33ae24fef8d8d500
SHA512 919384b629560e83d84c1b7a2b13265aee5ce87691d3f13491ad449c6a0c2c62ab6c6a835a57970e9cf21beda5ef646307442d56604a50194909a17f210fa7ef

C:\Users\Admin\AppData\Local\Temp\scUO.exe

MD5 f20124769d8d303cef3b54d7b3c5bcfb
SHA1 791af96cf7cfcdde038bd9224d7773b5ed4ab43b
SHA256 46814395421c9df076f08511c1a87a5c895182604111e0005374dec98e074432
SHA512 58e319537123d1af9e62bae7651c6b49a9c4b1b9e2b0e657d787d2e0352000291ae3a2cc63de08076946133b5f313a42256c91316f68fd5c31b2abd2df9a5136

C:\Users\Admin\AppData\Local\Temp\KwYK.exe

MD5 0688b98b43d969ac8d78cd6517a83660
SHA1 a114e85f500d0bc44a754f598802e95dcf0687e5
SHA256 a41c15592a3f8e018a40796a446d96da3ab8d1b31fbc5090fe898538ba93e6bc
SHA512 5b833dd1dff3919a8aba270d66ea91a055ee4631662d56dd006523fd9a7ca34a35cf02b064a0555e14563c50072452868938db7174e1a3ea62a00ececfd212de

C:\Users\Admin\AppData\Local\Temp\CUYO.exe

MD5 6c16a73a4f2a5bd31bd4d55a2a12f4fc
SHA1 d2d35af99aa727eeddf9bc2e8f17b58f368ad88c
SHA256 7a1d2178f4bab10adf7ae8a0fb341010556540ecbe3c747b697fb5529468fffc
SHA512 f2d6a1f15a77b68581b291ce7a6acd89d8b97d87c9a67592165fd79c5243b8736f9441bbb6e5fbcf082848fe3e9be6b981f2844a01b7ff2d4dc6dfe4ca7c59a4

C:\Users\Admin\AppData\Local\Temp\cMEG.exe

MD5 e57f56c59e9154aba31afb712d4a3674
SHA1 c7bce92fae131c6a5ec8843cb7d89789cf2a91d0
SHA256 9824a2fb87db0761e0f0f04804bee0fd7e2a12abed84586b138e7a8724584a5d
SHA512 fc9baf41675dc75184759ad6e6ba19adf562d66715654dea5e596badf6d518b45d802974d81fc88a842d7edaa37c7565dd32de15ba23c33bdbd929e2e44ac888

C:\Users\Admin\AppData\Local\Temp\cEYe.exe

MD5 4e62b5c4a2959fd9b4ec54b8c81f39f3
SHA1 4d8f9689289dbfcdb6370b0b7525b8e1eff675ee
SHA256 a9b881ce040b51eb12f085ee78680ca6bcbc7f71d2c6da9ae7b7e96b8b790848
SHA512 8b593532481bfceea000306ca9e2fcf5dcc6b55b79d4254c2f051bc6ad8ebe216e2266482559c45f53cc0a3d503505c18d46ceef6c724b4c846730d38dee92e0

C:\Users\Admin\AppData\Local\Temp\kEgs.exe

MD5 3f2b0cd6d009ebe262b4cdbb9718b034
SHA1 8d1eb28221a5d5996858eb06c6d6b9a5a449063c
SHA256 a59c59c50fad4c53818683e465b2099c3169e34ce83482867a717aa460275f5e
SHA512 4a6aed4778f9cbf64133902fd70c8094ae805c3e3443a08cf883e4530f0b7f14360211ba6cf7a569226c46b4c926e54422c0713a5d31a8fc3f4ffe6fa7b7286f

C:\Users\Admin\AppData\Local\Temp\kAok.exe

MD5 dc9839c95f576360c0c8a91033985875
SHA1 b635c162f838247c728d554f4a65d65dc0c41feb
SHA256 9ee037e0e42f77fdf34a0420bff78597c1b95f0ab849932eb0f3d5e48279c009
SHA512 04704d680ba002c4998cc6b3449d1248496f5a282fcde814a2b4a91ae4b212d270f7929352bb5c88691965a399c78006c3abb4b2185aa089ef3ae07e49733c9e

C:\Users\Admin\AppData\Local\Temp\YKgcUkEI.bat

MD5 7ca90389227cfcac23a0b657c7159b0d
SHA1 da504e9c35b8ef179033d0b58bedd415d89e87e4
SHA256 a640b241a8c0e62671b9cf9ed400d27c2e267ad5641a879ab64832700c625864
SHA512 e0695a95df04009c94c077e2a3695d724ef2680d096809a05de884d1696dff54ced320f320d9aa3217b00cbdd3faae0a6629904f8960854879ca3dbc14117e53

C:\Users\Admin\AppData\Local\Temp\gogK.exe

MD5 3318879c676d8d71d329362420075851
SHA1 b913b63fa75bc7e278c206492cbef98d6f775d6c
SHA256 43c329edbe6abf66a7419e30c977bd6324fedb81ec7b826df3bbd492b2f173c6
SHA512 e4108ee8a1204c517655396a9ea275fa4589ae898def460cb03ee25b2cf1726b0a46b7b52662f21bee92c1bfde6bb878968532d3764c294a82672ab647d42f22

C:\Users\Admin\AppData\Local\Temp\YcII.exe

MD5 07281e9a540c50a82212342fbd04f905
SHA1 92f81e11a2925eeb604483ec36a6791020070e31
SHA256 9c8aff4ddfc736a0291555449f8daa8412d8d9a9407ad8a1c2f7182e948e8146
SHA512 009c7490518f1c8758973c270743054dcdee4cbdb82ba4956fcba3ed8b1818b9ec3764e2f396d2255b55e194ea56cd0ac3b5a9b92b5b7ae42360bd81a42bf074

C:\Users\Admin\AppData\Local\Temp\UQwg.exe

MD5 536a2a8f01abe01f618ec6524c674f4e
SHA1 7c6c66e4604be6b308520716cbd72117df9f816a
SHA256 09b09fec56beba2d4fb310557b6f7c269a176885e806765a3d7a11f592745dc5
SHA512 c174ea7a0ecacb58f28d5f3e8bff97f812754adfcdf26b36572ec12757c552b195ac18de429960d9c03776ff7c58ccd567ded6a386a40247aca0af05f52e3f3c

C:\Users\Admin\AppData\Local\Temp\KEYi.exe

MD5 ae68d294fd2d5a7cccf10f70d6cac232
SHA1 fe6cda2f070c8f70170682bc4f365cbd37f369ef
SHA256 c5af38965255937c4b16ccd82791514ca8be1476980f21a08bfcd884046e3564
SHA512 6b5e0c6f1e58880e185655b802f447394325dfe15d0e45d793671020d784af9da2099615212bc0bd14242f21fe25c73235041e6b61c8dcb79412d8a3705e4955

C:\Users\Admin\AppData\Local\Temp\iUoW.exe

MD5 991bcb0d945a23c872a43bb38d847cf7
SHA1 576af41b693517c297f422935a8c5b9edda3b100
SHA256 514ddcd9603c77f60b2c6a7906b0d8a2f7b582e4c83b9206980af04be96d2a6f
SHA512 7445cc1f0448c34f59f1369353c0255e6e191376187dde52f9514ede2962a130b3448b65936b7837ba44bfd81d42701595428f6804f642c532f122dff498b981

C:\Users\Admin\AppData\Local\Temp\EIAI.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\Kkgw.exe

MD5 8e9bf09c5b07406d526d786d590dbd90
SHA1 bfc82c569b2fafb582fd8d8f5baf6041ef7daa62
SHA256 2e9672ed03c47b14175d0086af09f13e8bcbdc5caf909b0e2e369df4113dc80d
SHA512 54c0f8685c687684da88d3e55e4713d712b69549445e0ebd8c29d89adf1b3d8407732a40a1c7e38c15a9780d8a3db854ffc8aaa167179dbb6fdd41472d6b51a3

C:\Users\Admin\AppData\Local\Temp\IUos.exe

MD5 a477c94332e07e089157398954590882
SHA1 b1809cd1b4c882bab902bdd7cb16d57e86293ab6
SHA256 3e7c8cb151f061f3eb46912e3823a558fd53c61f8899f3bc828d31cb24db681f
SHA512 09b2c3a39c8d7acaae3655b4d982f14dfbb76584c68eaae47662df5016349d2b5aa13ff6ab61f577003689b776fc2de79547bbe1d390bf60a60f487cb734696a

C:\Users\Admin\AppData\Local\Temp\UYgS.exe

MD5 b6b808c81d3ccd5cc69b4a86cd18af30
SHA1 659e93995ac9265d5bcc4a23ea47f4d9d82e4d55
SHA256 8354bb1d259a9a2c3368ffb6e9021828ac7879ef104fea593b0295261628a939
SHA512 412c062e5ffc890b509bdeae6bff3f8aa498a7a47565af701329e8523e801d77b940be927e1dffb8dfd9e8e082ea430d8a8cd8b09dabf2804c1314cc47ab9bed

C:\Users\Admin\AppData\Local\Temp\Agwi.exe

MD5 e81a71133a1d85ad54bafe7a849e6350
SHA1 ccb3880d4122b239ec7fe18e07fae625842d3885
SHA256 7596c7b2f4484805b93d5310001d1b2d840402a52412aef91d285dfd8ad08e99
SHA512 52ff97982fd255cea15317a4d0547d9bf7d3fbb685a7b90086590912cc7ba27a4cf4621b5b1dceef9d4c3be313d39a52b987fa4752b763480a1b8f7a1250c5fd

C:\Users\Admin\AppData\Local\Temp\UwIG.exe

MD5 f8f00f4ca724c560b2e864f8c4fe2f9e
SHA1 fe9312b4afba9634c8f3772400c0d1e327632892
SHA256 33e97a33d817df8367557fe74aa2825bf9f9642d851bf594a13c022fe8420733
SHA512 71a7fa7db3d9f86e969cf903562bea968c5f2938a3081d2a922e11217080df033ad110ef82bde53f428072aa7171a45f0c71543ea571bdd37e21b360471fd09a

C:\Users\Admin\AppData\Local\Temp\eEUs.exe

MD5 8392dc7828761a9d20d7f0c1943b9373
SHA1 d5bde9c91f460beee92752bc1a09868a2f5e2c67
SHA256 e7565ac04e017ed2c755b8fe2b1ee91eb8b8d3c3ddc93ab0c6a35188791ac76c
SHA512 07cd89b0a03342d97949f8827a54926dd9f6408cf221bbab0bca180340186d921316e56b956276862cc486d376ee9bb5e5b06ce53211a962e676eb7715e98651

C:\Users\Admin\AppData\Local\Temp\uUAS.exe

MD5 9486eaa4414e660e664f30f585fd7637
SHA1 1178bbac620ec5de48dabdebf978604d4d74e601
SHA256 1932aa31ca8a5c7b922bdf0c59143e83b1108504625de0ba833fe1f03a50125c
SHA512 286554eb25d366bc2d155b4e015b17d29fc1f0d4931c10d3dfbc1f3bd8e79eb82b3bb7a44e67e4897607ed94f7f2cf0cdfa22c04322fa4b0db839e4165b8dfa0

C:\Users\Admin\AppData\Local\Temp\ksUY.exe

MD5 3c091bdf5cfee9367a8e72d94bf3d54d
SHA1 75ce2ce468f0ae4855ff058834665690b54a99f2
SHA256 6fb67bd4c0971d770a7f9454de937817f121cfc3f20b4854bbbddf16399814e6
SHA512 28ff99ef1783ba7a66d98c3eef8f3878c87d39ae0d5920bee291244336441d1ff5fde00deff7c68d2fb308b3a75d02289543c6fc69211be5ff58e1df0da313f9

C:\Users\Admin\AppData\Local\Temp\QwAm.exe

MD5 05d7d5b6cbb51369edba6e41de88863f
SHA1 33014e5c9af145c0279073ee582bc16d93993dc9
SHA256 21578396afe2ca69afd915b2773bd082faa9c7d0e804c8a19d82221a4c21306d
SHA512 a187ced1af04a0c88380c10ce24f6872f4608120482404516bf90ca4cad2138bc03f59d5173771f42bb47fa63df264767cfa5c44b851abbdbd2285f3bc593dbf

C:\Users\Admin\AppData\Local\Temp\ywwW.exe

MD5 097b8fac3056f1a7d91e2d31628031bc
SHA1 41aaa1f5a2e9e93159d25b930efa23ecdb793947
SHA256 d6b61e1d17ffbc9453299d794cd7cf050f29e3da0c7a92a27b4f3789b03c0f19
SHA512 13f10882daee1200ca600579fa365017a0e51a0f642ae626a9232a646f9fce3f2b038fbd7cc10c9e71fa03cc21d3c5774d2626e40d02348ae9efa8e5e10acd0e

C:\Users\Admin\AppData\Local\Temp\KkwE.exe

MD5 81827843492e96c60e0fffeb60dff6c0
SHA1 b0d6d52d6214a004a0a4157b04805e31823c4f68
SHA256 fe24d06cd04474fa1b4941d69b67b528a5cf759831495360fe1cec2b65a9ed1b
SHA512 49bf15905282ba284d305f076472ae958f07f91d4787b60625a3c9cb492c004c2cf98d6a2ac19fc2e89edab0c821cdd0cbae3fb307ea9f6519bf3bb4de05fab1

C:\Users\Admin\AppData\Local\Temp\scco.exe

MD5 18328e8e4d4e3882c5797342241e2e41
SHA1 fefa1df30a8aa673d1f5a9cd4ffdcf1b8ed3b8c1
SHA256 ab919dec242000d256b8bc2061410228bc196534d88c227546085dae11001f8a
SHA512 44bd3262939d7e17b392c92b0ed27b41bb60a273c6b1f17a03f62472d0582a2e875e39bfd7bb798358babd5dd9bc9623b34efea8103e475749c13d535a4fc3f3

C:\Users\Admin\AppData\Local\Temp\OMwy.exe

MD5 41dcedcc204a86d831c113fbe9aaa9cc
SHA1 620eacd0e9f4ed9056962d85d077e65796a1a77e
SHA256 1524bc0626db1b2eb5750aebf0cff032d3561c3f60d3d3068ec0909a84c17df1
SHA512 47ff06a13b4142aa631e7628ea3c5dfa17a71319377fb13e38bfdd16d2d44c0294c5ccc8d23506dc39d2b1c5c0a7607da7e432e4712566085ab483ca1e1141dc

C:\Users\Admin\AppData\Local\Temp\WYgy.exe

MD5 8f01d7bf7d65a190ab8476dbac8e4296
SHA1 b51ae1f5f07ec5140f6389cf42350c3a13f4d981
SHA256 572177ef129cd86cc49ed3fc352ae64c204449dae5d6986aa0e6e5d1227e5b1e
SHA512 9b07fbdf9b5e8fec6c049a2603ab37548f457400f56b491e20a1c82fd5267afeff3f86bf9faef4d163a3298f87788e9efe70ed01fd2748eab999acb11c595050

C:\Users\Admin\AppData\Local\Temp\eYIy.exe

MD5 2c1881069eec853afc3855aaf4e6eba5
SHA1 a161361cbbe841ab2af222175f3fb70bf2809821
SHA256 151346023634f3979220f68441dc1760696cd605d70a99136484b628c0ff703a
SHA512 19e5474ae269c8fb298000951df35a0cc5139fd9ff3aeb18fe9acf02e26528cb3facf26f7c459d879c92a43f7a8941dc59fadc193160e2deef4705db42ffa21e

C:\Users\Admin\AppData\Local\Temp\IYUw.exe

MD5 0b8162c48679dba38d92d5f33c54a283
SHA1 10259b2ec21a9008d50c935192a1ed7a7c2310d3
SHA256 0fd34005b5a5e810b85d1218deff0a88ab466684917b5d4f8cd7449e17b9d882
SHA512 21b4fed8dacd98740089ae6d4e24b219fef678b5baaaf26d07e2421d6277431fb54036d5a3de019217912b242153d384860de0ac8317fc3d234f033702af48f4

C:\Users\Admin\AppData\Local\Temp\YkUa.exe

MD5 8f66ce47c68a1758da23fea5246aaccc
SHA1 bd196013204d8ed6b2cc4863033fd0fe24702d3b
SHA256 f557d0bb269ae3254f0dfe0ab705244a4babfc7af04ddbdcd698b749868b69ab
SHA512 8cd7f685cf3e18705191af8a01ae2433d4a9578a5efa1f3960c5fee220f41248ffd91584a6aadff7c83c06861f1702f1efd580465820260a783fdc29349989e3

C:\Users\Admin\AppData\Local\Temp\GsUM.exe

MD5 80b580010c0709b8fda8651f8de73056
SHA1 63934d36964aa56a9673728768ca7f64d645ed81
SHA256 cf630e2475a9cd39c46c1ab5b4cb309713be8952f7e166c4655509f2d8c4d515
SHA512 621ef9ec83a615143c9452ea9bdbf257eba7a3d2391f19a0115173b45bf2e4e7ecd8ac147612c5a4a951bf63c1b1275849ed20388d6b31f17b829e525a3230d1

memory/2480-2319-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mccg.exe

MD5 79446d194cfe5d5f900b27229e4e4df4
SHA1 7dfb72bc7912c80a79a5fea668607b5b5d4beb71
SHA256 fd986500e8833f7baef3454ba13284b585fb773a1802afb89c31a5981712d04f
SHA512 d99ecfa9d6c92d8472335fa8fbece43ceed7ec9d04ec940421a30602a5a9d200991070f34c024bee0421f25b2d53f95621c9f26e53164da61a6438fca2bc36bf

C:\Users\Admin\AppData\Local\Temp\FkYAAYkU.bat

MD5 cdf2fd2c3f937254734b097818c871da
SHA1 9597bc1cb6ab76f416da1f9822dca8a05ceb39ca
SHA256 5a72976932e1bfd377b495f17f3169d9e70085e48d9e80a7c2c70c6e98d0b163
SHA512 03b0b9f4da6b127b593ec97f36b1fdf1dae53e97694d99350b99f979aeac5228a809f043e2d00d15cfe8043e4a94258ce815e681d6f4e36accdcd119cb2be78e

C:\Users\Admin\AppData\Local\Temp\wUkQ.exe

MD5 573f7b8603f6c696eec7aab8c9defcf8
SHA1 9332eb3c8c36218619e992030de28eca293e8c16
SHA256 d22f03f78f434b378171b36e7c6e389f11007e0baa123f089701e49d36a71303
SHA512 17bdcc83448326924e409d564de19ad5ba96d3e60fd7a29f410ab1ce9fe7ef5995f78b1e121038c37d2e6304d5d6b9ce5e5a7729bded4b780d2e6fde64b3592e

C:\Users\Admin\AppData\Local\Temp\KMMM.exe

MD5 42d80cb70fabc4e7bc66bab9e2a90864
SHA1 e6d03f7c3d3c54057b8a1449b547f528e8389f25
SHA256 48b7aab1b6a48f1984eceaeb4c38ef4da029d0a9ca8a16ad32f15bc9fe1f5c82
SHA512 70aca066eb539384ed17a5d311c6106f9d57cbdc1563f6180f55be1fcaf2b7e1dbcba1d077883ac1cb056b37919332e251a75a1bfdf3602a404b9c367c733d9b

C:\Users\Admin\AppData\Local\Temp\cEsS.exe

MD5 c80ca56339800514f19cc99578988d59
SHA1 3b2fbe4f6295db1b7143e281035ee43864d2a9ee
SHA256 696629f1c590428f48732572852a7e8f23af7e0060b844f3993c9cf6a97f5daf
SHA512 34d5002dfec1ebacff0abbf0533567eabc6e63e448f5e03901e6130e1f8bb80b4d726476e751fbfdc91ca0eb8915e8ded1e4db70b68b9d05c8c2d1d948ca4c2e

C:\Users\Admin\AppData\Local\Temp\rAoEIcYg.bat

MD5 1cf10d1f5f86d8412cb7e578bbe3e577
SHA1 aaf2b399ccd2e0b15363ad6497b0c04d2df104a5
SHA256 d58cf4f4337dc6f5d4b6fcfabebed3509a4b93a0a770ce72bb108b5d97bbe3b7
SHA512 b2c91a92e50e67aa137a7bd4f9dbedf75d58fee26b3ec38b7d91a8132cbfe60d267580626483750bd3fea684891396751cfb981dc31278f88262679013b09851

C:\Users\Admin\AppData\Local\Temp\IYcA.exe

MD5 a891900083aec276b48cf82af736da93
SHA1 daeec19223352b8abb2d480b703680fecb0a55b9
SHA256 a91151284af6fdebfcd46f6721cc57e3fad755ca03a535b8204442eeea5b2bc7
SHA512 280b2b4b5edeac8c4107b85be181623e69899bf1de106539954e05cb3eadaac92344a8f19093150b7f654e02e89216331a78a4b48d662a5012b6e8307343c543

C:\Users\Admin\AppData\Local\Temp\EQkk.exe

MD5 0d815cec7b025c991458fb52816be3b5
SHA1 f31e5b35ae3f3a0f3a37aa755f9f3925c2d24e84
SHA256 0385dd1b116a1822562e4c5f902e1142f627d85be7b7f75b0dbb8b1e5cbf923d
SHA512 a6192676740204ec85058bddd1f3d5bc56fed9104383c84e2d9f1bc6381184f01d3d2bc44591cd2544a075194324c23b80e799868d6667b1eb38bacd05fe46b2

C:\Users\Admin\AppData\Local\Temp\YAoc.exe

MD5 965c7cb030b26c1fd71abe08762f0410
SHA1 eedaf559bc7bbc144ad19afb090ab72132551f1f
SHA256 2e0c3c68f33f3934ef43880fdef897202a0ca1a40ab97c9f59ff74c548a07710
SHA512 1e7e20249fac70e185a3f8bd359d1b0cc6ae2b88baaeac256b923ccb89e4f481f796a36b6f2c78498e631d1f79429c6334029e5d7dc38d5dadc1793220785408

C:\Users\Admin\AppData\Local\Temp\KUUS.exe

MD5 1497dc31056eb479a080a05dff07b471
SHA1 ed327aedbeb7d58481ffc21301adcbb5d1ce5013
SHA256 8be63e92f0533b3e814f98271914e44eb995645b15b18c61d0feead4609d975e
SHA512 2a17fd5ba55acc57869740ec8136b127b5f3591ee7a60d32d9ca24dbe0278db74f325558fb90adc0f63390e57375973c2f59b77a6d56aab7da07dab35475cbaa

C:\Users\Admin\AppData\Local\Temp\uQUk.exe

MD5 b55fe1a288b58e22858bff59c521fbb0
SHA1 b4abdf2aac9a7e533c7959e9bf397bc8b18bc7c9
SHA256 c23114d22ab6511e0768046ebd5d811ee418dd853cbdc6d5a71ded2cb9fa1173
SHA512 ad3f0755275a1b3f1d9f3f09400c121583ee2de6b4fa78c34907c60b9ccae1e7c6647c5db53724fd4f90165012a44c242f3e71f797cabc7624defb41e687ebc5

C:\Users\Admin\AppData\Local\Temp\EkYQ.exe

MD5 6e4eee269adf6e27f2285c3be37968e2
SHA1 18c3763a0e942195ab1d5cb8c2d0a0cf8eb01778
SHA256 4d55add6b0003dd5ca44cc02ca31e54c86a83a6538d0925c4fd85c1f6fa14af5
SHA512 864dda46c01da213567297fbcdc7740e506a29ff7cdd621f5f5076df7a8c7c39af67f29bf9a9a53e2f356f196c847b5432cd15511b1f60ee8b603b9907aa291f

C:\Users\Admin\AppData\Local\Temp\AcMM.exe

MD5 3569fafea85a42d30d1bacde32a98917
SHA1 3c150c8610cab97722b1bb876a16fa9a4e7ed458
SHA256 d3b8d73df4732c54f78bfcdb053e4dd54f9300998806fe6e470739f489bab71e
SHA512 4469886ec96c57959dfb63ef3739d5de3dbb8158913b2acccbc162c0a185e588c0d08ff6e7d7fdce6d5bada4d96418d64163d76dc7414fd735688a47e7f66566

C:\Users\Admin\AppData\Local\Temp\yMMQ.exe

MD5 2ac947415ff47d2dfdf1252b00240040
SHA1 a714f1645f404bb7a7a571071d884f5e603c4ceb
SHA256 30a58b8b3ea94429e9463b3c7d3c8e058688c02520a607556be5e5239a9288cd
SHA512 9e6760105e317dce654c6ea98b5e8165ae85c4716581a8d6201aee52a18c0a4691ca3f48594dbbed00f0d7991fdcfde28e5b6d16cc4845ce14d45a526d02e84f

C:\Users\Admin\AppData\Local\Temp\NmscQsMc.bat

MD5 c355da6bbb63221ce47c668b3561b1c2
SHA1 e0e11908e55d4b9b158f846def0e88486fa3189d
SHA256 ba2bc41aa5cf71b75e3dd48cae6565b22dbfc16e51604e247209ff30d7e6e5f4
SHA512 d880917cdcc87a5cba3fba8a12673f92126b3aafb83e621647ee04f0ff0ea4388c5324335804f7aefde67a89dc2f3164e1bd5a654d65ae3c97923bbaf4c64ef4

C:\Users\Admin\AppData\Local\Temp\cMUA.exe

MD5 4b3881d473048357fdfdbcacec0205c8
SHA1 e1e60917e7e9e3e63a208277293df921499c11c1
SHA256 258eaecf067abb2348d1d0b852d439945b07d86f5ff31ecd1c4ed00bca61703f
SHA512 5e336ae6f2b350a69e5180100ad9d8b45da715fb578e6decca00bce7690e6006e12fe9f775e513fc449b31b26f4b042e2e7c203999bd9141108b96594a7da863

C:\Users\Admin\AppData\Local\Temp\moAg.exe

MD5 0e2c29285543ba9bffa8034e71916148
SHA1 b89e8384db913c566a24ea839cade6c44274cfff
SHA256 370a4a8c295dd91cdf08297964cbda5e11de4e18ae6c67a7959f56270faab5a0
SHA512 5f7a427b318c54a5fcaaa2e1bbdfc5c840fe881b4ce7d3dd3a74e6e49e49296f54694a748d30e9e500e09c637d96a14bd2dc688c5018fe786b5042f89a7b36a0

C:\Users\Admin\AppData\Local\Temp\gIMq.exe

MD5 98358e09d26b4b61fd75a0f66a3a1a09
SHA1 e4a87a0512e6401cfd6f672a4b47dd1b43eb050a
SHA256 176ad458e766bb920850f15048817cbae303f4bcf8cc3ef69911786dd4e28b0d
SHA512 faecf265a344f4e95da89051544e6b7cd7678b955cd2211fee958b5ffa889912e4f6a64f89e01f1c734fcf5307c10fc30a0cd121d682bc398753f7fafd576702

C:\Users\Admin\AppData\Local\Temp\eMMq.exe

MD5 ad9c97044b1726d4fa0cedade0bb7c40
SHA1 00c5ea88a9a1270c7c72ba21ebb024bada54f9d5
SHA256 828e0860247ef00e15ce2864db53e2161141d5427d00de4ca799c937e670cb23
SHA512 42c48be7eb53753af7b0a733c3aa3beb08ee6bf47c29d790d45945cc74d75fea20bf9669d83ae576d7d0d8d8107d16dca4e0bd2bd38b195f79b952de83f34ab8

C:\Users\Admin\AppData\Local\Temp\kEsu.exe

MD5 79156f827f10c47943527ec01aa5b5b3
SHA1 7a1337c3e7183572a6db93e3a23e22eef4647568
SHA256 0ae39b3003356c8067536094e9477e8c7349a4b8f54b80cbbb1b5397938069f9
SHA512 0c888468af74607a130c2480f2c73baba2ab9a5e8ae7c4ae8a8abfe61e1bd5c097bfb87e43769f66572b3b14db9d0f87816c85583307afb6a56c6f0c4f4e5d27

C:\Users\Admin\AppData\Local\Temp\mgQm.exe

MD5 7926af51563065dd866c5a7b56802d8c
SHA1 4c580da8d06eb97d513d1554252d12ce981b7d77
SHA256 2948ebaba5b0c0586942b628443f74f6b9b23fb66547014fc17453121e1dae72
SHA512 b95c2de984121fe6e78348ef6e95a8cfc365945ea0a228ee4398f26b1c86f536dcc043ae89f8fdd1b4c7e8efcf6c4c6dc721c287d5ed06b984a45d0467bd7515

C:\Users\Admin\AppData\Local\Temp\UMsQ.exe

MD5 e5e833b81dfe8c4d3788b188710da5ef
SHA1 5a6942660b7a6cd0beeb1b68048af77be3ee52cf
SHA256 97c49e3a6ddb95c7b1ecbfc98308670c663ecf79699b24fb6622bd2acc36fca6
SHA512 56f4812c1d7e8089e1d880df2e88b271152e8740ec4e5a0df03dc1b6a5d2154a8304a97bc78c926b76370e90e909a7bea479fd435c1d473925402e1d251ff0e3

C:\Users\Admin\AppData\Local\Temp\CMsi.exe

MD5 7862d339274ab9b60584aadbc067bb69
SHA1 4f7293a0c6dd73fcf63bc3987053444fc1ad039d
SHA256 5f515a7e3e13381180bff3beb1f6d670955a8880e113821d1842972349b01afe
SHA512 dcf2f5de78d358671a0495d1077016f474fafabcdb19b18a6b4b60c2a5e37d996a78cb8b61ae07a886ea078c74d0e112a0ac2a2b01b30a45105b203628259506

C:\Users\Admin\AppData\Local\Temp\IUMC.exe

MD5 1c80edfd7727ad4bde5fc7153e92af98
SHA1 00971f1b5a4c2b29614705d970fcded499d7f425
SHA256 135a66ca54903ba9377f64beb94ee9496d017e8d6a018292ef10c678e38ed458
SHA512 43eec8d85de313a28c66358c3281b35473eafe19828e5f17e6b86105d40feabc5c04fe800a0382955f4733ebf7d1e5bafa72bf9ecdc3cf3fff09003890aa3d75

C:\Users\Admin\AppData\Local\Temp\ygUq.exe

MD5 1005fbf48998bc8e5237a0ba3286ef63
SHA1 b88f1e8ec9f250eef19a4e2d1896e4391e08b9ef
SHA256 18a09727156a78e90ef6dc549167e5d84c075136ef3d650097e2b946b672b2c5
SHA512 3b6416cbbf41694d74aa21fb10eae4138a751c0e547e9a64b57f6a94da0423cefae0599f3c438e06941bb163bfdd3003b199cc9735bc184bfa6b30a0e6bc624a

C:\Users\Admin\AppData\Local\Temp\okAe.exe

MD5 ddff439ef2a84018d9cd6aa2e4bdc08a
SHA1 79d8bb147ea505d5028028e0b25df9b45fca1536
SHA256 279c478daeba4254487babbbccd429c36235d1acf2bce24ed9f62b1b01d21664
SHA512 54f6d6e693114a43523568cfd9c6d4c4d587597e8c7b733a50a9ea09402feed3944fcd752dc5e8ea3ddcb4b2e0118c719024ba011b459af931e4c530469236ae

C:\Users\Admin\AppData\Local\Temp\AsUe.exe

MD5 08adbb6660c94c1a1c41efa6d5554937
SHA1 3116a6de811f1461b3004d5015f3b8043ff7762b
SHA256 44a6cf31c94d054092f66e75bdc229d960504b093c2e8a3ff00a777f95c90da3
SHA512 3e347daf873e242a2a56914a850f72028d19fe28d1de99c9ff22dbccf405a3e0da761be4d7feee0a3220a7863abfa705f640324b4c29cee00b42dbfc2058b9ea

C:\Users\Admin\AppData\Local\Temp\KQAg.exe

MD5 b4bb88e839edc6e3c7aa7812870cfa37
SHA1 db4b1e6a6992729db5495154c08dc18fe0b2c053
SHA256 8cf1ec53f5086a3ebcb8575b65decfd0a8610dfad744026db58da5d804fa996b
SHA512 c7c1320885c4c7180096410787c61b744f9863ad19c1b27ac4e2934580a784a0401077b0540f3ac3a0bac707f7c07512ed134ad5a8fa50d46a0834edcf6c2a5e

C:\Users\Admin\AppData\Local\Temp\EeYUUswQ.bat

MD5 7e64638e8cbea79d32c5019a3f31fdf6
SHA1 069d20d9c3f141258b1af53d12b548d4b6f28e15
SHA256 04992fa2c0fe3c8a29aaea578c3ff052df32566807fd4e881f11e013a210c7e9
SHA512 25a12eb43ac53649971d21a7b72c65a2abd09511d814e5e734a8eae83941ee76b2505edcf97eeab5e0abc97f6dbe98bd2073a5dead7a1a3f26f96eaabff0cde6

C:\Users\Admin\AppData\Local\Temp\EMIC.exe

MD5 0193e2ecb4b7573d6877d8b62dccfe1a
SHA1 86f099193cfeca34a736ad91c627afe57f89bfa5
SHA256 db920ec20cc5e85d985e66ed02d0cf1296200f6cfdd3cbdee1a430fd65eba5be
SHA512 8805bf9636f9368950c94af8d62af6570efb4597782ac20795634275c70637fae0b4420ffa22d8746c0c12e01fa0bd63160edf981818bd20b064a4cd7acf9c15

C:\Users\Admin\AppData\Local\Temp\eQcO.exe

MD5 4fa0d04afaffeb27f6d3702dae0d1dd6
SHA1 cccf666753c2bc5fcfdfdb5332ed47fa872f57db
SHA256 12596f078c8a942fdd22ccb06afb4652645a3c6fefe9d4821d25982258e628e1
SHA512 45ccff5b58f56219e4dd5d262312d93c571fcd90adbacfedc04f476caaf9efa37006240240a7f75e81a9159b950db4e93a39028d3fe4503c4d4485cb635e3be5

C:\Users\Admin\AppData\Local\Temp\kIcA.exe

MD5 16c6606e63cdae362aa67816c3b4ca8b
SHA1 9a89e13e624efe0788b6bc14bbd4839b279ea100
SHA256 95402a5f36df4fa57e78b8f16b0cd4aec402aa13580c0f23ce38145f41e86b87
SHA512 723e680a4063ee83d534f551b85e3f550a5484efca4ac71d7eed9f156506f2943e495b38a1968626f4ecf891e26d4b02ef0edc60199d6d11f7191f6b66f586a7

C:\Users\Admin\AppData\Local\Temp\WaMUIEMI.bat

MD5 e7044402506d49664ccd63bdbd156de8
SHA1 9454f2dcccae4746ea574e630de93a48ed538ec4
SHA256 18837c98bb5b1161bac3a97c5228dbfaeca819755d61d914af6efd4c151c1d75
SHA512 8ffc9656155cd716e050eb75980969bc3969d26d49dc410f04172c2cabfc2fc59a24b3e1f12d195e0e4fca9bb0d3b17bc604e85ac3785c0df5c532922db9d252

C:\Users\Admin\AppData\Local\Temp\OYQI.exe

MD5 c77beb406c5b4ad21eaee3f35721fc84
SHA1 bbf7d8443f8b24b7045e841153e962f250d8f4f0
SHA256 1cddd6abc5efa4bfcb4d653a6db7827e83d9f85429534c3bff7db0383c9d7804
SHA512 9e8858d316983ca8e9537689bbeb54774e3ac416068867e6f63429386c62a1cb14a7dc55dec8647c4d4df99213b5abd4ddaa64ab35972ed6f8a0cdd7e8b16912

C:\Users\Admin\AppData\Local\Temp\SkwM.exe

MD5 1b8aeb1515a8b87474520fca188d884c
SHA1 430d11b5f9b4d649c9985cc334e6a666c754d866
SHA256 9889b7939e1ecb26b922c4f7c12cc3df2ad8c391aa76497a93e0da2b9eeab1e1
SHA512 ce611827aedfc8b38113decdfde8c72823e0b86e78a106297369c41d245be0e61c614588034e1ad8556991ce9ee01c60e1bbc7e5cedbeb8c0c46d7338d2e9947

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 9f03c917bcd9059fb397ead7b2ebf11c
SHA1 c1e1739e1cdbc274dc9b7a398c26f776e4d7dd82
SHA256 eb6a9bac7e5f1a38491edee1aaa55d9fc448dc351546fc468c6e285ef205eae8
SHA512 74d91dba236754f3c9670e725b7c8eb4846e280203c89d38f97d9de89753d7bafcc15a7b9775700f09dcc92656517bfcf64200243c2467bddbebc932ffee8e0d

C:\Users\Admin\AppData\Local\Temp\oMYs.exe

MD5 5c236e66bca028228d041b5117af6f06
SHA1 76dfe5abebc6f2ae9a1196e9782642a280c330f8
SHA256 c6e7b0024fd8d9678b2d3610f8b7881aec87c0105d6b5429b8df39eb8ceb1a06
SHA512 3de242b7862c28a19d38725bdf3400a0c3df32b8fe48fdad1cc1f11713054f3640806394f427f86c9adb4dc5ee6ddbd1e3e6b6243b8c513a4d1de5a5991b7ef9

C:\Users\Admin\AppData\Local\Temp\IcMG.exe

MD5 9b33cd9e68ba060c9587a7ed2c9d515b
SHA1 ca1ba10a5ccf12d60fd6c7f52b8de3e1f41dad9f
SHA256 4542bbce7a5692732b215f7f38ce0014f3ec0a2d9e9d67c13d920ac65d773947
SHA512 4c09b1572c0d04c9aa3b66dd899acff4930cc13285bf622ce2fd20f87fbc538a17d390e8bb8a27f063cc3432edb2170929b7268b17f8154afd4f1256295234c2

C:\Users\Admin\AppData\Local\Temp\KkMy.exe

MD5 413acd60701d6a6a6b460db4897892ab
SHA1 1c04dc0f40d5e0f6acef4b6503e8f5748b582c9a
SHA256 ab4a4fbaea2116415fc213235a048a07a9df77c29c6774d057b2f2f99394ba67
SHA512 03a49c4e4ab6447951d67657bdb18c310f5a1e373a218f9b6abc4bfdfe6295fd139389fc81552c1c00ef8ed1b7916dedd708ebb10d21868cdac6005627bccb3c

C:\Users\Admin\AppData\Local\Temp\eEsokgMg.bat

MD5 c704a17fbdf39b611a6438df2bf71e49
SHA1 b4b8c7121da70df7eaab128bbe6b29cfaaca719d
SHA256 c23b829deaf7dc6557fdad6f6fc35ff7aba1952377d4c6a3ad4076c2c60521f4
SHA512 764d81c18d1b9ea9bfb5a9619623fb9a6189cd43a6b8763b78f6b124bcd8349388b78e872d0378d9e88ed1e077f4b479ffa0874cf280f03dc6cd9ee656765bd8

C:\Users\Admin\AppData\Local\Temp\NiAgoEkE.bat

MD5 e50e4aaa54f716f5a1cc2512448bc1d0
SHA1 d3197fea51dac76f8a69e107c88b87e755b14f4a
SHA256 803a5025c37b11ecbf95d71c47e7bd4502ca3818260057d2dcc70a0221206a0e
SHA512 d50408c4dd72e5286b4f765eeeafb73c4d1d5dacc9879a270f43c22890aafea45c72d3092eafa3ca147ddb10cac3abecd82e561296b3b554a833c0031aa21ec4

C:\Users\Admin\AppData\Local\Temp\BwYMgwMU.bat

MD5 58d2e475074fc334ee44bab1c378c689
SHA1 8dfcfe2c25276e2013fc9d30a6c498bd1ff5f778
SHA256 197f8a97549faa81f6bcd6fe0db06a759e8708ed282c561df7de5c9605344411
SHA512 cba6be87e7d68b00d3875540a8e0709e49a6c1f97ee5aff6a0808d24df51ef6ffac07597c086db132a1d3e00a63ae985c29d71aaba136084d061c899637d1876

C:\Users\Admin\AppData\Local\Temp\fqoEEQkA.bat

MD5 809791ff3ca9066fbeabb0bd5253d2a2
SHA1 6b1e3c2b2a7746afc044f2dcf31a569addf5d39b
SHA256 d10783f2257301264cfe8c50d78d57bcb61a7afb91395cd6cd124bbd9e46f6bd
SHA512 d131986feaf7695cf971deb6c771e993de709c0c85e3141d5692143bc27c7292844427b665583f4abb34e1689a2263e0671c543fdde0d607ef14a23ea0456cc2

C:\Users\Admin\AppData\Local\Temp\BCwsksgU.bat

MD5 b0ce7772152a223c0347c53a0a3410e2
SHA1 7c45908552a8773ee1409bd26579897e40593cd5
SHA256 aeec96300c8b4a3300f26e787956a3f270128b01191bc6443d67bc0d0cc0c535
SHA512 37c33beede44e0f7ddfa142b7022773baca55acff8610f1a6ffa131319ac70dab636a90ec8e68c8694925303e5a36141e8e67e58091e40252c02e66886679039

C:\Users\Admin\AppData\Local\Temp\UikwIwAI.bat

MD5 e63666216cb1c69594dee5f2c345bfe2
SHA1 4a8dec18fea04e354fcd9a145e104555aa936789
SHA256 7343f9091ec21e3b6365f6997282757c64e55a12f3ea93ba0b76f111d256efef
SHA512 7bccce1c2b18e167996c9bad93521a66591e2bd12fe76a776d069b0096f5dc68f1baff715899bc2433d00fd5d449caddf4811f77235c8b2f39ee26a194f9f450

C:\Users\Admin\AppData\Local\Temp\GWgYoAAk.bat

MD5 1eaafd23a489eaf83239a6b3de866daf
SHA1 d283e43d8036563458253fe77e65aeb6c5ec65c1
SHA256 fc0a0fa094a362bfd3ac04c1644620d9aa99f24f0bb39abd2ca648a584412da8
SHA512 5a14fb33f29175d449c83a4350019956fbf38f3c6168fd50c87e587b0ef5c5ba39cf298bc232090d5299680b1e4ef1ac267cc47e376e4abafbd8064de4a9354b

C:\Users\Admin\AppData\Local\Temp\SQkkkcYg.bat

MD5 404310db455a50f6b405456ca05d80cd
SHA1 048dda3f2718712e61045592f67bb485fb441c68
SHA256 b7fc1e74ee29b6cbba19cd2d24b0dbbc3f133b9b462b8bd968160fe14f050634
SHA512 2dd753efa69d81626ba28d5871b2612ff4a49af7e157aed159feb839c8644aa0a11ae92f5c0b9db05c44ba67688c58d75420f263af422da90e181a31f372f31e

C:\Users\Admin\AppData\Local\Temp\SgMUgoMs.bat

MD5 778f6651eec78449348f734aa744ff01
SHA1 c79bda89f8a8abf708419701d2188f67242e09d4
SHA256 8b733e9798b1314bf38fcd0518f3c4f18ae811745e358da85c455642e6859184
SHA512 bb20c4ee21babc0457743d20a8cce121d531b1c1b5ecff484f195428c03cf7f9882e7649e97c530d934ea5b0935c7aea8b4683c666c45b8de1959e63863d53a7

C:\Users\Admin\AppData\Local\Temp\LEcMwUEc.bat

MD5 1efffb249a350129bd6eb52ba38cce90
SHA1 888d457d542742c71fb505964696afdf918382ad
SHA256 7ea49858dc6cae7abb2e2028fa4c3eeb81b33c472bc0780c7e53f741392e4c26
SHA512 338a3556ecc1adbadbdaf41a1dbf41cc1cc241eb7042027e749da63d31a0bcb5a143ef083030bcd0f0c8be5e35f699e6ac2a556787dfa85578e196fac929f282

C:\Users\Admin\AppData\Local\Temp\VooIgsoc.bat

MD5 681f8f33bf4001f321efea6fd8458dc7
SHA1 99fa97f9cb0a78f2c46352b850490eb948bddd35
SHA256 e3e13b6dd46741cf94baa3da629e1876a962300cf17d9dfdb596ca2bae50e13f
SHA512 3756d65e5cb311e16a3cc23878d17eb1952ecb66fe2a34cfa039249d3d106092641bbcb56bdc41651f8cacd87bc57d19886ea61b41cf8787039d9300e44e5b59

C:\Users\Admin\AppData\Local\Temp\lGAAUUgA.bat

MD5 434c5b9ad0bb0466252c981d3d1b08ee
SHA1 3dfbfd22be9ab9e3204e975f104d0af2317e3a10
SHA256 48ff138f759d7f2e550ef7e5991fcc43fcdfa1cddaad9d99142d304f40b81201
SHA512 a6179c921ae8f6e2ada112b387b6857be610ba074a75badd087aa57c7d411cf16c41e67d4c1594eaea63eaf7bae769c2970dad5a2d6600fb669a2457bbb8dad8

C:\Users\Admin\AppData\Local\Temp\RMAUMUMU.bat

MD5 350d4a9c533aceb8a90c7311aaec646d
SHA1 cff14b0c235a0ec7ef61ce18309f7a29806f0a8f
SHA256 22c0320ff33d3eeb2f0f6fe0cd8b21cb7ffe2a0fd97b4c1b78e61690d6ae9c01
SHA512 8ceeee6040356db575648e806f1fb0b797236cbfbaf31e5564f4a5a3e2fb929f5042e7d276ccf2e56c10565487f78e7a4f576b581fae14dae68602afef4a6228

C:\Users\Admin\AppData\Local\Temp\WwMAgowI.bat

MD5 75723d8f020e955fc2ca0f12a3517e57
SHA1 33b9d7da3f951ad01a1c3e1f0bdcc6f9e6d02032
SHA256 3f90f7f90fd057451e88f0f52d0754970d66592fdd8bc7b7a1aa34b78a49a11e
SHA512 c93acda53a2b9b94e9742a7e4ef3d2948a1fa71a09a2c282c48069364edadcfecf8659d688f14b7e8c378d1cc7549736e7eadf0864a28dde85669c10ab1a049c

C:\Users\Admin\AppData\Local\Temp\IAcUAoMY.bat

MD5 d661562b015db8763078be1aabf77548
SHA1 2badc040cf125d02924bc26d9900db952ace0a5a
SHA256 38c672351b5693a1637434ddc55d69cdcf1b64803495ed3fe5607f16b580acee
SHA512 3d407364d23f8aad7a9f943b8dfc04a5511e912aa91f959cf99c508d9f4e674f9164ceabd74027ce26173e3b540309c929b01826df426a36e164a13c17887d1a

C:\Users\Admin\AppData\Local\Temp\TewssAwI.bat

MD5 b5f1c8d768c01c3eb2627b61b795f537
SHA1 e3900edd4d2a3737dd9c079e23d07f25f07ea830
SHA256 cb99b0fead357bfa69df4712ad5c82149d2e9be64e937c71b8f53767c51f1062
SHA512 b23e1d1d71143b9b8528966dbeffc7c6a0f0a18f490668d81596cc9836bb045a132107b61aab7849084467fb6a0395280f6af9f8a4598353652acf7927db3a05

C:\Users\Admin\AppData\Local\Temp\BEEwoAco.bat

MD5 c5b0e3ae143e08ff8dd48d24bd7eeb7d
SHA1 75aff718ef436e63c2eab8decf90bd00af65ee0a
SHA256 b47401a548a47403c46ac1225e9ce5b9a11fd55642886def1cc962d00d931b32
SHA512 03dc0012ba8906830a070135e6add40ad1348f24c86b8425fcedff92dc5d176e095a4b8ffe335f372b4ac303111b43e5077292aeda62a979e3d847a61f5a029a

C:\Users\Admin\AppData\Local\Temp\REMIgEkQ.bat

MD5 fa0931966ec6919f988e254ce6fd39f3
SHA1 e7bb4c90dde567bd9b37ed2c1936f9938d40b6e0
SHA256 dca56850ac4c2d6e21819b85706b884c1397b584c4d641b4fae4b4220268c33c
SHA512 eee2ad941b2dda55b99f6d93799580417fa284ad0c2e60e5ce3d567a794ac7232155085c821d7ab05b5a45e4f9e1d0d864d932a535a94d4c93a7c5ae113ef72a

C:\Users\Admin\AppData\Local\Temp\haIIYMsM.bat

MD5 ce3b84cc9ffa11e5d703871fa801a8eb
SHA1 2b94afd770d3ccce9851410413edc1b7e8211978
SHA256 f7400ff769981b51f2f57c676855f7c397954bf0c946584c82f450d338de4ea2
SHA512 30d87331b1da1fdaa244d979a240adbeb606e2ba6c833b391d5dee74c930cb60a75ea065cf4a7d1e416fb459113d8406c31162e737096f06566e96e210d88738

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:27

Reported

2024-10-26 04:29

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\VAUYUsAY\JOAUIAEI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swsAMQAE.exe = "C:\\ProgramData\\GSssAoAs\\swsAMQAE.exe" C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuMEQIIs.exe = "C:\\Users\\Admin\\HqMgQUAk\\cuMEQIIs.exe" C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swsAMQAE.exe = "C:\\ProgramData\\GSssAoAs\\swsAMQAE.exe" C:\ProgramData\VAUYUsAY\JOAUIAEI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuMEQIIs.exe = "C:\\Users\\Admin\\HqMgQUAk\\cuMEQIIs.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swsAMQAE.exe = "C:\\ProgramData\\GSssAoAs\\swsAMQAE.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\HqMgQUAk C:\ProgramData\VAUYUsAY\JOAUIAEI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSendMerge.xlsx C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheWaitSave.docx C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\HqMgQUAk\cuMEQIIs C:\ProgramData\VAUYUsAY\JOAUIAEI.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheLockRedo.xlsx C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheNewInvoke.mp3 C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheRemoveUndo.xlsx C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnblockUnprotect.mpg C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A
N/A N/A C:\ProgramData\GSssAoAs\swsAMQAE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe
PID 836 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe
PID 836 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe
PID 836 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\GSssAoAs\swsAMQAE.exe
PID 836 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\GSssAoAs\swsAMQAE.exe
PID 836 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\GSssAoAs\swsAMQAE.exe
PID 836 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1660 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1660 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 836 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3332 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3332 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1496 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1496 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1496 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 3948 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 3948 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2428 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2428 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2472 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2472 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2472 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1376 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe

"C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe"

C:\ProgramData\GSssAoAs\swsAMQAE.exe

"C:\ProgramData\GSssAoAs\swsAMQAE.exe"

C:\ProgramData\VAUYUsAY\JOAUIAEI.exe

C:\ProgramData\VAUYUsAY\JOAUIAEI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsYkYYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyQMQEMo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkokwQgk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIwEUYks.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGMEUIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkgMAsos.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmkwIwQI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgUUookk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcAcwkMw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZawUIAYI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiEYgYkU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKQsQwIE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKwoIkUw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiEUMIwM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgAUYAYI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsEUMMQw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nykUIAMU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAkooMUw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGIAUgIY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaUEIgoA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAccUMUc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWYoYAkE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQYEYcEU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeIskAgg.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmYYgEkw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiUsUUoA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgYUQQgk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyQgAggo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swwccgYc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQIoAMYc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKwEEwgo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyIkocco.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROIEUkIo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIcoQwok.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKkMcEIs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuwMAYIY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIEIIgss.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqgEUUwY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DysssoMs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKkggkoU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoowYokU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWQUUkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mewkwkAI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egYoAYEA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImYUwUAY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeMAosAI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaQIQsIA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqEscMow.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuogIIMk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOMUEYwY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmcgocIg.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymYEYAUY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqMoMQUI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIIQkkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwIoEAgI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziQIIcsk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGckYskA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGkIYEgY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkswsMAo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqoIgAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwUEAgEY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heEUosoc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCAQcgQM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWQIkIQo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGkccAEc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoMgYsww.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEUgUQgI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSkMwUIo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGgAAcoM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWMUAkEw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkokEEoI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqMIUckI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwcwYYAg.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BecMIMko.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOssMkMk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/836-0-0x0000000000401000-0x0000000000492000-memory.dmp

C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe

MD5 05500682783e57d3c3ac523a16404867
SHA1 b677ea81ccdda0f79817cdfea571925c2882de15
SHA256 4c98e94ee34be39f827fcb1fb3004bb8cdffc31e8343791e8c1e48725010913e
SHA512 7e5f87f8b761c151fb6ba33354f17959c35e8f82382716910a6f94abd5ef0ef2d59eca5a7dfc7499f7a3e708e23e5a0be1033597fa6073ef6698bc575dccea00

memory/3660-8-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\GSssAoAs\swsAMQAE.exe

MD5 3e93f5d1bc8d26282d0d12695f1b0966
SHA1 d3bfb9cfdfa7db158fd01243708729089d1d15cd
SHA256 8fb902433af7614e54210f313e03665f765ac3bc4b6971d429c3180d357d426a
SHA512 0750d90fc7afddff2ecf2ff0ce0d59191db552fa38f53e406c2162b7ef6f18195b33cb42b2948920f17a561de5876d1779c80a1a8252bad022c170fef5a97437

memory/3008-12-0x0000000000400000-0x0000000000470000-memory.dmp

C:\ProgramData\VAUYUsAY\JOAUIAEI.exe

MD5 1de1d663d0e7fac006a72aed88c7bad4
SHA1 9ef8838f8da09649bb16d8ac7d1a30a33c760643
SHA256 64798b9d89139a691df81d0b1e3dcfc591af6575ae44954b2f32a0fbe812507d
SHA512 573f4cc84a0a013f09d5affce9ea130d47c3a55850ede4b7d2f0e7ba070d7e88185c3dbf282a2cbecf5b9947baf789f529f921c2bf7f0ad924325c672ef3898d

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

MD5 1e6d0ca35226b00f598be4385fddcb75
SHA1 5cdbfdf472ec849d4f249744f5ca0ca7bfeea387
SHA256 6c427ec1b5a6cde3448276a551871e1c6a0029e92216ed988b26d20717513c21
SHA512 2a257b75b1c87f6942f8287ec33e287c070ac593a1ce065d5c137f8016fe3857b1fff2e72636ad274599e0b015ec87f2f4a13234fae1c56ca52b73bb59963ad6

C:\Users\Admin\AppData\Local\Temp\FsYkYYAQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/836-127-0x0000000000401000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uMYW.exe

MD5 be26039ecab8c3a2082b725eeab5699d
SHA1 801144ae728583388eccff374a55f406b43aa0ec
SHA256 7f3fe651436ef4b1542b7b358a4f48533237e702590a72aca402013a1e997760
SHA512 b4937c9cda06c1e3ece11862c6641cd770de8cbf9f115bb8dffef841f12370b10525055d8f721baf2db97b9dc0dd77c84c06fcb0389cd07696775ed141c19895

C:\Users\Admin\AppData\Local\Temp\YUYU.exe

MD5 453a0961d7394a48557eb956d0b5e540
SHA1 436f67544e2ed1195640b4ee8d186b3e57b75443
SHA256 d6d7fc0c3b49122f8b31975457bfd754e180ba967e0ff3c83692e7b7c4bf9729
SHA512 f7afca877b95263894ca778e4e8147706b4167cc9b68ecfd5fa72774bb2333088785a8af7d6733e91daaf9871671fa45a6a65e5a72f578cb40b8858b14ebcd07

C:\Users\Admin\AppData\Local\Temp\GQcG.exe

MD5 7b7486cd46031cb9b0a009afb4f8f0e7
SHA1 3d01ad0baa10c080e2f521125c290a0feeae7aa9
SHA256 fdb8179e0db8daab5771444ffcd748e20eb87cca55b93fda56a94262a02b0d79
SHA512 674164cd4c5bc572de1a1269f0c3c7b754ba9b58ad13f305e37be888166ed5059d049972622b87effa9515afff99ba7ef23e796d9bdf5d85989cf884d79407d2

C:\Users\Admin\AppData\Local\Temp\SwgQ.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\ssAU.exe

MD5 f43be5c61c2396ebaeca2e607b26ca5a
SHA1 2127bd1bff3832fe1d1787c674a693b14e2117a9
SHA256 ab00b1b2341cd2c7de9470623f7d1efff20fd98cb65ea1fa5581ff1e82960814
SHA512 ba57eb6043faddd0aa273f4e215b8860ef53f65fb765b395b9a0ccd1da3f6186a780881fb8b271f92ce9157afeff359c0373e9a181fb2655e48a7d16d5accac5

C:\Users\Admin\AppData\Local\Temp\usIM.exe

MD5 02bf5cad819f05749124e17a9fe9d3d9
SHA1 3936f9d6f64c8ce7817ec3c565d3f0755a76d50d
SHA256 83d53edf2467170f64367374e24f8529e87f70199eef54032b69cb453f34a9a6
SHA512 6867eb763ccb36e63e8a536e14f6cc6502e5e67bd87835be9fc4c150ed49008ff26c2108ee975481db811c293b2729b0850d1d0fa50872c6e1e1fc1bff55600f

C:\Users\Admin\AppData\Local\Temp\WoAq.exe

MD5 cfa213015c88459114dd25875b71afb5
SHA1 84bbc73928f6bcb3224c21d3988afa8e16813599
SHA256 0dd0ba3a99b9e59c66201ce49827e35d02c6d159e939eda5fda9c2b73eab071d
SHA512 04a60931ec1044e0bffd1981d57afd89f68193ff28a9bf7d31c8ab2d6cc448791bb0e38b1ce1f017491349a2ea21503e2a28cecc49170a4afa0d933a38a97f54

C:\Users\Admin\AppData\Local\Temp\gsws.exe

MD5 0de854eb9e7208994c7c474004a9bd85
SHA1 3635e3347345ac3b5d9020e031298ee8ab7e09a8
SHA256 2d73dd96f52332c7572d4c09f266550b64f23daa833827ef9bad49550766e9a4
SHA512 073939802da01e979275f7676f465bc536f92abbc59193a2a922eab2d243b152f50bbb45aa8a8ac9654b01a2d18234393d5543ae3f38159f1f5cad99cabbd79a

C:\Users\Admin\AppData\Local\Temp\AMkc.exe

MD5 bde7c0e153be01788a0aa014f6ee3199
SHA1 af5530bf8747793563f633d4007cb13658bf0456
SHA256 d8e4a707ff0e7a26232c0eb3a3366ea46f00bba78071c4c0949bfb8b4a909c20
SHA512 9901ad9dc4a5d07236a1b973259901c9d6850dd3f0462cda55c0f690f31100ddcc38500fa8d861113b7034d05f64cdf859c1a26a6385df43ccec2b9c256c174a

C:\Users\Admin\AppData\Local\Temp\qokY.exe

MD5 3ddb3117a6eb8b156826eff74e126dd8
SHA1 042e6a72947ddd8af09e3128af752bbda427e4b1
SHA256 522882fe997991a901a1f686d868bcb85140572a7f71aa56d5209c08a44aea59
SHA512 802303f05609acb786d0e562072d41b1eca192320b3070515b94940e1bac17b39195592d108a24e6a32d4e27497e5679c359aa18d595690c0be93355a8b8d9d9

C:\Users\Admin\AppData\Local\Temp\SQQS.exe

MD5 03f59d5f1d700b25f96668fd1ac8c010
SHA1 a17f2982bde8b6ba8651054f330c908e8ffdcb07
SHA256 3c8159b0512a5b6ac2c0c8ec27c7a38d4fb80fb2bc2ddad9abb2545088213e26
SHA512 c2ea45f6d5000a829139ffe3969a5c0e3e6fa198e3419f8082ac0b86c935fbbf0c9cb82f4db2da2ebd9f9015312f8d38c92e524b186e73c0bd7075c0c3e3a7e1

C:\Users\Admin\AppData\Local\Temp\aAMm.exe

MD5 75ca60e4bde38609658941ff7cdcb784
SHA1 d9fc608073de536df46e04624cd25ef09a0e4f50
SHA256 910ee3a78dfb96dd42ea85a8658fc7807f0e91574f763ef6242b3c5f0729fa7d
SHA512 1a3323614207a9d3d2de944982f68f990730aa772b9223c8cc70b76a5d56112f867e827758e076a0fd659be7b5063f8ab3843cd1e97ae0eeb8f9f7b6ba7fdf3c

C:\Users\Admin\AppData\Local\Temp\GMsC.exe

MD5 3cc5d528dca6ba8ed8cbc9467d3a84c2
SHA1 9f9758e493d844fa479b9a641e96105e3d9d31c6
SHA256 bd8514f2470e7e3e923f800c772fbc58b6d688ecfc6672ef52eddd2c59579ee5
SHA512 e7c7dd3947ebfd8aaaf0192192d2142a125eb1acc480c09459e36ab7f4e8c3b594f4f84056dd1db71ab70435d32f7050ac14317fb893613adf4aeed160c0d53b

C:\Users\Admin\AppData\Local\Temp\sIcU.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\eQAq.exe

MD5 642bb6aded6a6cc8550e4797c0fda82b
SHA1 a5a408502d44554b0c663789928f9e76bdef6422
SHA256 dbfbbaaa26b5483ca71afb2cf09cdb3c9f1987ed3c60d61dc4429663581cf09a
SHA512 0810905d5b96f63436cc11b8d05ee1962c3e44bfc68ff2cdbef9f8f6695048d7c385593aede5934ab5f488c2cfca2b9d4aab45717ebf35d4c0d41059c392cb2d

C:\Users\Admin\AppData\Local\Temp\IosM.exe

MD5 1f383b267cbd9c85d3e399d07d32a98f
SHA1 95020503975987911bd49459964fede68e568cba
SHA256 0a7de27947edf74810f76d9ce6e736113cef78d9892c97f27889f99b0291e1a0
SHA512 84a5995a8168035f823d7b8551c42e7380a04511cf5fc90daf474a090bbeeebc90b2a092d031eccb8e5144de2185754f5d0b5f6e7a087fecda5ea546257096a4

C:\Users\Admin\AppData\Local\Temp\yIAi.exe

MD5 14ebcb848dddaf093a346789c91b20f1
SHA1 7611da5dfd0a4537451714a43df878d3a15a2858
SHA256 14fd012ad38a99f482fd3631f6353cd0bf7b315b411eafed2f15bc11bc237b59
SHA512 5faa489dbd1c013c0919f1faf0b6f4a85cf9705098bd807a6fbca8596c256eb6eda3bdb12a272f8ad03350cf7d08bd9715f2754279d27c1e5e091d57c253f6b7

C:\Users\Admin\AppData\Local\Temp\SEsC.exe

MD5 ecdced0d30b6eb69842b1ffff0ae2eec
SHA1 2f8c01c7010e63e54a3eccd74e0654c9a6a81764
SHA256 009c1694a1333ef9b315871ccb80f3291a06a7fc014715c2fa12239136987084
SHA512 3c5b5163943bbc2b79b9ff3302a782c570336f6ba74a9c2d4354518dfa27a2ab164ba544579ff82497b9f534e30b97b4e10106bb97bb99388dc9bde1d2b4d769

C:\Users\Admin\AppData\Local\Temp\MEYc.exe

MD5 5abca1d0a441a8fe3e7276bd7babbf04
SHA1 3d2b1339c6ee3125c4c7bf6d0e7b71994eff8e72
SHA256 99c2d58d7da4bffcf2931920ea3a94a3d2dc50eb31ac63b1f3a7950511a85b4a
SHA512 cf9456ffbb62042558dd7ee23b53eaabbf5ed94fde1e8d72a9374f22c4dd265b93a39737f452f81d4a3866733af67c1ea7d822eff74449bb71a6d7166ffa9bcf

C:\Users\Admin\AppData\Local\Temp\mgIO.exe

MD5 cf9eb247af66f7d34cd32387fd66687a
SHA1 fba1f2db31261ce42c80167727e1a8a63f711332
SHA256 2b21042d4799922c69b9e9ede13f9219ec4ff3d94666d8d8c482df86536a83d5
SHA512 0cc047fbbb6c7c49e045db2e18af105137940d3cddb382c3fdcd631d451312cba630b762a4ce21137d6e933c018da823afe63e3af1933e2f7fbc238382b8ae45

C:\Users\Admin\AppData\Local\Temp\OcQw.exe

MD5 da0574e855711dc62beb1e820107f928
SHA1 dd495881b90c7ca43925ee6a3ac48ae114bee3e2
SHA256 74d92282e043c1fa75b7e2c4cf19fee25d9444fe643c8a00d8eec056401eca85
SHA512 7a8f0113f36574a001f7605bf6c9ed3da69e2281a8419782d80e6aa37d9399dd6ce049702c0a68113b36265292faa86e72a004add323e3123ef2e57d1b3f3489

C:\Users\Admin\AppData\Local\Temp\wsgi.exe

MD5 6441b7b084e6e2777d7dfcf24b0e2ec1
SHA1 52b772f73edfc1d28038b412bf5c4ca504fc952a
SHA256 47ece5284a9bd764354905268ece6f33233e1e1098f085b1997458b8da2390f0
SHA512 9f1f175badeea33ce5dfa7e577eb3699fa24829464e6ee3a28bbae27a3141fbe813ab6b5eb8577f44ce1e2563de7c1ef78766ea351d272dc5d15827ccc140c36

C:\Users\Admin\AppData\Local\Temp\sYYQ.exe

MD5 95a9ba6c532d8d1193e25d125a2dbc14
SHA1 b8bde266fad3cfaa588226d01dc872d00df2e938
SHA256 19185bbaa345b5abe1143a0746ea96f27dd3150072d007e90a6144177ac0639b
SHA512 87931afd14872c3db2faef078944f78cb0008efb11a66e6d007aa29587ab4c5ec8a0e49af4f50aacd87c89f0eb3a9b616777a5a0d9577efe64dbc4e4f38485db

C:\Users\Admin\AppData\Local\Temp\AAgC.exe

MD5 f5e5e7a3236d5fbb8aa03745135c67d5
SHA1 393a709c0c6ea50179e3b52b2bdaeb0a46106ee3
SHA256 7d84ac58a094f9d04e37b8f2ab9bd3fb65e8deb749d144dfe029b9dd30f81d7d
SHA512 3d4bdae255fad4bc0be35c5d0e69b148b4a2dfbf67299f02a89fdb4ccca2cdd620bb420f5948917debbfd527828c726b9f9c5ca17d74d28107518b8227776b4d

C:\Users\Admin\AppData\Local\Temp\CwMY.exe

MD5 a8b89739f1c0ad6db30a089a6f280ade
SHA1 a791bacffbbfa7251411539c646ed5210e034c68
SHA256 42d01e5192bac383d0974528a22bd9acfa0d6373ceba615069780f682fb3d4d4
SHA512 182ba8b5e3a827b4470197ededd58e0008a46452be76ff03ddc661aa4f4ad34846ac870130f518aa21e86868f9d4c636734d554d9742e4d5af7b46dfdf91d1a8

C:\Users\Admin\AppData\Local\Temp\wAIk.exe

MD5 79b7fd2ca5db75a0b0a079d83b1fcdb5
SHA1 57271a7b193aec3bfdbec5e17edd2973656e99d9
SHA256 f27ab157c2f251be22e2004f56f77fede20f98ded292432cfd52a3127675649a
SHA512 fd5ac3811454686771b70ffab4b965297bbd7554a69f4e0f69406429e67f9d25588baac4ca9b3b46989f866443ed77543622084be303693e56e3d8909f9e2fdb

C:\Users\Admin\AppData\Local\Temp\gwkC.exe

MD5 bef0b6dc63c63c07d086e526b162cada
SHA1 ec1d44696b62902391f7e2ae2e213c3253c303e1
SHA256 402698ec4a3f921ce32944cacc30ccb7ad7b1f82038161666ca83e3b2bc4d490
SHA512 a7159dcb2f10af35d45e2df57453b665814c4757375c2060f8fc84cd680e793ace202de8040b3d68a9c2882b3b1218b70fe07534154fb0ef9361e55b66a2009c

C:\Users\Admin\AppData\Local\Temp\EMwC.exe

MD5 b75643b3d9306910792057871e4247b6
SHA1 901807c569eec033e7991f2473f6e2a31595496f
SHA256 80ef3e0ae0e29e80de9dbd4702ef869ba9a2d30a9ad5ca610188f35d2d851f5b
SHA512 84d7619b96e0387c9c723ecf4ca1664a36d6aa4a4283b7bc6000db44ae522a3ecd350c2ee011ee846315d8d5f2d38734b3a361adc82ce5c1cdc844d29cfb9c17

C:\Users\Admin\AppData\Local\Temp\GQck.exe

MD5 35439bc39912660a47ca6dd2f68f743c
SHA1 f9114d2f1ad92bfbb6ce8e290f1bc5aa38cf97e0
SHA256 d15d0c013b9149e0987f5d870a2b1af95d10f6b0ee8df4ddc7e19d4ce6c68a0e
SHA512 a10fe1d81374b4a9c45dd1cb765015726a763bc1808888e9f52a5137a9b597746f79b316b7788e218755c6f61c55c86a5a260e4373a430515e08ac302acadcb0

C:\Users\Admin\AppData\Local\Temp\IkIS.exe

MD5 ef655381daab376c3e06bbe9ef67a624
SHA1 c1f78b00493c3931c3319f82a254d2a903cbed58
SHA256 e3c5cd7bf005cc3588d30084c0e7fa32a0cad9cb47ce8a8c90d091969dcc7deb
SHA512 152ab0b88ccd085ffd7bd2222a0cd0772593d2699b2155c1d9cf69d98d1afd91a8c184a2e52db9a409396a0953043dec07c6dac1e5b9eeed77a06d5790921678

C:\Users\Admin\AppData\Local\Temp\SEIQ.exe

MD5 9077acf783720fc014d347ec644ff31d
SHA1 0bb3a047f9690be6cba9b7c308c0025c26f3957b
SHA256 867dbe74da6d8d06b93aeb29e2c2a66bba0d81333b569b5a3f45659cb527e09d
SHA512 391303a27159e33aef299bbdd7bb80d86afe52c1d9a2193ba8e5bb8512e43ddc96071614070377a29a0fddab0e288a2e91647300431680c2ab600fe1ee86d1d0

C:\Users\Admin\AppData\Local\Temp\MUoM.exe

MD5 c341e7f9185d6465f248a00b8c1ce52f
SHA1 cebb4663d339fcae80584867563f95371ea00501
SHA256 02d90fbb3bcc79fc330cb23f9f2d7fbb4b3f2f3644a5cc0c9208e9abb0545ca0
SHA512 5e3b2a996fb54f41233aafbcad5a0a816701b9655af0d89592ef098fd6ca8149b62d71c38ffe5680c47543c83e76afe031de8b9110745421c65631e1ad5003a7

C:\Users\Admin\AppData\Local\Temp\OAIY.exe

MD5 293fdc317cec188fbde86c23f12835e2
SHA1 99d336dc993bd44a79a34b32d52ef5540469aee6
SHA256 0c5091c5f0f202c1e39b6e0e7911205b74a5f7ac4a1200013653ebd758acfd81
SHA512 e5b5d1483cfe154a030a24c2bbf0b173699ae6572f83a806323033c22ae8baed736f0893aed077710c6c8ea0112ce517c26408e4eeea0f2ab89c279968dffe0c

C:\Users\Admin\AppData\Local\Temp\eccs.exe

MD5 e23000ffaedec015479886e541a04d38
SHA1 6d2e8df8e836dec2763797832009f1b79a51f495
SHA256 d434f2dbcb6b464d687705badac17f39a03dc1736e8016d5f3aa95d753202db5
SHA512 aafae2077a87b09a31a0fbcda6810fc913fffbb3dcab4b54aa5ceae5f849264bc018355874402a296527d408a3ebe7d91b16b1f4ea1e9a4236c2d1f11759dc12

C:\Users\Admin\AppData\Local\Temp\YkYs.exe

MD5 e1ec13c3a4e8654cf9415f49742c9f10
SHA1 a3d253fdf1348299e4c0eb937afd17d4add10443
SHA256 3bfc00985bd9d5906486fe481528ad6babd1b78e7648676ad9fc877e08616efb
SHA512 ed64b2e61dbea7c78ca2a2980e4080132b04d5f2757692b00023cb52eff2c7f52c9a5d580149331f6f6cb0b7dc0b1d570128e37abce7a12082df09ed8282853d

C:\Users\Admin\AppData\Local\Temp\MEQK.exe

MD5 5a5e0861e2182cca4979581029fa274f
SHA1 ded99f8de28eefbd456efa5c464656884c4b497c
SHA256 d12b29869f7a6016b99bdafeb8608c36ae56a2968210d0e31d9732f16820d87e
SHA512 b728c3cc9d33fbfc316d5a1d7ca5de7b2bffde8092cf360ff7bf20f9bdea124f8c4915a21d1e29ef65bd35db843ba795295e47a736f11abfe0973c4831e386c2

C:\Users\Admin\AppData\Local\Temp\gEww.exe

MD5 1047749812e2a866f4e8e1b557e74730
SHA1 708841408e5d5322d5e471ac57e3b3a86baa499e
SHA256 54e7cdfa57e5364902e99965df848ffa78832bfe694905b5ca70c1c933e2aaa4
SHA512 fa45923c9510938c7b0af0c289e8f3c356b8e420b4ef4b1ed484cbcfd5dff50e40b8995ac26da20d437f6e290772a046de2009e9a3bd1ccc5c4d8ac279cb4410

C:\Users\Admin\AppData\Local\Temp\aUUw.exe

MD5 265ca6e094d1ecc4701534548d2043b7
SHA1 eb3248fbb21e574d856f7556c1ab6e14e3920f14
SHA256 131edd5f3a5bc265f457aecd606ede93f43a5e912ac9a8c20fb3db77ad14053b
SHA512 0bc253941fef27f963e50731d333b8893322177d0e0babfab5cd34851af2dffbe2e0a110c73e029d73838c187d9ac570987885cc653fd731e8d0558b74175c0b

C:\Users\Admin\AppData\Local\Temp\qIAC.exe

MD5 b4f01bec7aa63b8447320fcf79354c45
SHA1 8d075d093c0a6135a2c3f46bde8d6c52e1b81104
SHA256 8a4318aaf50b28a13e2693bdcb4e9c80da9d78402f5343f0419ab0807ccc31b0
SHA512 d65c37d71ca5cdd6a38714abff96ce40e75882bc2fb436bc777f7f43be1b40795302eb837775dc571842f5394e4de9908682db30b4e5ed50c07bc16805c870d5

C:\Users\Admin\AppData\Local\Temp\SMUE.exe

MD5 3c836d96d1dfc1a1f1c48dbf1b3a108d
SHA1 e5de6a94e6613bd8468707ef9bf9301a547c77a4
SHA256 9b7e677ee3578d06cef695d1d3ef7434cfc46b7b0d118d4134830967d0ccc98a
SHA512 a0ff9baef35c9f79592bbf771ebda78cb2b7cfe21a295d89f8e877ee41a9e4acdc42e75a0c148e4540b4d8c7246959edf0217ce031978fac1e9b16fd4644a127

C:\Users\Admin\AppData\Local\Temp\mkkc.exe

MD5 127f5a3e4b456e0c2bc6cb1de6e4bfaf
SHA1 6e6440546757b8669942dbf563704ea8e104f656
SHA256 66b6a815ee752029c611931b011497b0d2bb6d344641fee8ce3e8f92afbf2592
SHA512 b5f1728ddc67b0892b24234ac670fcd6899ea0ffe31f7bbbe148b3fbaa3d160380eefc872e0aa4fb50f776ad90bfb0e36bfd74b21e982b69ff4adf668154245a

C:\Users\Admin\AppData\Local\Temp\ukAM.exe

MD5 8226a89dbe1e64ebe5608602d1d27ba7
SHA1 808d6916075756ccc0a40aa2a405041e85c96ab8
SHA256 36a93f765570cda0ff95d8eb9c3ec03fc7612188785bdc5328b636e13437d48f
SHA512 18f3089ddd1dfe2ad7b1f784b974d7fb63a69a127b45fa46db60220c4b2f2bd88aad65ca0132702479771f5532f63229200bc82030946f9c046455d876b4ac37

memory/3660-810-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUAq.exe

MD5 1ad41baddebaee698ca51afdd83b6096
SHA1 762693826e88890919e22fa825b9c68539074081
SHA256 22289a2510bbd1a37a357f09af36673e0f63225ef96dfd875afd46f7efcb1079
SHA512 c7fbbb0c5b4b31ad67139dedf71e104d927d88a7e7048079440788380b9ce7cbcf5f6fc53fa26b65ec38edcc7623f0a6c9fca2a782fc61f21f7c479af2ccb361

C:\Users\Admin\AppData\Local\Temp\AoQi.exe

MD5 cf650925315f0d4a2b39a1be897d9469
SHA1 0b230fac66da90d3b5fcd02077fcbc6884761b79
SHA256 805de944e20fd62c3c9ff5c9868951b57e379612d960d7be6be085cfa18279bf
SHA512 a3d80216dbb8e61d246f439f7bdbdb55916ec57ea0425ce967e41e130432a9399e13b58ee80cfa080efc6d408e5619b7dfc929e1b58c5042cbd446b60c019e0b

C:\Users\Admin\AppData\Local\Temp\gswa.exe

MD5 7766b929f1b976d32650c09b8b68cc42
SHA1 73d92ef4fd3e58f9d918ae13835b9e30d7da45d6
SHA256 acf580c3992c22b3892fc2127c6d00d6b997cf6dea082bd865cadd741e4bd92d
SHA512 70324b91ddf981da50f0f23aa7f12e814c22bf52b225d8eb4bf54e784ca99b88999c73925e9cd75962b5fd594da2c02a0fa1022fcb9d872dc0b13ad8e4126c6a

C:\Users\Admin\AppData\Local\Temp\OIMc.exe

MD5 4d545dac3a9e295f72aaab3f2d4eb213
SHA1 d95f87c8bb958030d39dff744576ddb035072585
SHA256 d08775cacc3bc941fbf82016ec0d843742bd44073150107825680a261126bc91
SHA512 fbbae87ac30080ef63ea1baa020dba603d4727846419c730e9510ce503b4d76c67b067609ab176226c5e2ea8e9864a79dcacd5b675cc4d1e321cc9a98c2d908b

C:\Users\Admin\AppData\Local\Temp\kwcY.exe

MD5 5b08d37d6a44b7541aeaf30449ee4529
SHA1 ebb0e38ea0e98d326858e23942c4c10e8f3e4e26
SHA256 fac2f23cb7f46d73ae16de87961c5956ae1f93aae40466e6c130d9ed9b07a50f
SHA512 7128190cc03d9605aa025991cfaf4a62be5200a55057260c783aefcac2a4b14a66ed43520b379b4537dc20be7e7ef895073e429a38798bbf5e02d87d26f063b2

C:\Users\Admin\AppData\Local\Temp\Ikkk.exe

MD5 e17e62cf3ce758205c7fabc68d5f92a3
SHA1 bc69e99752e8fe0695d43db5ec0602e8dba206c5
SHA256 fe4342097e97f7796db54d8e53e8f19a413d2b5e6126085e0dec5e34e560a9fb
SHA512 50ad232bd90ce66b28f7e317d87160f55863486c349e8299057891d71a3a3584b44f6ef740fb898ab768f42a1b8042546cdfebc0dc9ee436b432b8a90c3ae909

C:\Users\Admin\AppData\Local\Temp\YwMC.exe

MD5 35d926c43459aea1ff2207e1673fbf8b
SHA1 86844b56e925568327fa251d1a4724ef3e6b7583
SHA256 91fe04e6f16c7ccb2285c7748d63eb125ba183fb40026c2a67730f0248659eb5
SHA512 ef5bc4e6722adf1f9007ff294dd780b4420478a91351a0e66356c9b4d3899fde646e01b071d84e951f8fa4e078be082ea2759d278ad4120e4750444d2a6ca942

C:\Users\Admin\AppData\Local\Temp\KkkG.exe

MD5 72e820662a060bbf0a45048678bde74b
SHA1 462edb59b785e0d7e7d206ec41c9502f9c551f6f
SHA256 463005c346541c4a65c2c60dab69b5744e2ea21bcaac1013acd81b9b1366cb17
SHA512 cc679d5d5c27c3844de3d3160d6c624d35c2c38036e85218b9d8512fdc4c729fa89e9a6d1b7e57ef835833f5febd3de7f2e5cb79a7136b9a412cb1dbdaef86c3

C:\Users\Admin\AppData\Local\Temp\iMse.exe

MD5 48c314732f73039bdb7af1de0e8285e4
SHA1 fb95a669ef57fb9d353107032dc657a7440241e6
SHA256 b3f4112b37634c8f4dc1a1fe4efc8ff804d68bdefa3fb0fc0baa02c92909f098
SHA512 44f111856d45c65a2c5553ded6d9ca8c71c97226a722ac6959ee60836a880304065aacbe4cdcd64935dfed27c561a6c887fc85c1715bc68d0dfc64179a2df632

C:\Users\Admin\AppData\Local\Temp\cMga.exe

MD5 b4b7395490603ff5180370e14920e634
SHA1 1b3dc47c710be68babe85d339ce06dbbfd2d9360
SHA256 14300a652f148dcd5ddc2246db3bd5ca6820395a326c697791cf0797f87e7b42
SHA512 335e6cfd242edae6428a032089e8d0aadb4c1bef99908ceed776d93328051e38d0d5b4ef503c181397074380101003802007fe67696d51bb2744d2e9f7a7bf32

C:\Users\Admin\AppData\Local\Temp\AQMo.exe

MD5 1d110c6c4a2b9be11753119d8bf5c603
SHA1 48f039bb79a2409fe2c640de292717c9d6cbde0e
SHA256 a707095dfdb059fc60117386a7e31d39e6560a7af337ceed3e63c13291919e6f
SHA512 68b9436c8f7d0214cdafd2a3b6f26e60160bbfa43b4feb4f0458cfeb0f8406690c2a4ea8bb3c23f2ffa30220e396f72af271f5f3173d4b75271af8db034b1554

C:\Users\Admin\AppData\Local\Temp\uYYW.exe

MD5 9f8e3fca894be8b634838a36aca0e0ac
SHA1 980441498bdd8e78cc779d02a08593b22364c7d6
SHA256 f20ae4ae82e7b87d4e975a98b91db17276273d37ceb0fc09fde8e929fd6a4665
SHA512 f0f14c6c2b85d6b7ae381055deeabfcc1312489caab86a2697970ff432ad1ad5e8ce7dfa81bb60b769fd3871e54b15c2e906bd154ea2ab2bc91b0dbf78afb419

C:\Users\Admin\AppData\Local\Temp\gQAa.exe

MD5 4103b1b75a3615f2109df86197960f0d
SHA1 450ead33b2d9a4696ea31e5377f2b9ee3bc99d1b
SHA256 a01de5e9dce4fb5b06b633015e9f4913d90bd8c108ee3b88f3a7a6797c25d0a2
SHA512 d55396a4e878a69962f2d6e7f1a7581afe01d8853a2173b4189036ab6876daff69f1e538ae36ee23f38e0b9cd2ec8a2e4db4200e2a993e60794bb85cc6155b25

C:\Users\Admin\AppData\Local\Temp\gIkS.exe

MD5 3164fb5ed44eb87534a0889fe073293b
SHA1 727da201e10b9c2d16354edc531a36ba91611cf0
SHA256 8279281a8f0f44f6eb867939c110d35967aa483f8b5941ee45e4b3d287c39b43
SHA512 99d3826818cc48f7ecb728f51e794961317af0cad494ed171239d056886c799496cb9b3e97c3ddbd01a3784a6617aba53f6f26ff17867e90f0cad4240b8b9ab9

C:\Users\Admin\AppData\Local\Temp\SsQm.exe

MD5 ecc11719dcf3612f8d953747cc7ff82a
SHA1 e1ae9346802f220a257be3eea99d825e147254df
SHA256 427a1a7aa79413c7c2c0f580efe9bba5dddc40f0f5af75162f334b523ef9801d
SHA512 7f634a9f35e31511c181807d9f70b69951d75581cb17591b2c85ba37c9e1559bb1e24a75d5839fba27aae857bc3c832e35e1b628c2b72e546bbe401ad25df87d

C:\Users\Admin\AppData\Local\Temp\awYa.exe

MD5 7f31cc2e66887ccd257748bc4a40bb24
SHA1 08e7b912a984cbd90b312a01ee85e6000f11aa4a
SHA256 78256b34d9c92b6a1d1a82eca26f9b6f0928659dc10681703358aa9c60f7e55c
SHA512 90bad510777d47fb9e75a295c8d7bd5c18dcf6fe38d71ab9eb6632415cb9247a548141eea8098355731610b6fbd80199094649fac0930d57a22f2bdea6a54a94

C:\Users\Admin\AppData\Local\Temp\CEkA.exe

MD5 d2d947e33c8306291fb0fda79ddc0bb0
SHA1 2a9a1713b260edd6e30b8c931041112a25e6bcfa
SHA256 34ce0ef7d63a2f99f1ff33942a38c2ad07909d5b05e8a300207e3f0d995d5a17
SHA512 f37b3d607c3491c24111edcd64cb773667d4896b015f780f583b4a4c106320aa27288fdf3dc60c3129fa4802bd2ca41463988e2b9d64a4b06e35759e3c15b4e4

C:\Users\Admin\AppData\Local\Temp\uwAO.exe

MD5 d89f292b4f49bf63c149ac0397064c4c
SHA1 7fc51a75d59963840dfcc7d8770f691f670e62f1
SHA256 da566bceb9d68ca55d3249d2b4f56b72835667a37cfcd92696e8bf285ddabe36
SHA512 e61e05fdeaa1c8d9df9276aa85fd97f2c230ed99cdaa79a9457f6d6015fe3688206ec2281a97693c251d4a47b7e03faf105c861e0f06336d764f53a369a69605

C:\Users\Admin\AppData\Local\Temp\asAs.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\eUsc.exe

MD5 bd4eceba551f412fa0810f1ac7302641
SHA1 d99cfa376929640d585b765a56b787de12001c8f
SHA256 a91eed5ec6a61db1f4541e4a5e34f894a248bc334eee2b595e01336ff02ed731
SHA512 2adf0389ce33a9056d2efafde1cd8386af855c8f981c4f8638162bc63d93e24955202ed2e78e3d44e640ce047c44de87767fa4f45a7536e32fce4748fbd66963

C:\Users\Admin\AppData\Local\Temp\SMEA.exe

MD5 9f8aaa598a4aabf579ebf603d4a2f62f
SHA1 8355287802ca10cb9f89207f5e1aa42a3f056796
SHA256 a074f7f830bd146c700a1fb90d9a55efbef0f7e2f40d0666ec526befec46edf8
SHA512 485e811e7b4f02dc2f4f1686638842c088cc07d571ca05e8e63f2a4262f498af3354cfae189a411e0b87bc7f86801714533c9eb472df3ca25197b7a1dc0191f0

memory/3008-1096-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ggwy.exe

MD5 8a0d15c352f11f6243ed8161981080cf
SHA1 fdbdfd3da2a912a32af382b26fae03affd71a480
SHA256 927107e395851b85f8bf6a331eb8b23aeb47ff22a52000262cb5bb7d70d20fcb
SHA512 be6fe4d15a75672b9dc3b0e7514b60917d54731e59ff68e2315ee0010ab703a57bcbf088e584d99237516a9eb30efe8eec6d4d1a453ac3ceb985ba5f335e5eb7

C:\Users\Admin\AppData\Local\Temp\OQkM.exe

MD5 0c7b9634bf3e08e672c8f4109fd036ad
SHA1 1f1961ea4a3295a2863880fc303ea607803fc5f0
SHA256 3cec38e71350224ac771e8a6efc4df4168dafbb15a43b175711bbd5df3f684d4
SHA512 524bb0c3ee2e07e5840a5ff571dbb8f9f1e4fdc078e0c4ae41ce4694f5e50130b03f1c0662667eb4ef72fd7ec26780c77f51bcf7b4f2f3d18a4b2229f66204f3

C:\Users\Admin\AppData\Local\Temp\UQYg.exe

MD5 6e9a43432e7e0fb9145f76d5045221d1
SHA1 ded066b511175183b4c36acc6556a0cc035b14ea
SHA256 f8eff1b848850b07203c5771b2f1f531d91600324ab603492c1c3d305f4345cd
SHA512 98be89423ad3906f36812ead6253a36289995fe9af1fb57d38f9576176365a2d432fabb7a4aed3975e90c4c931e600975bd28a7cb073c3db102425fb95adb0f3

C:\Users\Admin\AppData\Local\Temp\swwg.exe

MD5 12bd372b2671e854aed108335f30d411
SHA1 4a5a65291139ef018cc1fecf07fc3e1a7402a180
SHA256 997d40ce79f19528fd565818b1b1dbbf628962e1c2fdfdcb41099fce394a2690
SHA512 0124f9b67996b56d0e7fea53455c485473b4d114178d7284e6d0761728354f9ec0b509053d281f12a815d5329d0680c0a639e721e232b79435deed851178ff55

C:\Users\Admin\AppData\Local\Temp\EAos.exe

MD5 eccd73d7c2f3d231c9a26d29332cbc94
SHA1 33bc29b786065ad299e5796e5c1aaf3f915a2b83
SHA256 cb7159be48f147469d82657d3db5c550673acd559fdeeb04c1082e0399bdc5d6
SHA512 eb046f1b7fbc9962a4dace1e699c6ad764e2f7cd5534d29ab59f742edd80a34150979902988aadd6ccbf9a394bd1fa645d81d6b6d5600ccd56ae8dc4172f08bf

C:\Users\Admin\AppData\Local\Temp\mQge.exe

MD5 0f513d91058a26cb08c5e31bf5e446e3
SHA1 67c2c6193d94fa7d959f11aaebc0be32bebd04af
SHA256 ab75c660eafa7d23ae8551e36a6d98aa236e4fd36c3b8fcbb3175cb62532cdb7
SHA512 c08378d987c29d38c7d6d6b2ef54689f951c6abec21881a32433d0cc596bfc6ec5e849c1b5e7250f598d8b4f3a8db6a1baf9171f2f27ad9a1fef8269eb874e77

C:\Users\Admin\AppData\Local\Temp\GwQK.exe

MD5 48ebd104c319a280660c30c11059f1f3
SHA1 d029e0d5621d5d4d38dd383e2166bc1c588294bf
SHA256 196785816a8230a3f772678fbde23da1e5dfb9faf627c40999df0bcc3a46d545
SHA512 f345bfaec77fc9fc80c085074bf0fe652ae08d92d3ece0b34326d351343c1f59adf9c973238cda6d0afb36962c98bebb73d5b7a6be93f8b69dce0d2040126c01

C:\Users\Admin\AppData\Local\Temp\AwsU.exe

MD5 d6a52229fcd7677798e3e2c11804d525
SHA1 0dbab541f500ceb45a4093ce600c15cde09873d1
SHA256 2ad3ce3f0c385ce38523624204de733544be98e91f2afc756f03a4e4a77234f1
SHA512 f0cfdafb67350f13280d501b8462623d7c9453a3eb64f8e4e5d28d8bf5770b3f65a680db8c728105df60a1f40a8094dbee608f379e347a6db2b06404e83e1ecb