Malware Analysis Report

2025-01-22 08:17

Sample ID 241026-ez314s1djm
Target e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
SHA256 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
Tags: discovery evasion persistence ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

Threat Level: Known bad

The file e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (78) files with added filename extension

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:23

Reported

2024-10-26 04:26

Platform

win7-20240903-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A (42 identical entries)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A (42 identical entries)

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\ProgramData\SKoogMEs\awQoQwYk.exe N/A
N/A N/A C:\ProgramData\uekMocgs\mYkkkEwo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awQoQwYk.exe = "C:\\ProgramData\\SKoogMEs\\awQoQwYk.exe" C:\ProgramData\uekMocgs\mYkkkEwo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZUUUQsoc.exe = "C:\\Users\\Admin\\IQgwowkg\\ZUUUQsoc.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awQoQwYk.exe = "C:\\ProgramData\\SKoogMEs\\awQoQwYk.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZUUUQsoc.exe = "C:\\Users\\Admin\\IQgwowkg\\ZUUUQsoc.exe" C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awQoQwYk.exe = "C:\\ProgramData\\SKoogMEs\\awQoQwYk.exe" C:\ProgramData\SKoogMEs\awQoQwYk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\IQgwowkg C:\ProgramData\uekMocgs\mYkkkEwo.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\IQgwowkg\ZUUUQsoc C:\ProgramData\uekMocgs\mYkkkEwo.exe N/A
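The following host audit is an added example and is not part of the sandbox report. It checks a Windows machine for the registry and file indicators listed in the tables above: the per-user HideFileExt value, the machine-wide EnableLUA value, the Run entries under the user hive and under HKLM\SOFTWARE\Wow6432Node (where a 32-bit process's write to HKLM\...\Run is redirected), and the dropped paths under ProgramData, the user profile and SysWOW64\config\systemprofile. Two caveats the signature names gloss over: HideFileExt = 1 is also the Windows default, so on its own it only corroborates; and writing EnableLUA = 0 under HKLM needs an already elevated token and only takes effect after a reboot, so the sample disabled UAC rather than bypassing it. The script assumes PowerShell 3 or later, an elevated prompt (needed to read other users' hives and the systemprofile tree), and that the dropped file names are those of this detonation; they look generated and may differ on another infected host, which is why the directory-pattern checks carry more weight than the name matches.

```powershell
# Added example (not from the sandbox report): read-only audit of a Windows
# host for the registry and file indicators the report attributes to the sample.
# Run from an elevated PowerShell (3.0+) prompt. Nothing is modified.
# Assumption: the dropped names SKoogMEs\awQoQwYk.exe, uekMocgs\mYkkkEwo.exe and
# IQgwowkg\ZUUUQsoc.exe are specific to this detonation and may vary elsewhere.

$findings = New-Object 'System.Collections.Generic.List[string]'

# Loaded user hives: S-1-5-21-... keys without the _Classes suffix.
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

# 1. Explorer hides file extensions (HideFileExt = 1) for each user.
#    Caveat: 1 is also the Windows default, so this only corroborates.
foreach ($hive in $userHives) {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    $v = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($v -eq 1) { $findings.Add("HideFileExt=1 in $key") }
}

# 2. UAC disabled machine-wide. Writing this HKLM value requires an elevated
#    token and takes effect only after a reboot: the sample ran as admin and
#    switched UAC off, it did not bypass it.
$lua = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings.Add('EnableLUA=0 (UAC disabled; effective after reboot)') }

# 3. Run-key persistence. A 32-bit process writing HKLM\...\Run is redirected
#    to Wow6432Node, which is why the report shows that path; check both views
#    plus every user hive.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += $userHives | ForEach-Object { "$_\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
        $cmd = [string]$p.Value
        # Exact value names from this report, then a heuristic: executables
        # launched from ProgramData or from a non-AppData folder inside a user
        # profile, as both of the sample's Run entries are.
        if ($p.Name -in @('awQoQwYk.exe', 'ZUUUQsoc.exe')) {
            $findings.Add("Run value named as in this report: $($p.Name) = $cmd ($key)")
        }
        elseif ($cmd -match '\\ProgramData\\|\\Users\\[^\\]+\\(?!AppData\\)') {
            $findings.Add("Suspicious Run entry: $($p.Name) = $cmd ($key)")
        }
    }
}

# 4. Dropped artifacts at the paths the report lists.
$paths = @("$env:ProgramData\SKoogMEs\awQoQwYk.exe",
           "$env:ProgramData\uekMocgs\mYkkkEwo.exe",
           "$env:SystemRoot\SysWOW64\config\systemprofile\IQgwowkg")
$paths += Get-ChildItem "$env:SystemDrive\Users" -Directory |
    ForEach-Object { Join-Path $_.FullName 'IQgwowkg\ZUUUQsoc.exe' }
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped artifact present: $path") }
}

# 5. With Sysmon installed, Event ID 13 (registry value set) records the two
#    evasion writes even if the values were later restored by hand.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction Stop |
        Where-Object { $_.Message -match 'EnableLUA|HideFileExt' } |
        ForEach-Object { $findings.Add("Sysmon 13 at $($_.TimeCreated): " + ($_.Message -replace '\s+', ' ')) }
} catch {
    # Sysmon log absent or unreadable; skip this check.
}

if ($findings.Count -eq 0) { 'No indicators from this report were found.' } else { $findings }
```

A hit on step 1 alone is not evidence of infection; a hit on step 2 together with a Run entry from step 3 or an artifact from step 4 is. If EnableLUA is 0, set it back to 1 and reboot only after the persistence entries and dropped executables have been removed, otherwise the Run entries simply relaunch the sample with UAC re-enabled.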

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (30 entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (18 entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A (9 entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (7 entries)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (64 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A (49 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A
N/A N/A C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe
PID 2756 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe
PID 2756 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe
PID 2756 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe
PID 2756 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\SKoogMEs\awQoQwYk.exe
PID 2756 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\SKoogMEs\awQoQwYk.exe
PID 2756 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\SKoogMEs\awQoQwYk.exe
PID 2756 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\SKoogMEs\awQoQwYk.exe
PID 2756 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2628 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2628 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2628 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2756 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1736 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1736 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1736 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2248 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2916 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2948 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2948 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2948 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe

"C:\Users\Admin\IQgwowkg\ZUUUQsoc.exe"

C:\ProgramData\SKoogMEs\awQoQwYk.exe

"C:\ProgramData\SKoogMEs\awQoQwYk.exe"

C:\ProgramData\uekMocgs\mYkkkEwo.exe

C:\ProgramData\uekMocgs\mYkkkEwo.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkogkEYU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qykooIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYckwYkU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JwswgUQw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUgocIgE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSgwcQUw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\byUocwUE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwoEYgUk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGYoYYME.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCsUMEck.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YUkEYgYI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UswgIEww.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYcUwoIk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FmIUgoQU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYsgkcsM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiMAIkcI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIAcMsIY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\meAEwAsM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wcMAAAQA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syUkYMoc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYQAgsIE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByEwwMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zksMsUcE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGksUIwE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKIYEwwE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWEYQQMM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIIAsccw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuYogUgE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaskwsEA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwUUcEok.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQQwIsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lioMkUAo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViYMwAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCEMsUcg.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\acgkoUAI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMQIwIIw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQYQoUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeocgQIE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGAAcQkY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCIkcoAA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImIUskkU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYcYgAoM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp

Files

\Users\Admin\IQgwowkg\ZUUUQsoc.exe

\ProgramData\SKoogMEs\awQoQwYk.exe

C:\ProgramData\uekMocgs\mYkkkEwo.exe

C:\Users\Admin\AppData\Local\Temp\uQssEEoI.bat

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Users\Admin\AppData\Local\Temp\YKkEgAUE.bat

C:\Users\Admin\AppData\Local\Temp\YkogkEYU.bat

C:\Users\Admin\AppData\Local\Temp\file.vbs

C:\Users\Admin\AppData\Local\Temp\oSAEowgU.bat

MD5 788c62d11177db17fa1ed218496a0ca2
SHA1 d9ef75dd5e28be1af4979d102db8b416ebdd9fcf
SHA256 cc732521a355ccc817f1cd054a3f42bb7135549d8e3597c8175c3cc225bdb08a
SHA512 cf929bd9919592fdca0b0f1bf543196e38858261a759a8521678c143dcb34b4f5706a2597db0ff6b4ced0158bb6501fcd8de76fef9e4512d782cbe4253339525

C:\Users\Admin\AppData\Local\Temp\XcwMMwYI.bat

MD5 c18d52fe3b9849dbe7eb45a1d4b54236
SHA1 cce0ed200ff8fae7b20258f1a9636becb43d85db
SHA256 1435bca0ad69d631120a581bbb061856d92b42d607e28b0449d72568cc3d28cf
SHA512 09d51a0a056fe5893c97e6649eb816337668c7d1c26ec88881a0174fe5fb5247b45e43448dcf43d25a89811b6dadd5e97effa1512faf32bd0fada06e2b0c236c

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\lqowUowM.bat

MD5 8001497928053a5212a16816123c5283
SHA1 a4e5af7a89b8781ae646faddb400c43505ffcbe3
SHA256 3776f9ae2a84afd558c255f6a9f660ce73f326516ee5e0e0cd2329c7dbd89eee
SHA512 40d7c9df5e74a1b2c1e2e8aedc93264525672346abe295e3e24390395280377a048032676152c9ab8772100cde4f0b4c9536135820217d7b8cf86f2d240b3bc6

C:\Users\Admin\AppData\Local\Temp\hqMkwUks.bat

MD5 a9b16c606222a7ffeec173676f68a022
SHA1 4a1cdba533ad3f62f48892407ecd872a6fbfedea
SHA256 6cd06e4a56bb146467664c886357c76bf26bd4124bbee215c11c880db81a2a38
SHA512 c174cd1fbaa6f6658cea8206a99dfe17b5fba4b1f97c5213965a469f3211b128467fb19a2950c05a989b831884aa973f47af50d2f1c843b238512221b5626502

memory/2756-129-0x0000000000401000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HEYgUYQk.bat

MD5 5eed9d21e317c59d5de503848dddc8fe
SHA1 8a189edf81a2d21afb57ac3bbe57565d21ebad62
SHA256 7baecd24cf70315bb202c80f197d33a467428544b988af0d167d99a0692565b8
SHA512 9280d2e693fcb019dbb9afd4e35211db2fec406904625ea6a2af2972ae1379c6ac1d5938c20bb6b2e531ad007ef0c8898fb697d8804d3971872df11bc580aba2

C:\Users\Admin\AppData\Local\Temp\oiowsIQU.bat

MD5 b6a20dafab200cf886da81e53d37fb50
SHA1 c810d3a30028c00f69c288fa6150ef53fc2af7de
SHA256 0009e3ec11346ef23a12bd1e5a2efaa8e0a32d6cc77e28f410afeac52ce1015e
SHA512 b95a468b1735585273f7452328fc5ed95d521b3fd87f229e58cf1816a127f7964221b6742c4ae413a416e93d32a71272a1b21a55404c1a3105b8a6ffb2ed2737

C:\Users\Admin\AppData\Local\Temp\wMUgEcII.bat

MD5 d59d479d98e9fefc695db834b5099b0e
SHA1 a0f3a50981d2e36d8461c01f831974f8e2ddc6e2
SHA256 e1d4469a1a4cd835a071b577dd291d23a22fc32d710fa03b5ec1f9002a10f6d7
SHA512 49fb6ee402f4cd7e35c2bde4fe195d35aa3ee9dbf6d9f6c71924902c4c9f676206f6b226307a142c10d67186fcf75e470bedbd2a52d13acd2a24e640b3f98f40

C:\Users\Admin\AppData\Local\Temp\AawgIAoQ.bat

MD5 421651b8028e5430bff592ad4a0dc16f
SHA1 91dddc05b195d2be55e5b781af8447bc9caf802f
SHA256 5f5526ff1ff879ef53b5d460ddb8eed1acbe2a29632ee7644224eb5d08ac77d2
SHA512 6460bc5de7e8579a0bf7d692a55134b51ba876efd9a51cf8add60c6520fbb9ce62f0034ca5049f2cfb0b7f7f9dd69984f26b7b26528ec22dad2e479e4f75c27d

C:\Users\Admin\AppData\Local\Temp\WSQYskEY.bat

MD5 78df61a9468994979122051332826c79
SHA1 24fafb40fb92c2f91d8ceb599646fd058427a7e8
SHA256 f33bef12940ede65f45756c2c523ad308722b4c4b0054062bd966730d0125090
SHA512 1998f188f2815c4777278d8576379a565625768f2ad66e5bc6cb6118637e294b8c24ad77edd3a056f9c374edbde169cd82b57ada57d57d9f1ceadb8feb1afb53

C:\Users\Admin\AppData\Local\Temp\wwIYoYoQ.bat

MD5 3087f1a38934ab119e10fb18d1854b80
SHA1 7b37e615048d7dcb1f731579b9f0fd6dc0cb47c2
SHA256 bab7b4ce1aa765b4111343498a53b62671bf66bb7d6a0ff5651db62e53d99f3b
SHA512 1d55590306bd47b0b5053530e9a6662b4aa6af2df3d0116247dab029b36347662912ae2fff9628b5cf923fa80eb3f6adb56d2876ece70b2f81d33756f02306b1

C:\Users\Admin\AppData\Local\Temp\TykYgMEo.bat

MD5 43a665e9d7ad412a475336916177bb8f
SHA1 e7f9c65d6daf67d76a73ddc8413de124fa6e2d4b
SHA256 2caab00c0d42effab721cf8938c07103a8b763009be907f68041d45a05d10f6d
SHA512 fdf115a8e685d1cd836854bb85a7577cceac407db94ba47ceacc20a2ae6482fa553009ee002a7530412b387daa8608e07f88a0f5fa87478972693805e4ceb97a

C:\Users\Admin\AppData\Local\Temp\tewYcgIQ.bat

MD5 05485c1e9ab9fca0e352074bf3bad598
SHA1 fc1dce08ba35090a198b96923e65a64bb5d0ffef
SHA256 6b0e93fe0fc7d47f50534fc7ceb3ce4ef5f0de991f6b688a770b65cb4d30b8ed
SHA512 1f86e1e4c8ef69af15d8ebe37bb089be5829511fdc87e3520c7a14e36967f7e48d8fa3e6b8644e2824a6189117871891a4312b04e6b2a81b96bdda6e21856b7b

C:\Users\Admin\AppData\Local\Temp\BQIIEIYo.bat

MD5 e77ab1c8be0fbfdad09fe18ce0cd4aa2
SHA1 eda99aa1c5f10ba8982109d8b99ded997d3f2709
SHA256 fe879f3ac9d49e13ee4fd26b0cbc228cd2247bb81a82a62252ce723a0a4d1522
SHA512 769678ab1e101c3d12c5a36b77ee204fe81dfc28ac17cea18280e506c6c873a49b1e25f076aabcc62c2bba9bcd80153797442e3af6556eb0d94058bf0784c123

C:\Users\Admin\AppData\Local\Temp\ToUskIwU.bat

MD5 7551fac9a454c6b8816aad90005325bc
SHA1 863cc626037a8d32ab57f46c2fc5e596123e74b7
SHA256 621b56d372621af781b6c4edc7c91c8f4ffdb8d540806b1af6b8e49e9a6fe5e4
SHA512 475edd29e29e2bcc90d4922d86fab0a4c636cb10ac0e11c03ac7ee16d7d116de6e5ce51d2a4f3bbf1d26c295af601614abcfa8a1f60877e27192dc79c33c637a

C:\Users\Admin\AppData\Local\Temp\uWkEUAMU.bat

MD5 143e13cc75d83e4989e857336c3a7a80
SHA1 aa1f5388850f613276ead263ce017b47c30cd796
SHA256 db87eb217a18b7babfdf8fdd74dc20565a69d034970dd169e6ce6468da22a3fe
SHA512 d29789e7ed964bd7a382281b4b2cff9fa0c4fcec9c511549fe76febadeb7966c1d014f3c374a29b4b945b5f15ff8c1e2ff0b087d437414de1be992e059b8b313

C:\Users\Admin\AppData\Local\Temp\mYwkcIsE.bat

MD5 175fd5faa46b11dc894398bc2ee3e842
SHA1 aa884e6099eb4d930a30e41e9c84ad28ee7a141c
SHA256 69e1574a75975c7f73a6a3d904bddfffc8798361939dd8d01aa15a5330866dbf
SHA512 87b24d9d6fa40330c0b595e13f28beb4c1e1f338e888ab808431f733cbd4bd8fdb550d57ac2d910d185c18eda279f4bb94189a17b10effd7a7df43b86263071b

C:\Users\Admin\AppData\Local\Temp\SascEwsY.bat

MD5 3e8254d284842ad990797dc5df6160f7
SHA1 9cd668062eecb38797585aebdbedad70c0c98c7c
SHA256 2f8b3902bac7d799a176e90a99dbdc47fb339fed52186d9a3b5682b59b13bad0
SHA512 b88f62d77abbac0faacc2d5bc010299e40528376440c3f8b3e2cfeb95ac5f8a2c47b013936b4e9fe2743008fe3192d9d8ceeb00c0ee29c3d160e9bdba583a194

C:\Users\Admin\AppData\Local\Temp\gMQUIUkM.bat

MD5 0362d190163e899ca381e09f4012119b
SHA1 1e7b92fe759f267abafbd5a5c447a857ec5f9afe
SHA256 dab38f239e2b5752c602070403bfa6b8f3694d798cedd14aae250e7ece5e2c1b
SHA512 1753ff7ff7589e45e9f153ac388b3f8431dc5dd5cf7fc068d09b4d127cb9783b25a6a1fd05f39bc301cd6fdd2fdfd2253b22256ddf15fa347121edf255843172

C:\Users\Admin\AppData\Local\Temp\LcYkIIQY.bat

MD5 7122b2f01528edf5e0e537c9e9114ab5
SHA1 14e00f4631e0a70bbfec3e233e11edce0b033205
SHA256 74098ec26ceea89e2b6a4fc8b666a029a5fe0588f39fd0ac6ade01807c91a62b
SHA512 77bd8f27d11453028de6b51201bf58babc4d7ae66b8dbf2722e660325e885711d242d0bd0ee7e3b4b9b308b29bbb42059b9df542d25d29f5be053d54f1776cb5

C:\Users\Admin\AppData\Local\Temp\xKMgkwQE.bat

MD5 4daf2425e989673eae9e5d0fe6b0f3a3
SHA1 8be55414c6c222a625433e41109ce4475b411edc
SHA256 63d840c0cded1007c46273a59e7539a9a166dccf40b2f6f31cb92413b90fb87c
SHA512 12f4be59dd292f861f51f529e0987dd724c4983f853119e17aab963b2f87359aaf2eb8dd52f72f34d4d1b28cea451e5552fdfb49979e4a56cdaa2bd76754fc05

C:\Users\Admin\AppData\Local\Temp\VwUksYAA.bat

MD5 05e213c999a3a83f79c161a7a6597853
SHA1 959593030a59e10db5cf4f5f4f54f7d1daee459b
SHA256 1d96c7f31295c0caa250fc133924050151392553d04f4aa290bfef89e4bd1785
SHA512 733ad8a1377b63c1f53ad6faf1833e08b9bd4dd31e4237bc468a9045b74954961c0f28bd1044f9a093772107e6369be859a2b6a71909485ea21b7725a43f00a5

C:\Users\Admin\AppData\Local\Temp\HeQIIkgQ.bat

MD5 548a5723e67fd1dbab0564f3bf7fe9e7
SHA1 d5e305b1c016c1fda8804d3cabbaac44aa463bb3
SHA256 111ef72f8c66d7feedaeaf4c1b845ff9c67fb17945d7508df4635afbd347d90c
SHA512 29e323f731b06ea5c728268dffa5ace8408d5c72bf479dd430ac523bddc6d9fe1169be5654df765576f7466d8153d9c995b10b86f287aa2d56c96923ea2d3154

C:\Users\Admin\AppData\Local\Temp\PqUwcwEo.bat

MD5 0a540da50a34ebe07d3de7fbd4465ca8
SHA1 a81399a707376794f2be22312fef7269991b8013
SHA256 2306bfa309bf53a255f58fb4d7b0895b43eb4bd9f5a887838567da1498ab2af3
SHA512 f2f2e213d0f0e4de11be5180d62b9d4a6b699cfddff4ddec7187e2b5b92896f5e1c8095cd53041d1f059ca062cf4d2a47775c7ff8192f0bdfb5571c21e9dfeda

C:\Users\Admin\AppData\Local\Temp\AqAskwoM.bat

MD5 409456e7995a7f18a2eb84603a7fbab1
SHA1 22e7af5391dfaa23718d4d7acafdff85e42199b8
SHA256 b0764722d8833ef1c0aaf65c6995385fba36089958f6ebef63077a62c2d34ed6
SHA512 1302412f451664b7db47cf33399078ae01f41e52b73c1b431c077d056bed8526817b6eabb6c67e133e72f57706d07bbd0b7d9502da4dd4a56920f1834c2c4755

C:\Users\Admin\AppData\Local\Temp\OycYAcwc.bat

MD5 d5cc3bf61e91e8bb4ecb73f1780ed59b
SHA1 41c47cc2c7cbb27e7a8ac64119b7ed136322bdeb
SHA256 d0ebd036462214888be4ead5b8cd5c9e3c0cc89a3d316bb5b0ef022b563501f5
SHA512 427b8de6d870f30acaca7a5b7c7ce7424e9f4d002bf22d4ca490b39240b4c0bb79fe81cd12b4e3d8485a0b04a274b954bf9bd0f8239d63d00f1bc7c3abca011d

C:\Users\Admin\AppData\Local\Temp\uOAMQEEs.bat

MD5 b47dba5352dba72c058dcb9c26a92322
SHA1 deb226fc1029a94199adf4dfc2fbcfa4b60b8895
SHA256 19feb686778e3e755d64a0a3c74d7b40fa68e4aaf10b1469035a3be4a0f8358e
SHA512 6bace6f6fce27556821d51970b0fd45b3d495637b46b41d6641b9360ec1b9b867a89c640e24e9e7706efb48767401ac9367150240504b3556f27bf420959c945

C:\Users\Admin\AppData\Local\Temp\QKQIscAw.bat

MD5 de49e970f739a381000f5e6e2b27c8f4
SHA1 99dee169e207be87900aa4ca5bc378b6e8809e10
SHA256 e0c202d30617da2ccc4268b0478fee9f7a00188848454f37bd6002d35225615b
SHA512 3d28c98b66c703708c9b2493f75d52dd32d2e5b880f120265de5e20027afdab25379dcfbf64a5c6358438ad1a30f57a58953d9694d0f909485f75917f3fb9845

C:\Users\Admin\AppData\Local\Temp\XagUowIg.bat

MD5 ceff35230213a3ccaf74eca4962b5b72
SHA1 a9bf23ab37e013eb688ded5d4abf8a29207c1e21
SHA256 110d7951f05e9151a619c9f7c6061ebb085b063f7bdfc03fc5c610b3d33b329d
SHA512 749a880e8e5bdf2106bc0d8b8af055dc3c0a6065e32203e33ac1daaa842e640c4cab051bbbf2472bcecd8a8ba0fdd4eeb541f60a57082a9d3121568613984c41

C:\Users\Admin\AppData\Local\Temp\JwQkQAsM.bat

MD5 d7da8ab5730f0f9cfda7ae0574cea36c
SHA1 0ce585893cece5b5e60307daa38197ddddd5d9a3
SHA256 fd8b7d3afdc4d826013098c58c4fce3d6fcc0a493e8691dadbdc25e8fbb5813f
SHA512 fbd619926475ee4fc9eefe85cddbf31372c4119ec8e67b9d6ceb1fc7a7fb56152baec4c23c279ca0b5645cdb9a8ffc0c002b0704c998b3f32d732e81c2a3a77d

C:\Users\Admin\AppData\Local\Temp\NiwAkIkQ.bat

MD5 c67a05fe01006f720756d2b643363d8e
SHA1 83054e1bdfa345c89ded3d7ecfc4e06c5f12a2c1
SHA256 fa5449add41d9ae6f9149e49df4a0859af1e876ca26eb113bce29e205f3077a4
SHA512 a5ca6dfec747be5f6951e984967324bba44711afd883190b76d1f100665a88c8f63b727d39437c8b777f9d96c1f962e18401b8cb33306bcc68241ea563bd63fe

C:\Users\Admin\AppData\Local\Temp\ZGsgYUsA.bat

MD5 fc802035686c4eb4c0780d7d6a5f88c0
SHA1 75611eb9ae13d839e2ea9e2a65fa846d96b70bbc
SHA256 50de8536864fd9b3f86d118ed65a5cb9eb4a257b95b4d8b0bbfab39cc06fe716
SHA512 8241aa6d0c237f0cc5ace02f5c2f0b9c44e76a0a8164e072dac2ef7c11571ba13ca683c213acad5a27c8c423165d388e880751b39da39cd6d5bee039b3f8abf2

C:\Users\Admin\AppData\Local\Temp\GQcsMMkU.bat

MD5 9f6b66b827b23f29cc960c20e1fedfd7
SHA1 9498700fff9ecaeee4e65f6858fb2232cb28fca1
SHA256 d7f5e57cbc257b14f15f82ebf2bb80dd3671733bda1cf9fce2a620d235cd5b64
SHA512 00dd7dd20b639e09f6014c81e92ce00115b10b6a2b224a5216cdf6239b649d1a74a69e850f6cfe7d1e2819dd93e77ad116272a310458af697cded20690a5914d

C:\Users\Admin\AppData\Local\Temp\gYoAUEcg.bat

MD5 b33b4a27dcf85ae3c886fb804bb54f2c
SHA1 ba2fc9dee5cca5b59ebd5d2fb9eb1df9c4d40386
SHA256 1300fa8e050e483cf69b1a6ed31f2cc0f8808f4a161ad274b1bdc140850225c2
SHA512 89266a421d8cb5905e9e0a7ba6dec13fe091c2b61e86db2e9c0bb4117ae0f055316bda8698460ca2ce614c65c0c0f4d01d7d34f69618806758cb2307f54378a9

C:\Users\Admin\AppData\Local\Temp\AIMG.exe

MD5 6942d150d553985e0d0b4ebc76af659f
SHA1 926b4401bb30e648aec87338ac796d48f45f4535
SHA256 fc64d710f2f3cd94f132d75ca928dcbd25d1c2a8df38761484ec62744597d893
SHA512 3030fa857af42de00cb2863e4692549e540e7dbfae9f835a8491ad9b8aed4fb5fa3f67ee8a7727246173ad6979f509185eb4d3ec6e353d066bf2fbf8320c1508

C:\Users\Admin\AppData\Local\Temp\KQka.exe

MD5 89bebec67d639224fc3493e7bca6a62e
SHA1 6214dcde3acc5ac7352450679953faf444b0f706
SHA256 94606dbad0729828d74dc2666df6b57868801371154042bc8c5a4f43ceef7424
SHA512 737a67f694e4903ff03edf57d88096be1be885c6f7059ffdefa0fdfa5ade0925692fd76e1eca717de20ed0a8ea8d258226d830b1877debbdf7fb46d539847c14

C:\Users\Admin\AppData\Local\Temp\SQUO.exe

MD5 f0db3dbeb79cc080d7ec297d91a27514
SHA1 0714323b275488303149b311da4ca86c501b2b9e
SHA256 c52396428baa660315ef53ab151a52063692af830a78591289a93ffd0a15d7c5
SHA512 5a66d53e38263057ec1e1942fa9b43e4c5cff50d6018497edf98e8178b53dd3334bcba0c241877fa71b187ec419c917089761211ac8382c2898b1557c3eb1db8

C:\Users\Admin\AppData\Local\Temp\WyocIMwI.bat

MD5 cd5469c8054dbc9d0c80e40b3f6f4070
SHA1 26fe6dce79cc85447ca1eb7f5170fe203c7693b4
SHA256 949afabccb83035f610343d3aa7eb55eca6d33deed3aa16e973495e5676163da
SHA512 f060ab33c2360410a21f213b966905336343779ff73906e5394fc538d39a6f490a39d856a9a700743b274015a1025a7c09d7942910bbbd942d190d322eb075b5

C:\Users\Admin\AppData\Local\Temp\IEIw.exe

MD5 bf35eacae7881478a3a9b2a2af2e45ae
SHA1 5b3ebeb8ccf4ae0426362013d260c338250491eb
SHA256 1171742f7c6c5785f293fc52436ec94462feb96013a680f56bd37750cce25eb3
SHA512 64b1d6f7b70e6b5fdcf7059c7177cabda964ee8b0c6eab75997833bb52fbb9a640b59ca8e3ce937884be8597052ff277d533840cfa3a45f2d037716ae79bed57

C:\Users\Admin\AppData\Local\Temp\omII.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\qYgq.exe

MD5 9b025c8520ac99d2a9fd75081514b459
SHA1 60d771936fb08d29ef28f778096764a1c977a147
SHA256 23b4c4d5f652ec46269d53858987edd5b506d7317fc1f8238ddd94604ee08b6e
SHA512 730768814b9dd532fbd4a17d835b746f1e311cedf18978fdc71e5679de84a782553a61e09379db83c357501fb889c8fa1694f781ed0b95adafabe276ac5edf9f

C:\Users\Admin\AppData\Local\Temp\IEYM.exe

MD5 efefb8f8ea22b79c20841943da150bfc
SHA1 826925d2f087226ff4abe09c16bb8da6d514df1c
SHA256 a527fb82c63b410b7bad301589abb56473ceac1b4ec80541ad5a7e67b804b4da
SHA512 8f0c731cbf45ea9e9ccd986c0cce9b192faf9adc664ce191038ed6aa4cf13397e668e964967fd0c7902495c1d3229cc9e1e0fbf583f89b9bba92ac1642d67c85

C:\Users\Admin\AppData\Local\Temp\IoEK.exe

MD5 e33d69a23f1996d989cc0142950e6a67
SHA1 5244aa6f0dca0a852a9836fc1b346dc0f9b40cbd
SHA256 85496d43e42c45a5a5e7757319b584a20df7d695bb1cb0e57326922af09ec54f
SHA512 b49ac1452b826ec3d557bb422e9584140b675837574d794a090c9b54e376945205c6fd0cb736358d346b9a82be84e658661f507440ec757c7ff23631bac2aa6f

C:\Users\Admin\AppData\Local\Temp\Agkc.exe

MD5 ace054ddbb73985dd52904a963312b2e
SHA1 6dd98caccd2ad002712ffdc3e1ea49e202f2187b
SHA256 b2212d649bf79fdd5b4cfe9995e125dfc9cacac25714ec152200616a43ded5b0
SHA512 5280a75c5dc5079f739a784bd476f92c7061a2752dc646edc4b2286e718c11415ef7de97e77ed57b2bb907c786b622f21724342b23e00dcbbff971085f2d81bb

C:\Users\Admin\AppData\Local\Temp\uwUs.exe

MD5 53299aec3a20f23c02136e8f0f96f550
SHA1 3ab6755e074e9302fde8e8b565dc7dc7050b0c35
SHA256 d5a8e6273f103c233b8db0127705c855647f4d7c5f3164357a94c1971fbffb5e
SHA512 27bb6353804e62a8492a396b9b58ee5fa05cfdf566fbc94b37ed5ef1d98fe8aab870d04b1f953c2409779767f5f9032ea81cfe51119cd1a2b113e376682d93f2

C:\Users\Admin\AppData\Local\Temp\KQwQ.exe

MD5 4462d0635a61ea00ae7ad2823ae30cbb
SHA1 27a7b892da7bebc86679876fe99afb960e8b4a82
SHA256 921f0e65a843bf38511feecfcdd0d8382dbdc57da47abe7e2c68379f91ff2cc0
SHA512 13d9bc10df1870e4eeb7bf11629f7a02e51ed1c7733f147f100efbacb6bbdc938fcf578c513091202991e4d78ad9a3c3ad24ba141f189b3ac504168d5e3bff68

C:\Users\Admin\AppData\Local\Temp\sIMk.exe

MD5 58a9e852024fb0f757b15f187908be08
SHA1 08a6ae5bb8c4381ca7623489433ea2d9d91baa6f
SHA256 7a4913f04f37c929266f2ae8c3233f6119adbba8ee0c896beebf7881dc5494dd
SHA512 d7751a6f61b9145347aca108feb0919b22907f1b24c5ac0c39ee39926935c5c2324c49d8352d1dd1a671b82e6cd513c2971b957d8aeb10159f4c247cf10ea340

C:\Users\Admin\AppData\Local\Temp\iYoC.exe

MD5 bf06245b7309ebb6fca999ea95cc53d9
SHA1 471362ce41c7873e55174b895a5589b6d7fc217d
SHA256 7516824b8d84e5a7635eafd8c4353b44df9f5a3ef5c509c7487db2ad9884bc40
SHA512 e561ccb20ec92b0643d7e356e61389a93af8a6923f75abc993bed65ad81fb1a9089652d018b74c6b720f2a751dbfd9887ce4b592ba4359b6cbf4730ce442f03e

C:\Users\Admin\AppData\Local\Temp\AUUE.exe

MD5 1e66f2d13dee0c4c48123071cae2be4c
SHA1 c2b8a7cb2f8d51850d37e426d519e11437b7a6f0
SHA256 5db5362de66732a610734a4f3956ed5f4840db59847cadc75eaded59cb40e959
SHA512 a751d178a892f9b1a1f79ba2b1480a29c9eb74d46ec5ac53d7d68990b8a925840e7120b36b08066388ef86218982285a8e823db04f3127cad5f832db45c090e9

C:\Users\Admin\AppData\Local\Temp\kgYC.exe

MD5 f9c7293254e332018897879c5a102632
SHA1 68a6c0fd1fd15eca61a1835168ff86f26265b3bf
SHA256 7fd5f518aba71d2ef40579a338bc92c663241cdc91560757e76f95080e2ea64f
SHA512 821f1dd0b5ce574d6c8059bf49736fac243e02cf21d13898405853fed05e12de7ca66c9f0d14e94c6af71810b3c903bc406532e722a78a2274d2f91b0a85f71e

C:\Users\Admin\AppData\Local\Temp\uwUA.exe

MD5 855a9373f8ad819d560b7e2f8319ed8c
SHA1 3bdac6e3935e9b665b1124f48504a7da96a25615
SHA256 8bb0d0ae724c2126ff979aeac518a0ca702091025543630593762dd4582756e5
SHA512 c59f6a2117705aae2b018183c65799aaff5d32770a770740753550dd7a5fd4b520c283fdc9c6ce65cfd585096227895e8b3230c774113182fa47c9824f946382

C:\Users\Admin\AppData\Local\Temp\qIkQgcsM.bat

MD5 e23c24d57ff58c95ec4fe287bb948599
SHA1 c5c3757d62aba4f4140c6510ca1493087fed541e
SHA256 834ebd14e912414f4b64b591f8d15fe17c1a319360e26c284521d8afa70eec84
SHA512 98b4829a930892968c4e1bd9e2575037cc649cae12ef11ecf6b13ef3752632fbd80c33ab62c73ed7ca5ba829a540616644a3383e469fa31506d56d0f223378a2

C:\Users\Admin\AppData\Local\Temp\yoAi.exe

MD5 34d3ed9b84888cc875e9135137780b0b
SHA1 7f3a4e67ef04c54da60b2784387c2794c19fcbfc
SHA256 92de87d1c52c1cdf303c53ee322857f25e3624ca3cb275176eabe5d020c19a9f
SHA512 b923df298f1cd4c26eb34e0f9f759bdfa8018c31346d57dcdd8767ce81792dd82c76bb8f8a8cbb7f03c0cfdf57d7a5de1989d3dda10ad9d0af72f640b3ffa817

C:\Users\Admin\AppData\Local\Temp\UkgQ.exe

MD5 2264cd4a44d705a66902757549c770fa
SHA1 cc4199df58b44f5239ce31ce302dbae6c4848bd1
SHA256 4b91581fc6615acd3e476bf9a6b73c62fcef1ecc463972e032e3508f94a0302d
SHA512 18e8f4b802d5dce5ffade18365d91f70e5c295dbaf60ad7b9b578a133347163f14f4a8fa6b3e4a0d64397707ac054b4603fcb2598ee46d0facd387b6c359d9b3

C:\Users\Admin\AppData\Local\Temp\KcwM.exe

MD5 30cdb58b3e9834be43c9fb8a0a2251e5
SHA1 6f4fad91c6eb3c0d51ae339a1360838174844e7e
SHA256 de9f7bad1ab879f800756550ad93fbefdde98d9f11fa84f5d2205822495cf41a
SHA512 f7a1dc3ed6f01b7fe6f2c299d549aeda1a7bc06c93abdd4afcc433c9e1eab75d6efcd2343666f2daad2a7b97836a50b39a0e9852f0ea8aad1dd814ed6b28ff84

C:\Users\Admin\AppData\Local\Temp\gYoa.exe

MD5 c8319954240d3650ef2790d558fb11f1
SHA1 7a06ea0240e77b6701f7ffce81a77dfe886decd2
SHA256 936c30674780a2c04e67c87e8c7061d638840b42e975712d8d8284afc43b8fa0
SHA512 e7121aa4a5bce8922b574ed0c4237235121af90df6424325569c19c6ef88897b5c958198fedd93a99fb2ff4d0521fe6feda729e71ebde8490ee25f63972ed200

C:\Users\Admin\AppData\Local\Temp\AcUw.exe

MD5 57dd419782f52c3ec737a059d2123112
SHA1 aed68321457ac6ed08ab119fd2f97ff8082b317f
SHA256 230c1e660dc43cd26612f138c0dec2ac0c568f5393434aad5d3e35b8fbc9d2fa
SHA512 2ff2160cd8b40127bcea8b7a8e0514fbac9f5a35a8203e75318ea7acf8d88a6c36dbf03da51c5502dc5f998fd4257a5532ebbf67a2d03b618068d3d7f32dc7df

C:\Users\Admin\AppData\Local\Temp\cscO.exe

MD5 86ef41dad9b9b2078c956d3cb7b76832
SHA1 87034de7015177bad3b696049f950cd5acff73b7
SHA256 3821d49bfcc094deb13fcbbbbfeea8ee907c1ece3ddcf2af6a58ff362fbb0010
SHA512 f70f4f1925a2d02e559203f6a40a66cb6edd905840cdd7137f107d37950151288d4bddc83544b60313a44d3f440815b50cd7d729c7e97e90752de87dcb58fe24

C:\Users\Admin\AppData\Local\Temp\OwsE.exe

MD5 d55917699ef1195f0cc2332c4d46f7ff
SHA1 cfb2230bd6bd12d4a44f7523287a7404798bc0bc
SHA256 eecbc280667d5d9750cb2747d4f0370472c6e8479015d13949103f7e6d6f724a
SHA512 a2629fc3af8370db0ad4ccc103244b4ca68928bcd893838a62a8ae29ec397bb5ffca28696f4e15e6763c69e09a5406860ea5eff173e9776ba59ae508b86037be

C:\Users\Admin\AppData\Local\Temp\YQsM.exe

MD5 4f6a36af7af3e2b1a1229588b9c54b8b
SHA1 2ab6b3d2244fba7056d197671a88de2caf912200
SHA256 c8e26c001910cc9d05c8493e513631aa894c8e8345b20eab4821bac497721cf9
SHA512 bd74c25a1b3efeaa6cc7fb4dfa8a84060cf717685a27f9ab831ec10b56f81f08f60d0a2b76c79a130d38246e16c12cb31e0c67252cf0f61c4126d7def8c35ebb

C:\Users\Admin\AppData\Local\Temp\OIge.exe

MD5 cd1c3c04d1076e3b65e6b3e9da268d00
SHA1 5c313661a1b7dc3114d83a6884201aa820f2d23f
SHA256 0a225414a957ed7639358746d6bc5a46e62a8c1a9d4a5e4b8868145b290b163a
SHA512 e58978e625e3aa3a7934799f248dcf9e679da4225d55b6d3ec4d19e30ffc51e5cf1a30bc5aadedda30ca66ef9316d2a023b695875775f56b7090f92faaf68adc

C:\Users\Admin\AppData\Local\Temp\wUoO.exe

MD5 d987c0101185914d02473a6cf520a591
SHA1 d17c70582ed25daa76dff2e64ae456ea3a717ca1
SHA256 54c78baaa0f7d708a55f756950cb57c1907446e3c68b178274e9c2b00a31f479
SHA512 2e9cf8f7c1627aa8f8753a07f34ae053d84d3473213df7b942ae496d09f293bcc08ee01f6c76fc2ae464c0b0a93526b1809a6391f9d5a15a423321248f9f090f

C:\Users\Admin\AppData\Local\Temp\sAcO.exe

MD5 d4cea6f57fef8e8831b39363caf3005c
SHA1 12e519a3b594d48598c10d05e5c27acccbfe90d8
SHA256 ce6673c4b1e2eefa8e7cfd572a3bee729f4865b24f2ae8fe2d823b6ff3ad0042
SHA512 1674c0595aed9ea1161672d6b9198a3639431e0c6a1e87ca29477640f618a12053240688df204c472b0478fb9d78e968942d1a8df3528af100174ddb2c9daade

C:\Users\Admin\AppData\Local\Temp\EckU.exe

MD5 d34dfa5b3d1c9a44ca48a242fc68fc95
SHA1 84ca64250b198b0077bb548e87e62494a7e3c07f
SHA256 295c3391cfe31ad021c11b84d1a1d90d7ef67cc742b7fc60cee7b0f9c4a2d848
SHA512 3edb2e801f33bffa9c38bbc2b88fe7b58b7486cea9f0bc012b2698875513cedefcfeb9b6e94a616a39ad97dc826450c3d7826de9a9cd0609b025771d808d112a

C:\Users\Admin\AppData\Local\Temp\sgkY.exe

MD5 964a7a88bfc81ad670257fcca0e30e6d
SHA1 f94a208a7c5a413512f5c71893f496e9b9c8d672
SHA256 d33574d61b7e2d5a2105fbd2b26264e80b465b476a504cf468283152c4a38151
SHA512 741d23fb210a4b83ea697042eb96e07c5ba11c269f8cc87b640ac0fa598f7349f9165eea581d0de307a973567979baf97e0708c9e48d5a0de996d350a338ff0e

C:\Users\Admin\AppData\Local\Temp\QgIk.exe

MD5 5b180a01874e233521cd3f1e1f2668b8
SHA1 1ae4550a1847238a7d8c586b1b45b085e0a63585
SHA256 5cdcb169d9f9c02aed25500de503d8c646202df3aacfec84fdf9c19619aefa28
SHA512 0c0eca752619a9c1441a76cde237a08b6ac5b711685caf543805cc256d5c5133b5373274a439a0ada0c49f3e04b76c9138370de3450de0e6729c93434be34f26

C:\Users\Admin\AppData\Local\Temp\ussg.exe

MD5 eb6704ac5b50261fa453c20c2ce6e2fb
SHA1 98e2818ccde6cf07abcb38868ccbb9384adedbb0
SHA256 6bba5a2e9a20648f9e5b737153ab451131fb20223f481f4d9a70ce443ea79abf
SHA512 88d8bfd3b401045f02c6212280abd2d013a316686f1dde39ea84fc6dcb191f3ec7c69bd874867ff0811b1ae605d974d2153f5cdab5a7e52974257e7b2d853a65

C:\Users\Admin\AppData\Local\Temp\lUQQsoUw.bat

MD5 0ba831a75ea4a4220ef58fd65669f2ff
SHA1 bbd65fcd7be8c87bd58491bfcabf20913082cff8
SHA256 a435c86dadf59721cb40a085d8a4ffd0792ca81473dc6ed7e2e19c70500b9576
SHA512 89579eef77b0a41867b163c3c70e2c57a39c581e7a911f916603b2b1a05689b0ca6b35bc0d61991e4f0a4599bd1aa233b48023c5f8b127a05c0b731676d3d746

C:\Users\Admin\AppData\Local\Temp\owsy.exe

MD5 62cce115012607d1348295f21a62f129
SHA1 2d5cdf65ef9e7c5cfcd578669750e6407597f3a5
SHA256 8f0aea69c03e8630956b9e5b1d8098ac16e59a4f2c7a0932bc1bd268bef9bdc8
SHA512 c59be27976a35679490f43b410702881e162c31189cc1d6152c4a02765d7c46463ce708904ce8d558e3077a3ecd1f6f0dbb049c6f872523c67bc7f699fdf39b4

C:\Users\Admin\AppData\Local\Temp\UMAY.exe

MD5 31626e6880eb80983011ef959b4b0d51
SHA1 6cea0b2c33e7f7a7dc84ddf05abb82934f04b8de
SHA256 784a08a86bfcab422b75821ab78c7d38c38fd99572e3d144d89c43b21f917e75
SHA512 8a19e98980ff44c8a1b1d9af988d2e54fa8833c27ef66274136f0833699528984a2f7f0fe456e341126a525d4544d6b5cac05c4e9bf5e7ba97f8720fb436c245

C:\Users\Admin\AppData\Local\Temp\AIAI.exe

MD5 fc74fdfab0df94763fa1f994d5945939
SHA1 f12109861c8167eaf917eab1cf4fbe65f0f6bc46
SHA256 409bdcc7cf71f7130185644896c90024b62ab68b53a4e3ad0d3f13a747622a58
SHA512 1f42d98deae65ffb41e2a83729d8448492e1dde354ed759f25fd479f7768190cea04151d964a8a232b1aab4f4b3e5200c583678f9c9f10ab52875ac053bde212

C:\Users\Admin\AppData\Local\Temp\UoYg.exe

MD5 5e60318ef1df56b46d44d5598d923a75
SHA1 4d4d4b41cca3058bf9fa96dd43a3319c94a7ad68
SHA256 1f5f7bef69c2a8c6067b46ab9a4c29ad12f60ff6f135d72fe6fdd26e6872d32f
SHA512 916cfb3bfcfede51566444dc8732b57dbd58e9e9c635cd75e4065c37a827d1c43cfaa7b998c540801af6cb21e7702cb4327e09b0e0c70682f0b5c9a95c90d3ba

C:\Users\Admin\AppData\Local\Temp\swcI.exe

MD5 6ff22e03beef502931a11272e5ae7f28
SHA1 f342161f2ca562004037c5e0ceb2f16eb8cad78c
SHA256 325db6bcb45994ac90e28e63a06cb9e51987fa2e97efb8859eab00f06c894dbe
SHA512 115bf39cd8142b22461315fa3ddd98fdc0f27a74791074705ccf5e76f648a2e04acba18ebcc3a9ab0e2009ab33b191bfb1d7cb359c385cbeb1dbe34913523f52

C:\Users\Admin\AppData\Local\Temp\QYwm.exe

MD5 d791ca0baccfc8c9ef5b82ab3b0e6737
SHA1 d8061fbcaf3c97b89ec46b095765c65ee0c5d20a
SHA256 6653b5cb2026bd2220622cb62ee0cae423d63ac1523a61ee424387fd85213191
SHA512 4899cbe72d8bcd6c16c6b29d4d0f408170cd3bc1b3fbd9d4503b0275bf108dad8626697807c0a95b42e11451f17b73bf71f625788b288c0d10cba1a66c38a830

C:\Users\Admin\AppData\Local\Temp\AAMW.exe

MD5 a8b26028a37c8386b97d28f3bca00518
SHA1 e121858cdf7ed2a3f6a062168ee966b219dbc6b0
SHA256 6156d35e09c49b260ea5a0d58a7e1a1ec68263a90f05dc17b25cfb2e31c08d07
SHA512 c6e06819a91117d5ec5e89563d44a50212fea9f123def329dfbd42384517e09d0066bd629f457adcc68c3e0561f4236d82678102a6ac628b0d664b8d7967b63f

C:\Users\Admin\AppData\Local\Temp\YYAq.exe

MD5 6c6f3ae0c9834ebb4de2cd4e47aab969
SHA1 c4719d6bc26a6c9a092400943531d3e2fd51ef3a
SHA256 6af181aa3b3a32214f903390745cf80450f4cdfdccd72cf47a49155032a8eef0
SHA512 c79e4f94c0f4bc43d1daf9d60ec9e1d19fd6d5928e6d40a9a3ea999e550f19024dde64ee1f420cea03fd1119987fd97f75111b06078065ffce7f46689294a99f

C:\Users\Admin\AppData\Local\Temp\ackQ.exe

MD5 90def61f717c445aefb0dd3e0450aaea
SHA1 f5792e115452ee4e600d79c8a86132fa7c788733
SHA256 f7a6c82e10bd69cb249c75cb5e72c96bacefa8d6a97f71c6014efa1c10d7d737
SHA512 66fa9966aa7fae8b1000286c1a43bf20a99b95d80619911f079faec684b3693494ea92c0288034c7691d9e91736903d7e3c8540c729cb1afb6242fe933952c9d

C:\Users\Admin\AppData\Local\Temp\Mcwg.exe

MD5 8a96c361c86c83a09b4e9ea110cd4bef
SHA1 9258d986e424fd612e0effed4aaed261d7a8b066
SHA256 6dca9691d851cfdea2bab49293536bf93650f77fdf94655a79d07063967a7ee9
SHA512 d9baeba928d25522fa9c88bd7a8c7361fef6b07e0b7d36938a0f72bda4d84f41f0ad9e49168e8dd33725a20321f57c3bd3435e0b50bcf582c9818661adccf754

C:\Users\Admin\AppData\Local\Temp\ksss.exe

MD5 58d2575ad8c0bd33385cf40aa689101c
SHA1 4116474b2449026065211152595f1f9b2faaedbc
SHA256 a89ba3c6f6caf04092a9a57879bfc1ba69eb09cf58ab3ac8ca9ae558ead0e061
SHA512 3a021990d303481c6b616b08f26d47a6aa5631c571e1be632fc7cd21a3d5d083771fbfa981ca2d9e69abb4f9a8a5a2c5445d71c0060ff9eca478136a9ac54e47

C:\Users\Admin\AppData\Local\Temp\TCcYosIA.bat

MD5 5ed20964596a2964c38b171a60d08d49
SHA1 33d4e9ad072eb7f90c132d8a6d150c6f011ca6d7
SHA256 959ffdc693e1d7675dea86dc2453894796deca88e5d9621b3beb80af0db32cbc
SHA512 cb9d8b9485dba9cdf2184d502b4703c126a2e31c4e0909cb481453e52effa56174e261c61cef39ec23086c06eb609e1dc659491ad81b1b052688d037a8601555

C:\Users\Admin\AppData\Local\Temp\wsoi.exe

MD5 b17a0f099c87204a6094636cb43bff63
SHA1 553d39d6cc135eef6aced4cfb0517ff93c236319
SHA256 06c0c1222bffddd69cc22a0419afcbc57f3511d4baccd04d697e2021ebe951e9
SHA512 b4234c9f6be0b0fda867b2c63ae50d5be5c8ee64c5883b8fa9c98ff8daac95ec8012cd4a086834baada4e7d872e9d56d3377bdac7c02bc724f4ab8d1f248d3ff

C:\Users\Admin\AppData\Local\Temp\IAoO.exe

MD5 7026e9e6449327c87c27de56f02b8b79
SHA1 3075b544d052a1e365fbddbb1602e6c7ac1effd2
SHA256 ed3b0277a53149f9b06648190ce8f23432974d2bd1db4c1b37c077e185a3f903
SHA512 37b60ecbc3fa690a2675451ce71aa3d00dddd793f57f154b0a2538f32219e77de1743077a8062f17da5439ee88aa64ba7b443576c0e9e91a7d94cca3e66b11d4

C:\Users\Admin\AppData\Local\Temp\eAce.exe

MD5 55b62f8c57f3562e2135ab60e8a87951
SHA1 76d8269bab7103bcb22806e189ede7d10e2fc9dc
SHA256 e66fabf42507121074f2c0bb8f326f52c8706d6ae558b9921900469e65a89263
SHA512 c0efb794ee286f1a15daf9154e6b6fbd9e5dee5b39eb24c5b6e3a913bbec342b8404100573c77f24beeda8c4f32d8df2f67facf91304333c8c2dcc775f6e4f23

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 c74963466255f5062b1f2243821e0d24
SHA1 76758c0924a85770a325c64633b86fed26be2bd4
SHA256 4b41d5b1d4998b7ed4c00ec055739b26f2d23d4e58c80500b210fc7a2a0d7f49
SHA512 db2199c394566995d27ff5755c088ba683b8cb1f4f7c8f1c6702a1b7e23fdbdb176446f198c31180e296153130bce46d275736f53026397475afdc00415d636c

C:\Users\Admin\AppData\Local\Temp\eUEK.exe

MD5 c1b7334b8e7293c32b1072a435faa6bf
SHA1 1fa0095cfdac6ae1d12301155021e37bb0c75deb
SHA256 cc6f6f84de70a517d3d0632892ee63f9f7c19c6151ab8deff8104c4cf82d8922
SHA512 881dfcad51ddbcc180e3c7196cf33106cf8b8c18d626684c4c0068bee63fd75b31493b39dd3523af1ea5f984ca0945bd8f3fd6b0f6bdac0eef99029357a5a0e1

C:\Users\Admin\AppData\Local\Temp\yQcw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\OAQq.exe

MD5 ac8f2de9b98020cc1e3b1e3bc7448099
SHA1 cb9b0b7e682a6fcbf68ab9c8290e677d631293c1
SHA256 774ba90d5949d5653b092656c608cca81f84eceec61f704e2847c2d6910f1702
SHA512 84d089d946bc19ab256c24a7b14aa08ef956c27a9b194e1a74f9a1dca60b2b66763d40e1f28586b4e79382398b8fa8ac514e3892b68c3dbc0e9b065afce925cb

memory/2828-1343-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uAYo.exe

MD5 e2ef5aace34090bba977862812994d6c
SHA1 3b1a94e94e131a8922c0e66218da5bd33ee9caca
SHA256 912ab6f151b85708b3628ecab86c0ffbf8452b3a72ce3d8c4fe97271eda1339f
SHA512 8ee6dcc7f27c24596bb3b68333956b30f761a9fc57c9eefd44261a5ba647d7fb5673a27b7cb1092f744f246beb2420b31d1527c0134232db2a5393cffaacc1be

C:\Users\Admin\AppData\Local\Temp\KyYocQcA.bat

MD5 aae16f4421b94effdf6b457599b72dc1
SHA1 0a52ffc65b051ec6cd1ea857360692f2022c919b
SHA256 286e79e425d766e4aa5c5c441b88b427320b6b8fe25ebbad79c7d581cc6c92b2
SHA512 54c80e947c5207d3f950ed29ac6d59d598b79fc96dc91f4548d049416f061439ffc3626eecfb2014c7b26d1384633d503ec709dcab5058901d69c787eebe566a

C:\Users\Admin\AppData\Local\Temp\GkIU.exe

MD5 97d3c98bb4ec72c73b1651ba34777c4f
SHA1 1b1f3a7c77da2e5bf3799f4a788c1df65ed54ab2
SHA256 649f35dc371e78b2049f14f90e1a68f647b25c311b8ccad48494ad030dc4c629
SHA512 bcf17aad7fdfd5ec54ee41820f554b5f47261705b1c466936298ef1acaa77c4571548867c382b16d3b0096681feaf94004f2efb314f86c52dd43eebe0cafccf6

C:\Users\Admin\AppData\Local\Temp\uMsa.exe

MD5 f1bde5a87535a61ce4d03756feda032c
SHA1 84aef6d8746e7aa1c0495b660f8fd351aba729ac
SHA256 df2aea7bc6bca9132fbb54657bc46bb03baf0543090e16095df905116b948eb0
SHA512 abae98eefa0c09dd86ff5274dcc5c034de853b7416d068939aef0a47eb2ce4134c8e4d3b722e286a9f550e08908130f8762d66987b8d4196952d27b10255183d

C:\Users\Admin\AppData\Local\Temp\QUky.exe

MD5 9bb431c12d7c03716e4d7768ccd400c6
SHA1 234cff9584dbdf1bbcc684c7572e2e1bd59c5c10
SHA256 18c4c97acd13f0418a138433c9e0441fe4bc65fd1ad0a6743f0f307af309a94d
SHA512 93f2c8d8a752c9ff5d7fd15e7ff3b0400b80bebc0c1406d5ca4e4c465d9f11a57a2903678c839d3bdfeb631023c5087527acf184edab01ad290dee65dcba8519

C:\Users\Admin\AppData\Local\Temp\QEsc.exe

MD5 3632100c7bc10e0658779c67e31f4f43
SHA1 4c12cd8342715ba750ca179112d3c8d68597cbc0
SHA256 5bf29c1ef5280957f7bf53ba14ec04282946a3ab94c84549e7e31a4e8aa421e6
SHA512 d6088ddb000fb25b97609d4e44c2c28342504ac8e9008b3fe4ca36fd25b483a71d205cb2277b1d765b7aa107cd2c896cce9053b039b42f97a4f7e6416d16a535

C:\Users\Admin\AppData\Local\Temp\Wccu.exe

MD5 fb0da5d778fcb5d6754fe77b9c7bddad
SHA1 bf78418872206e691f2072961918458c1b8d4a2c
SHA256 90e3cbabbaaa8667a54ed05a9cf9dfc406e1f7ffe58c5f49a317dde46861ccd8
SHA512 0c399eea43faf7b87e8a7964c65c440a88fb8d3bf57eddbe58efdfcf960b34a0cc18f7840d97d249d380612fdac01ca4ab698fed0c4750eaa163d756247fd4e9

C:\Users\Admin\AppData\Local\Temp\mogA.exe

MD5 1336859599907136b181deb5ce915971
SHA1 6eafc583ed9c6cff35a70c372921c8c9cf5f9859
SHA256 1ea3d252de8e96a48c05198e313ef33ecf25a7b0fe17aea115cf2e5fe6d6844e
SHA512 de06d18f814c24dd62e96579797c5adf98fae3af31be118d956e9e983fe97e1b06c75d9944af1bbc58cbfadd480455604a967adb0035cc352add8d8816ad0638

C:\Users\Admin\AppData\Local\Temp\egAa.exe

MD5 471a0ac50e8034d214e7bc2c24c02aaf
SHA1 b173f8813cea45bdd21326643bccf6426b10c7fd
SHA256 631ed5ac45c18a93b0d3aa5ab81c84bf3125767f02e051376fc6e7b15f9e7111
SHA512 0772497d46db6ba11b5488d6c4d70471bcb2e8c38ecd305c2047856f5a05aa32222c7d6832dca63db9cb4021ea1cd9a3a043df6b30ad542e729be153b1b84ccd

C:\Users\Admin\AppData\Local\Temp\AsgO.exe

MD5 2695fac0c9bd266459e1633dc6e597b1
SHA1 fffd08e61e91061fe459c07b6e385619fa8298be
SHA256 a72db7863272bc741d4373e93ece577b7bc5152582b08c713dcac80a0c7643bd
SHA512 aee2bcf7f52564906d01a602443896fbeb1a113a6aafb3b3b191b05e7ed3a878caa5425af9d57eaa66534d6c10b0a8351dc3c0b95075a0789d7a79543d4d63cf

C:\Users\Admin\AppData\Local\Temp\QAME.exe

MD5 f1781be6a386954bfe391e442b6e879c
SHA1 cede2e1977cea99a7ab39e5ddaea046bd124c34a
SHA256 887e03199b6688c2704b4e9d2191d3bb39e55fc50014212ceb610e7820ca71ac
SHA512 5eeda5d289f5de58a04a4ce2d6b09a6f26f5c7b72fd394b45269c7ce7f5fdde7a281ca8376f331dc281fe3b7b5fd605a32084bbce81548f30d3e3d4139bd0ce4

C:\Users\Admin\AppData\Local\Temp\oMUg.exe

MD5 b56c2e340429aaa78ad206d4de5d05ce
SHA1 66025f7889adc2c1938459b499204b90d558d797
SHA256 2c8e2bc7d251e7bff81708f9f1162b75b74db9a857ebeeb25a4bb5565a7822c8
SHA512 a9cf0719be005f852505778225ed5549e1eb41ceb80d3cf331fed9058002b7391892b02de1041a097ce33ba0bc1fb45110aae997312dfbbcca09b73be1aa7035

C:\Users\Admin\AppData\Local\Temp\aMYQ.exe

MD5 499b85d64b3baf1a15dc3fe9371f369d
SHA1 3f47053bd8685fbabf5fc24ee73e3950cb0fb90b
SHA256 adf3f42aae05673dd1b05fa6d656a7d51e345c5fa935a3cbb35b86c9b15d296f
SHA512 388aa5c1739f16fe1eb193045eafa2c4773a67f7a1f592ce088396958e6671ffccfd7c255d276315cc6b9860a00e8ac21f2401f7061bf05490e4a98fc26b3ad4

C:\Users\Admin\AppData\Local\Temp\WUIM.exe

MD5 14d2427d2732661bbb904a9a468d2b8c
SHA1 244e346bf28f175ad2316cb3888913503fb38155
SHA256 0a005122b06b44684baddca8867da7339fb9b8edf0d2856634853cae64e2bd2d
SHA512 8a876a39ce9924a6be5a96da49b03ae6df72542b1fc04c143a874e6a09a5174521fcbbd52ce41574326d1e9d46e31983b0d62bfa4422d164c044690540f1e3e3

C:\Users\Admin\AppData\Local\Temp\qQQw.exe

MD5 c2585440b629ef996040e50e24958558
SHA1 4c862d76387e86493b3720c4b11297def96c9011
SHA256 5ff00cdcfd6f28edba87823eb90f15c94aa7ab74a82655113f71cec49b286f04
SHA512 c45a4064b56a1943ebc5ee6166486bf342e9ddcf98c5601fac7d09a9c83698338b855864543780ce39b252cdd309c4dd5011806395e7cb0cf51b3152c8caa179

C:\Users\Admin\AppData\Local\Temp\GkoMEkUA.bat

MD5 66e1dd42264a47d1f0ccc9338990e3ad
SHA1 4759a677ec42e302f19930b60dc6f290be41b9b8
SHA256 c420fcd4927deefa88c8a08ead2094aab8e6d534a04841290b98916f1c629b5a
SHA512 35475a002e5e39d24a61b95cbefddb923ed97d25a10b0afe58fc91b0eb5bd98eb5af08374178b919c91fd4c2b31bf8756911f34179acc3bc59150ca80f426463

C:\Users\Admin\AppData\Local\Temp\aMQO.exe

MD5 64c95aea599bc1dc99672a3e3437b74b
SHA1 884d3631f4c915aca7013308e09258f934421aa6
SHA256 32833a6a67b55f128a2b30a0f73a8bb9e501fd4e9bdd6daac913c39b4de926b5
SHA512 e6199e37a43f3adf1516047e6d1c997c1139ba814982ade7d5efe8d90d64de986f453aa9a75b208beb41a577b2e8564cee8f50f6e981de5bfea741f867f97921

C:\Users\Admin\AppData\Local\Temp\QsQW.exe

MD5 9d484d47dfcdf63206c28f9a9bb1ede9
SHA1 2c9edd3e955c790ce9a6bf3d142f995be26815b2
SHA256 9c208de5bea7a4f165d4dc12f7d8a8eb80c85f6b144eb133cbee235f1959cb2f
SHA512 4ad62850ad6f2cdfbcb2e37ce6dd367a3f4930c04862f02932fa3328cb0c3bef5d4faa65ddd56923bdef33d86d9dc614eab773f60435b321439ccfd760c151ac

C:\Users\Admin\AppData\Local\Temp\oIkO.exe

MD5 ce57b7fcc18a5f4093159d7fdd5ddcde
SHA1 18eda4e5cd0d14fb2519f2a0755fc3b72d096c87
SHA256 07fa0d690467c220157649e4af11d6802b6d644927ff6cb21051bc224526c6be
SHA512 96261f8d2d2e07c4a6f4d6aa1ac328e2ee578a7b0119f725fb7e055795626cbd25344f060847ecd8d67e51c6370a94faf3bcfc5869b14e252bb3369565885a75

C:\Users\Admin\AppData\Local\Temp\gski.exe

MD5 68cf925299e7204e1a773a0c90d8f80c
SHA1 f6c6e5cb4378faea1124f8ce69640ec65cd41e12
SHA256 ebb22603ce5df16e6eba2ef80397b7efd645a177313c7e59d1d92883d0547a6f
SHA512 31c6f994cbd1f02f8f82102f1f623cfc8a92186710b6577a1d50687131da6dd92505a082752602cf2d30a53387fb94773e91e2b84ab01af51bc3717da2b7aebe

C:\Users\Admin\AppData\Local\Temp\egYm.exe

MD5 0f9b3a502f79ef0050648ae88a81c3f6
SHA1 f787c089ca6b2fccfa69c11eef43d067e025f413
SHA256 066b5da51dda52211a75b85b828cfc54e16af107701b150743d4490615d67fb3
SHA512 ec56fc34d273ce5bba51a3e1b71479483c1f7825e873e979defe4bf7750754cd4a84b81d9a6e804cc4be0f81cb492def85fa1e2614d04a2b679eb2fb1ec0d63c

C:\Users\Admin\AppData\Local\Temp\OEUw.exe

MD5 afb7d7946cefb5e565bc09fbf4798c52
SHA1 1fd7ba9379c1ce1141e140fa601c71d59bdf140a
SHA256 e7c63662669d8b283d535d5c702d2ff7aa80935a94d18766aa358a9a53a07c37
SHA512 9326972f3e0192efd6ec86b2fe6596dce8e0e557023d4c36941387a9281589648d50670224d32203ebd5cf473e7308d4d605e19d0a4d88f0d630b77e7a76e262

C:\Users\Admin\AppData\Local\Temp\sosQ.exe

MD5 69e1b52ee5ce346eefaf3bba5e6b53ce
SHA1 25f62f54a276c463c444c43655554cd495f166ff
SHA256 7563ff2c935561d09e12593d3f577fe045c6a5d38a473800ccda56577623c428
SHA512 83a0e92fe12d9439277c5fe9f24e8c11d68011ff6b249c16565d4bde37a71eb850bd3ce32b21173cacc0a26b8131bd946b33cee9f1bddea336391848a6692927

C:\Users\Admin\AppData\Local\Temp\qAsA.exe

MD5 029782c782768fd6e773f236072110a3
SHA1 d5690febe41aaaa7834934fc4abbc8493a668fc9
SHA256 b11f3ec8580d511499849fa6ed742d828b70d9f7ce4fee7a85d595da9c4378b0
SHA512 88d4bbc063e76d0a24d2be6be82364e3d3e215fd26d158e1f59addb22439e3cf00234b48f0cd4bb0cc8445a98305b94818fe8deeb6cbe8c82384e5655ea56b01

C:\Users\Admin\AppData\Local\Temp\egsG.exe

MD5 c1cde2893e2dc6b7fc3d3a61b001f780
SHA1 b4400f13c34f596aa1c9bb9e815cd395822088f5
SHA256 11966b0bc9b27f7edc0f6fcbfa85a1aca1b4bb3d97de74d0a134d948677f63c3
SHA512 b4758650fa9628d899aa33cdddb288842295bc84adccdbba5d1b8c5a28ce115b25572048a61d80a9e2f26b899dfbaa28a0b556dd7fdfdcf9cbfaaebedc740f94

C:\Users\Admin\AppData\Local\Temp\OAoy.exe

MD5 c835530a363a3220f2f5168dc3ca6a7f
SHA1 b2b68750e1b5efb2160645259f98337df0e89710
SHA256 4a7650d50f95eb2558d325b312ca4e47278e050cb1292a4fc32afac2d0f523f3
SHA512 9ef476dc6b6886b77756fa4869cd4ab8b576a9b3524edb0aab01e184300f6dc413e6384f861f12eda4b2f4902f71e0e7294ce003d1ac4c4167a312513e9333e3

C:\Users\Admin\AppData\Local\Temp\GgYi.exe

MD5 6f2e3b114db34dce23e4559a02073f28
SHA1 285e4721757195f59d4d6bcded55cb289d6d2294
SHA256 264fdcd52406a69258a5cccb58d3d2df0212f423aff255b4d932b21e32c3ec05
SHA512 286d20bed85c840417ea939323689e4f5d6aa9c7b9c2a33874d84c1b9271bcdeed429c4d38289465c16930ffa22656ba61114bd71f35fd6f948bad43d9f0f321

C:\Users\Admin\AppData\Local\Temp\aQcs.exe

MD5 e8f7704fc6c69659018f1015bae00aa9
SHA1 ea63256009f789046d26a363b3e46ebaf8975c78
SHA256 aa895a2b2796757ace1127bb3747f162afcb03bc4a4341526c28a9cabfc7ad04
SHA512 c2287b80a886d626ce20ca66f799ccd7b346578c2914b6a257961ec075df45fdd1a35540afa84f0771f4ce8683a61e9723d59e1c56f9abbb13c73f4479969e97

C:\Users\Admin\AppData\Local\Temp\qEUs.exe

MD5 a24a7b6fe8209ebd1f366ab14c524657
SHA1 8877152e05b2d6f1cb8fefa738c39129ce54e28d
SHA256 3eaddcec13b8a4f4336e8c9aa283f99ad7808cae2469e1382f31de7c0229469b
SHA512 8240b8659bf9d67367ea1e1b7aee4f7963654e60cb4740b689f2fb31cae4a9f79c707474ad498e57eb46e7f9940d78d6246133ad5f494c56690a62da6cea2b5c

C:\Users\Admin\AppData\Local\Temp\wYco.exe

MD5 a0a6ddaeb381164eba69dfb5459589a2
SHA1 10863d6312d1afaac4357be3a12c7217af019b9a
SHA256 90c90260dd3238eaef2e91617d0937b54e5179828f3608aba8a2ad59fbfd509f
SHA512 54629554002634f892dd42e967db3af5595f1f6a6d28a1de5a5f37396b63c6da9e5034050b30696de9adc428da285b0d44eec27aaaef969a8b691618016977da

C:\Users\Admin\AppData\Local\Temp\AQco.exe

MD5 aead7b4d73642afd05e7d239881a64fd
SHA1 13a6e4f8f2f9f759102fad5a578d011226c4decd
SHA256 8038db91bb573dfdd83acd6e86c44ea70defd0a7e8642c8b7f94042c15943c5b
SHA512 6bf8f47f4cdccd3af1e6b38fbd7ff390d8b0e20e4b9ed13eb0f54b2ea1ecf98daca77c795a6cf70e80a4be00f22ccf2dcae3db316b432ffb93d59bc7caaba9d3

C:\Users\Admin\AppData\Local\Temp\uEEu.exe

MD5 be7e0f072a707e6c2cc1410b72586e22
SHA1 424ae682b2c69d4693e3e7763f8a3b485de7a2e2
SHA256 3fea0f89f42d048d256f6a14df1f5badc4162383e595e713a938a3dccb17a682
SHA512 54d50213d90d0d38f5d7dafd114f0d144ab77683fc49c95419e8508daa5a2c6a3784c62305caf9074ed1a1c5e83479dc2ac4f566e7e5910ce9498c1c1add9ea7

C:\Users\Admin\AppData\Local\Temp\UsMc.exe

MD5 5c3814af221be83481ccb0cbedade8f5
SHA1 b2149f464163f6c9b78546f3422b0e6766198a06
SHA256 299964f86a97e7c259675708537529ff3e9af20cf2e11dd5db2c40b3907c8fe0
SHA512 1c5b02af842293c073cb30c5888097283d74075bff05131fef9187a69179d1f9b8e80cb57b30829a78ce51c5bb2e87146d2ea3bb2ae18cbbe908153d30884e9f

C:\Users\Admin\AppData\Local\Temp\qQMM.exe

MD5 9a53b3719f1bcf22f43b7763c65fbea3
SHA1 bea0bb8c002373e42d0fb3b05c1855c793aaf72f
SHA256 384228ac02d777295aa298ee1178d67b3c5b2687c131f6c4fb112d423e2cb41f
SHA512 448bb42b8eb2f80b52bdea97749eacae31db73c296ee4792641e4011c178439083c844a5ea92680e231456044448d255b821757ff2c6c430d4efa382b6e7f8ef

C:\Users\Admin\AppData\Local\Temp\eoQw.exe

MD5 a2bd58109272930b1872073655840be5
SHA1 9ae7a0ba1453c990c2fc34020700c80d203b8295
SHA256 ed7a52dad4a48e51b6316b4e1ecbfcceb68c19e02aa149acbb32d9a1aa9409e2
SHA512 47bed73a12580ed1d8c4de1877e393294fb3a8ab5c191c3b7d8404ba1e590ec9824275ab2a40b32fe4733d3f946d02717ff511e052f153285fbf1fd75741ea7d

C:\Users\Admin\AppData\Local\Temp\tYwIwMMg.bat

MD5 79f8292735431eab27ee9882eee8392e
SHA1 0586a4c1d12b74f10168fee5a5626978aa1fb1a9
SHA256 49cb10a6fc05d769e045496f637d4b944549b74f77844219239c2ac265d8c016
SHA512 48b1f200305b84ea0bf04492f711027e9fc96b005950c4d0e1cd694941741e9113d86b6487e97ca286eaf48f66584bb135f10aec1be3eae6408bc31b960a6459

C:\Users\Admin\AppData\Local\Temp\iawo.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\AYUe.exe

MD5 8371e31185830d6633de18039032df4f
SHA1 af0afd938a7fade3d0a75c06cebd4a101723b4b2
SHA256 2871b9e002ab6890580d4292dde83c144777b8ec2a710d3f7595b9639d318ec8
SHA512 49f68c000d0c8398465da268c2859fe898fcc1614067716f83b95a45f50cfbf311dd0f0036758b7639a7ea29289a27805251b1792fd0f66b24bd2516fb01f5e9

C:\Users\Admin\AppData\Local\Temp\eAwW.exe

MD5 8f0c51137f6d2d2bda7caccb36a89184
SHA1 eff0d7ae57afd7fe77161342af4eb29a539e692a
SHA256 41c0133dcca7001fe42d8e8c5cbd148f3c4f60c253ac806b9e6cc2ec5ce2f3f8
SHA512 b8161ba025ac60dcd17ced7eb7f183ead485f9fb8c27f249334ca9a39396372ab6ee041f967d60a9be158d66b847587806fad9b09a1c7a31e2f62a99d8b86d3b

C:\Users\Admin\AppData\Local\Temp\kcgk.exe

MD5 8a55812f07017a0b4a3d6fa23ed69fae
SHA1 1d36ca8a875e8a2f5b9e6379846ee7d1877e4bb2
SHA256 85ff79d7709aab5f9cde009dfcb236457e02367f7628b6201d83a770ecbdd09b
SHA512 0fe160b6526b6c8e81b6cd0b423df98849b66d69ce9fa9f172d0a529778659a49a67f1a5a0be1e110d39e550caffc6025d8e30fa95742f22ba83ecc24518f0ac

C:\Users\Admin\AppData\Local\Temp\mowe.exe

MD5 88b1bbf3a2714889a42f8015ed5db28e
SHA1 58e5f0e4e02087a1cc4111e60bdf54ca35dea81d
SHA256 35f82cb7f759f38347848d5d6cb4b130b6f489c7e54b61d6c4c4e8ce55a044dc
SHA512 9100654d2e2b9ac0ff60b300b6ad8c8d28b0a41565b298194a09b3a79998ab6b4c34c81bb173bbee6e84bab426d266e08fb7bf412bc1e0b02f8adb0af0780007

C:\Users\Admin\AppData\Local\Temp\AAce.exe

MD5 1acabdf335c8066abb6d9605cea90e11
SHA1 b8b96571ae00b24ace5eb703972dd5ed11c28932
SHA256 6fd5b63b19d3dc262a838ddef8ea9ec8208ac4c7f38f40a030180d872871bd97
SHA512 e6f65484ef976f8c184eafc9bf99befb5af60508cef0d4fa3b28aa428d5c88891c93bdf321486f9ceac204aa5953b4f44c9b8528c50540880b2f4a96de6c5382

C:\Users\Admin\AppData\Local\Temp\AwsS.exe

MD5 547b59ca1779fcd8dfcec4e1de0989a1
SHA1 2725b4901eb129696e4c020931c6e5a4c1e689ab
SHA256 2d4e8906dcf6f7fbab914d268c5fd94ac1094ae90870d2b736f6f76d33bbd4cb
SHA512 d1230506d7e947722280cd3e9b8148dbccf620d7699515abc7a954a4c85b5467d41989c4878665ffb29ca3a3b562647176f0ae9a6fc3efda0e2d0f849ee22a36

C:\Users\Admin\AppData\Local\Temp\qYgM.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\OgQY.exe

MD5 d6e34262b8af4cbc1f9149aaa0e2eeb2
SHA1 75eab7b70522d9721041c31777b6977c5c029773
SHA256 f79eea2f14e77f5ad73edd85cb578fb587b7accc1812ac387414a2f531036de8
SHA512 0c1ebf99cd5b41bc764e4a522b796631295fed0eb2a397a797b145de3cab88653a55886f121d8640e207eda4d606cf71d7fa3e44396c5f9ff83002ba137c8e04

C:\Users\Admin\AppData\Local\Temp\mEcE.exe

MD5 23687cb3f9226fe5965ba23a04cbc2dc
SHA1 097cce42148706bfc10ce1f31c29853b40dbc61a
SHA256 96409ccc0fdc9cdee01df8d138749f45ba72695a803c9c9fcf7bd4bbbc200d67
SHA512 5c0f0ce3aeb4230ac7b2691a90ad5e2a3173b4d82443d61ae2a0f034bb37a3b7bd7e5652bf5e5afd64f021da92afc2de55721277a188ce07da9206167ed48314

C:\Users\Admin\AppData\Local\Temp\WkMS.exe

MD5 76c2c1f5a22a8f99ec77a30071e37a88
SHA1 051415e5bdf6ca6b7af86d6f6adc54e37ac0ed49
SHA256 503f9e99332721354e3dff84a0bd7883db9c702d925eb1167a1f48d107b341a4
SHA512 d9fb750c85961587b0003c92e1c90223f6e472c82cf1f0483963442beb7b14c7884ae210d8003b26ad62050a5b4afcea2baeb0509f3d7cad05daa7a17b8b2841

C:\Users\Admin\AppData\Local\Temp\qSUI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\yQgi.exe

MD5 84b60922e17420a6e5b58eeb679d69e8
SHA1 63b703726720f908fda060dde83917df612b6161
SHA256 538891999d6164ea3d4d723893e43acdc1c779e02e1def0f27d876ebb44d34cf
SHA512 d5d3ba93d7268935026cdb32a19860c434a3b7365b5e7b75b9dbbcc7bf82c2aa38db7d0b9f22ff604c8cb4ffbd6bb275144423ee9b42391055449156a5064c2f

C:\Users\Admin\AppData\Local\Temp\MIIM.exe

MD5 22c529b59b5e876e0c56f24fd22d1b46
SHA1 2d2999f579a88bf01b5e389df4698d2750ccfbab
SHA256 f0fd9fa1c4f5861f24ac43398158e4fc3db35d2b4b1192454a6efdd9001c6338
SHA512 0b97d71ec6162b4f7429ed71b3d0f050f0008d77699398903750b5fbc95dd750f21e4838b60100845aedd10ddd7e5e3f6f909f9ef91784faf1d87d52bdf8546a

C:\Users\Admin\AppData\Local\Temp\wcIG.exe

MD5 f348bbdd1f8de0cc78ebd8b48e120ec1
SHA1 94b0ae7e2ad7c0384dc131aa2f3320fe0d413b75
SHA256 18e8ab8c9b3d004f0a556bd672b058db367f4588ede5c6aa64aec95f675127f9
SHA512 62a5ff6988c64068d3d1053ce68ac512531d109a81dbbf1d2ab14061f6de1d0e115cbca607dd630df57167bb5db4e3ac6d44abbde9a9bed628232d60410b4b9c

C:\Users\Admin\AppData\Local\Temp\cwsM.exe

MD5 052ab6a778c6623e2f15a8689f305739
SHA1 953cc50651b713fdf313939befff28526d6d1e9a
SHA256 81288e72020273888cf8ea014b927779b95912221ee830d9fa59160effb6d935
SHA512 007d11239809b090deac63e84fcef7c793ebfdc3ae72b272dd99fe905e5440ac166292c2eede45c68b444616ac405d9a4211dd218eafc0398a6ed7b9ba022f23

C:\Users\Admin\AppData\Local\Temp\QQAm.exe

MD5 0a3e9c02b58f02389b7309b4b07fafe4
SHA1 88360189148b2d2542384fb139d0f92abaa5e069
SHA256 46056a87517eba4626e5927e957b7fee0a839505cff1d8325ec782585eaaefd2
SHA512 7e8404d1b1a4ac4542a4d3ed371388cdcc4cbc5833734bb3d4fb13724c5dbd71f5a527a4fe8bdda6f429d5b2ff3319e1ce02f4c0b168b7e3979112f27fc53687

C:\Users\Admin\AppData\Local\Temp\qQwA.exe

MD5 9d744db75168d5ad0bfb50b8ed2ce28c
SHA1 980f30d9bfd24df23435ebb154a2f9080413ad92
SHA256 347ae81be12403dae8159f3747a3b0371b783716a2e43ca9058788635c61e61e
SHA512 27833fb4aaec8c579ce30d3bbf359797f2ef1872db019aa4e6b6f449532cbed001d804c8fecbeb4d8b6dced0ca3a96c58be714489c5dc563884b96554d411c3e

C:\Users\Admin\AppData\Local\Temp\CAkW.exe

MD5 db64c71da96800f609d7bdbef6c72aa4
SHA1 2f795c7f3bc1ace51fa983748aad5a061cefd4f7
SHA256 2af30e341c99c540000136268bc0447c7e7039368492cd563e175407f22d45a4
SHA512 cc4d00ae42b526d2f20e8bf8a36b769e10bfeb569606803cdf2b8592478c474bdb1413c8a881060961e773081985b90ab1385e8292caad9b29649034d8f60f72

C:\Users\Admin\AppData\Local\Temp\qcgc.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\kEQE.exe

MD5 4ff21a01264aa9b1ec06263069036f73
SHA1 7880c33a494d62785f12985bf6a6b77df629956f
SHA256 c63f0d07559922bb44e10f94492a117ea373e528770fcd7fbcc18a4ef0e96d59
SHA512 0fda02207b0a29055f32dd0f463b2c3f3de641bdbda533d05611493a214ea8e4c6c5936f4a1bd42490fb8827c6e28d426a73e770ab4fc241c3939c621836909a

C:\Users\Admin\AppData\Local\Temp\SIoM.exe

MD5 f50fdf21683878f458ff17ada0974d71
SHA1 7b07ca59aff56a5f99f6bf2093b22167419e152d
SHA256 0114ee6171db29f3412ce1c51d04ef994b96d2e3caee70bfba78f57a56278b13
SHA512 7b7f7c88fc9f1821cc38e0cc02001ef04ee598d989d390e9c0fc634e58519aa5fddbf0a819f8b299e56ed4bce35837d32abfb4b2406f4abd058f8119c53cda5a

C:\Users\Admin\AppData\Local\Temp\Quso.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\yEIk.exe

MD5 6039eed62fcfdd15262c030cdb5c7e8e
SHA1 0b4716ae8cd9ee8b5edbe9a8fa7bbb05e16a510f
SHA256 1012db24f524b1cca18f83b7a696f69ff39e6d46888a51a2990cac0b8a7e250c
SHA512 01ead36e38692b09c5858c53d1471723a12ba15c4b454a10f7fd2f086a32c5996ef5a519c2491965789c95087b735d86baaf2b1c85d556f100dd4395d03e26b5

C:\Users\Admin\AppData\Local\Temp\iwwE.exe

MD5 e075a3cff5c00ca9d551dc73aa1ac6b8
SHA1 85f3bee7dddf0ee97b01ecc6001f5dff2034c0d6
SHA256 06b770e2ff2803faafa9924994db585feba2e652e9e9f54788fb5058debdc3f6
SHA512 6d0f5f49d1e4d994d482483abe2d5f80f4e3c1a6f64d70add55bbfba2b6612287f9c4e7df841383fc81266e8ad78e2c1c437f9c9e0d10df1a0a326b57fd7f783

C:\Users\Admin\AppData\Local\Temp\SsAc.exe

MD5 c6614de9a561447735b424db585bb4e4
SHA1 cf9079d57dd76bfdb926a281025df850526f8e6d
SHA256 74a1b3a8bb553b820a7c766807268b998f24da0697294d21751e5a9f12bc6364
SHA512 3b89dd045151471860d15420d2ae730eb4d67e90718c6fd21d6df06e65361159ef733a590f54814303b5afde395c04d21bc720230399782065e642a378dc4452

C:\Users\Admin\AppData\Local\Temp\YYcg.exe

MD5 ca21b608caeedab9d791fe28243c3c55
SHA1 a31a684902e76d55796f54cc56711a442ff59f84
SHA256 043a3afbe0e2620e47710390c2241d41fe7222c63cec21faa100119ccb3e96d4
SHA512 8e62ed3bf67a375191f6a5f0333333941b46af76f340f063972e0192283385ba1b2725b98e739f8fe8cc554eaa0ae191424ad611c2463c2ea22c63b227e7cfe4

C:\Users\Admin\AppData\Local\Temp\cEAY.exe

MD5 cf13977d0ea2f31ade9df5883953fa9c
SHA1 73050faaed261804a8f4e47e99ca30445716072a
SHA256 395514c08dc6c427b04c577cc360a8d493d40a7dc092df6aba1ac23a89721b78
SHA512 8126dd93c3bb9b7c25bff7c8b947768543badf7f7b5c47bfc88744ae028bfab1217fbd12ca1c12aaffae43f58e8efc513e8abad0cc621bb83cd975a62dbd4c01

C:\Users\Admin\AppData\Local\Temp\uIAg.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\MMwG.exe

MD5 3b3e2617966b24509e8febda2b0b574b
SHA1 d604a740309edf740e00a5f8e0ad68b2f2f9a727
SHA256 8168c03c7c5973ddd2faea8c01d965c3b1b65070bc29d16c4efdf01832249f46
SHA512 35723907971b12406c18f83ca3e48c5e862c88783d70dfe3d3dc6134ad478e3361c169e819556b644e24b0b62ba0fd31a1721a0dac9452552993a3d77fd38bd1

C:\Users\Admin\AppData\Local\Temp\KgIw.exe

MD5 a5a433df506a197d01fad04a54d548a8
SHA1 badc8049844d8c71c020007912a9bdfdef0f9bd7
SHA256 17ad49ec87f2c5609ffb14afefa6ee019f70e80ccbe2dbe4f78d69d25af5faf9
SHA512 bda0208fe76c21f60a50f82ab6f753c8f50803697bd2ed8abf7ef50df6bb7369e906bda5cf7313713077f088f176a8b74c3ed87de23e2dae924223353bc40930

C:\Users\Admin\AppData\Local\Temp\AMAm.exe

MD5 ac7b13b5413a7a85adfeb1642dddfcca
SHA1 57c163de7ac9ef2433724ff96077b3d4be57b265
SHA256 383435c884d4a6ef1921fdc634df7fd499f8d1a3d7008a7533a7293cdc6d2ef9
SHA512 fd33ddb68a78825e8bf82940079140630b3862d607746bec5f84f10fd3f627f6fc46c22860fb08d06250faa3473413188ad335ad685f81d9a0ba6486ce678cc1

C:\Users\Admin\AppData\Local\Temp\wkEC.exe

MD5 989cab163d7f6d9c4cbec7cf8c7dc8a8
SHA1 37d879419122e6dda111eea631ea0c7dbfd0129e
SHA256 6eac31f5ec9728a9dc545d2768b9459e76f8b569dfed6518adc465f13307514d
SHA512 26b898e8d919bc400cc834052cd02623acd05ff7d2d7cc825045562d326a2974362a7ae66d6e20db8e41bd2f2d8261e65bea7fdf9bcae2bb1c65eaab41b58acf

C:\Users\Admin\AppData\Local\Temp\YIoE.exe

MD5 5b55a51dba9f2a62486b41edf1f68e46
SHA1 9b07c0bd243774dfe76b8809965cade5fb20713b
SHA256 cb9c650a6827f8771cc1b6cdd609187a81eb7755acc0facd0b717072ba3b845b
SHA512 141903b2934f291bead4913053e458ebf534c1e1061d6ae93fe47f7868d2bf4da142f05716e4d0887fb792322b7c245ece4975cdde1cd84d37a2752f6a661e28

C:\Users\Admin\AppData\Local\Temp\AAUE.exe

MD5 3656e2810344288799a275c503669a83
SHA1 969d7000fe8021c0add0cbf309c3c4eeff345a3d
SHA256 87ca9fb49a6f502f2bb061c4380538d61a9d3323b7c6db828df3e4462bff91e8
SHA512 864e6575943a9cca8f6e96fd6e90a4ce9391b54340c8b254c86d77dd6c0a1c0a1569d6ac6ab17e9e02f47395fb854c447d997324c45014fae126da9eafb2ad5c

C:\Users\Admin\AppData\Local\Temp\eQgs.exe

MD5 29e534c3bdd032b70f027d0bfb7fb631
SHA1 8d381022bd16b6a3bf070dc53fd1683d146935bd
SHA256 5d7c21807c29934e8d9dbaa4bef29e41207c2a05ff441f23c7e290e896f1a041
SHA512 958ee4fd931256b48cf62f85d0fbe94d34cc86e8eb35d046de1d51aa9a8ee41db3077bbe2f9b20a5ed6db18f93aa9801bc9b85840a94d0c4172b3fef068e2c95

C:\Users\Admin\AppData\Local\Temp\Ggcg.exe

MD5 6ac3299f59cccf515def7a2b60649e57
SHA1 d5312f433e2d516a6662a1cbdd5d4899d94cb631
SHA256 ee62a47f98e83c1f2371c005721e72b67dbe5b0723bb9b5c739e12e0d1525825
SHA512 a0ff4ff0c2f8df39573cff1cf8776c99bf985c2b4a22f88fdad6e7c32a103d9f192ab433374f0a2b4c27d827132270b99310c5466eac52232aeb76d0219d820c

C:\Users\Admin\AppData\Local\Temp\usQk.exe

MD5 41f8bf238f67dc54e787d99b2cd02574
SHA1 9abb87b3fcbc0c799e440a6b1baf980e7acec8bd
SHA256 150a0e5b1f9a3dfb58d2fe4b0bf914c409afd8396c5ac5cd763b7382ca62a440
SHA512 279f1e6689ea130f602b6f22eaa95bbbe882bafc7e810727d1c187b89dadfb840b05a09f57650118843f9f85b8644d126fb26ac0484223d557ae662888a4d80f

C:\Users\Admin\AppData\Local\Temp\MQQk.exe

MD5 06e197ee52dfa782733bc031e2435793
SHA1 124de5ffe7f9728a766245330a47b5cb0682e547
SHA256 301fa75d7bbc9d78be999e6056f2879b0c5ce2ab0ca4bf9f22f7dddd94164dbf
SHA512 c323b1f5d1c49b9fcbe3d206054e38a287eb7bba2728e27a1760c8b56c6812ac85aab1a2a02cfc14d02c01345587a4a476e2e1f849725bd059fab47ebb48aaf8

C:\Users\Admin\AppData\Local\Temp\gcQg.exe

MD5 c774b78a468696995be285719e7c62db
SHA1 0790df7545205837d5146aa36f96acd9470812ab
SHA256 f1a77705e83e42f018df367e0c40ad796bd258ceabac2e5332dde9911fb955b4
SHA512 c271a5de402066ec5c6ed669c0194d735e4f7b059f7227704d2e4baafbb23f47b0beb051f5df19e0f221d5deb273bbce295a9d49a8f4fe73ff91b7cdbd21e980

C:\Users\Admin\AppData\Local\Temp\wAQi.exe

MD5 c0250a2fe274be7099b003f40e06bd30
SHA1 a3323660b186f35bfde6ee537d9b6ae37240aac0
SHA256 b5e03c5bee4f4b11072e27545ef2c506918f77fcd99dac38beeb7c8ef1bfdb45
SHA512 a02424059323e625d7eda2cfd8fc4e4058c3e1a1d091bd852660414acbf9f6e8e8f7493c89cbae12fd366480ca71a630844143481e9bebf2c264aeae927d30c9

C:\Users\Admin\AppData\Local\Temp\awcq.exe

MD5 0dfb3952a56bd5ae07306d240e8d911c
SHA1 bbe542ebc134f771819168317dccfd125ee56b88
SHA256 ae6bdd0cc014eb6363df89f16e9533a819d116acb95ed02139aaad2103632132
SHA512 c747eb60124cb79c295577f9a6ca692574a465fa682a56d03b52c1cc245029e03f1cf24fb6b057ffcf9f8286fdb7c8a3b3e303c678bb851b82cb4b7364646f2e

C:\Users\Admin\AppData\Local\Temp\kQAe.exe

MD5 653bb369be0b8398b88bf7c06a132ac6
SHA1 7d7a7600c914d46f2211b202a77278e678c13c72
SHA256 d6ffcd261b34406767ee13e1c97f461213a2f80da006addc4ace9171d33bc8e9
SHA512 db6a1bba83c5015c47a9bf37bc713537e96d1e39012fcbd8e6fba79c4c0a771159923d53e39c10d4eabac81a499233e57d140566d83ca9228d302960a6f03f17

C:\Users\Admin\AppData\Local\Temp\YUMu.exe

MD5 9a4807b77405944c9ee9b493a47abfb5
SHA1 8f9672a6e3f7da3d4eb14698d1c263d4f8d22812
SHA256 dc233876d50b20111813619f0c820acce68326ced7226d1b19629c9efd643d96
SHA512 f7a35d208bafd0ec6da794608b2e8dcdfebf6769ccf2ca24474b5e144accdcfb3220b459ac2c2e5ff83262ecc5016763e1437af017f724f40240053cf064f2e4

C:\Users\Admin\AppData\Local\Temp\kMkA.exe

MD5 4a43d90ab520e28c99aebee3c5e40a0c
SHA1 04d990289fcf4616924375fcdf074f4426621eec
SHA256 d64be397a1c7793b58212b187bd25dcd99d7cf1701f2d5b1dacfc025108586c1
SHA512 fdce8d7ee6c1ff84e685e3f0bf660e293965231d1d4b8da31d48984b40ab21a2eec830559815a800c11106051d712568dc9f562d7dfd82a563f97c274cd6a3d7

C:\Users\Admin\AppData\Local\Temp\YEwe.exe

MD5 e40473552a3fcec803d927d59bb45c00
SHA1 48851d62b4e183c46ebbb6f6627cb818b7d6162e
SHA256 5b8adf1c16be54f959ab02812f647fb581563b383848d9f98c1e3f6c70c3cedb
SHA512 6b263b0d4933f1b2cb4fdaa7a80760fcfbc9c9a8570351c058878a3d10648acd6a4dd1cc5eb6e77424fedbe1474a173eb1ab67a2099400e4d678d534038be629

C:\Users\Admin\AppData\Local\Temp\eUwk.exe

MD5 7f517287b2bde3005eb99fd0e0222a36
SHA1 45d977d0ba71c8b1c0d1708563514083949f324a
SHA256 70a371309aded1f59d0526e876656eeb5ec02411ccda111dae07411f550a805d
SHA512 4131465028a0658047402e4957d66d30c6150df5d8afe363d39baee5e2a19f88b79d0fad974b4dd5c344f64aba4fb6437f9809b5e23df65dc06b41a820ec0090

C:\Users\Admin\AppData\Local\Temp\CEcu.exe

MD5 2b75215babad4ec94a8246e88548d8ce
SHA1 fab2e6b475ba51a1ca57c2bf2912bbce54738000
SHA256 5f9ce3bb5da49faa51213c1a0227cb9a9b06ecb338218b449ed872d753c4f227
SHA512 b1482606b89a8936bddc1e065e2bc767fb573a97bc4c45ed20bf9ada6b05e33573d125af5610bde991505c314c44f449a770859f3fa22f344d1e19ad2e6601b9

C:\Users\Admin\AppData\Local\Temp\kskw.exe

MD5 78e2a415ecfae9ef6a7d3438c5885539
SHA1 8610e8ad5dd946f7912e2a75546730c92fc664a3
SHA256 cd119a68dffaa257eeac5967a7a10589131cc9e16332dde2a4ccaa2897de0048
SHA512 f0f73a98df9a4a5f3cf453fb93bf2d36df80836360cd31996e14082135912ec969f6b07d9f78cbd958dc03df339bb5681855bd292310a4469714e433b49029eb

C:\Users\Admin\AppData\Local\Temp\ocIE.exe

MD5 0f492db961dc45420759034c50c5612b
SHA1 96303b65fa257ad3b7a2dc3a23d9be17998aefa7
SHA256 64a1e0c37b811dfeb322e3faf5cbd3b949e7c879884956e5573c8d94eaea5a79
SHA512 8afbdb308097296f121d1af4101ac674a664f8d5365a99a49ff1c3315979f8980ed16bbc37ea61fe6516f50cec3ee0f6d9eb02675da83c040a2cea7a2d4d3603

C:\Users\Admin\AppData\Local\Temp\cMcQ.exe

MD5 b1e4f0b74be41b6570e3175843cff6f2
SHA1 ac0256f46b029a3f9c6defa0b833c49aa6c84b2b
SHA256 c9c5dda4a2c38893a12f1602c5c43e2898dfd3e9acbdcb0326372e68f56c1016
SHA512 730d78cf7f5439a6ee9971f65b74b04cb20e15abda881f062d9164888f84fd4d5c5631d88736661932beef060a5afdf4c4254c6b377b75608f3cc529734ec75d

C:\Users\Admin\AppData\Local\Temp\GwIK.exe

MD5 433df0b5fc443823d822e30d3cc3faca
SHA1 982ac392bfe72bcf6f1e7bbc7f03722d6c38baf5
SHA256 91647ec90a78209c72b76cef64d18f0f768368533fcf25fd535882871f9ee567
SHA512 03b6ca3bfdad32d8bb5046480b7814a210ae05d3e89a5da635c3e29b0961daef5206d5ad5116eeeecc204486cf7af508bba70a374f8a1a0a9c94dc60c0d849f6

C:\Users\Admin\AppData\Local\Temp\GYkq.exe

MD5 eb00e38ddedfd12376c51319c3d5e2c7
SHA1 125403a6faa485c8d1cbce6867712f4ee4a0439c
SHA256 a42aef39c7a4a67ceecd13bae33fd79df64a17999149983688dc0c645ee1ccaa
SHA512 14c1f46839608e3fd138c996a32be87e2cc5bde553ad68785963bcb379b579be1938559af1f9570d6ee360c607e7a7f93134b54f3fb28b62b1772e499b9dd8e0

C:\Users\Admin\AppData\Local\Temp\IQsO.exe

MD5 94447fa93b3660342e924a65284f8677
SHA1 71b39fdc1dc8486bb04be15c094c2c257ad4edce
SHA256 bce00c0054e61df82cac85536f8110fd880398c67aae7a0065da2666f87fab04
SHA512 8e354fb9e9b3e5ab28b248c1c98e362137feb8f1f886ba64b8ad63dd7819e8e9f442fbafd32fceda6ded3ad5662d2f96ab508f5d7dee665254d2ecee1e724931

C:\Users\Admin\AppData\Local\Temp\sEgE.exe

MD5 8cb5584dfb9b5576fcf96d4c84365451
SHA1 9704ff2fa0d3ba1e6ec7f2ae216b348709ffa7a2
SHA256 ea0d5ec61764e83de7dea275be64cd1a1b3baeb96c35a5305b5ee0fa39c55bdb
SHA512 93b9fdc292fca75bbc403ed7fdced3cd517efbdc788a090c5dcd709e137dc00a05ad27d38c8dfeedcbcb69dc32b09a82385f0d3140495be2177cb1ac2a182575

C:\Users\Admin\AppData\Local\Temp\CkII.exe

MD5 9f437de85558079f6dffd9065d9e3f59
SHA1 c40bfdd1158962c2d2dac4b7dfa7b2f8ea2baf77
SHA256 963925edf5964cbd2b75af8ec731ecc4eca5639c3a0c24ffbb4041258d71d52f
SHA512 961dc24b4cdde90af241151922b3b9d470ba68c9a7980192e747957d938aa5790eab9fae39718cbefcdaa8b64083d37c2a1cdf6d8ad2681c0097015f527c9fd0

C:\Users\Admin\AppData\Local\Temp\CYAu.exe

MD5 f3eff6ce0f09422d1f34a12c46f0b7a6
SHA1 6e8129b3c24bd3cb4ed00b9d445bfe8f747995ef
SHA256 3ec07e010368d013d03de052284974727de8db6951401986ff3507579542ab19
SHA512 4e75d865c934ab47e3b7e1ad719609abcba11854e62232b10bb58fbf548a885276a2fe48b778fe396966868bc319140897f9823b054a1f909decd83549a7c591

C:\Users\Admin\AppData\Local\Temp\qEIg.exe

MD5 1ebf7f977b994e3e781168d70bdfd229
SHA1 81d299f2218a833fe609a7e0780d867947563d4a
SHA256 5fa6cd3022823fea296ed7f70cdf4b8b24650779ac7abfbf2b3e02255fbb92a2
SHA512 489ecb38c9e90db9f9fcd06266255f0fbddf24b1f592bccc95c4fb6bc526cc128414ee5a571355d1f8720940b098ed0c4cbddb55f528371b7d2db3419e82df64

C:\Users\Admin\AppData\Local\Temp\cEsA.exe

MD5 029ecb0639917dbadbdf49d228980d7c
SHA1 83b650bc216d063855404b147560165353b7e0f7
SHA256 89ef95d92578b12e9eb7540ac60d79abd44a9ffe01ad1722651f58431ad07c27
SHA512 38aafa48292e1936240286bfb4e2446fdd361014c1801be4e8a7a0ba1c19edb67e5509302074e86d861cbae2785b9b2eaa13d2ce4402efee7f6e2c02a2b4e4b3

C:\Users\Admin\AppData\Local\Temp\gYYu.exe

MD5 2827fcba6eef9cc5a2c512eb55ced7d8
SHA1 113ccbd684d29dddecb7e43a1951cb258ce7ae91
SHA256 1aeff0507900c8289f64d79cdbc0bb9c6b114cfec23778a473098f24e40b9a41
SHA512 22521c612e14ba27ea240f0a370c8d715d7e5d3185dbfeec07590b59f246c82d614fa44671fc3d2243c3a0d1265153046bf00da104a623f5aab49ddf675fbb3c

C:\Users\Admin\AppData\Local\Temp\usEq.exe

MD5 cb80484ff13a6cdf147209396995f6a3
SHA1 64a4589e44d878f520584c55c219fbb976205553
SHA256 9a7280238b01b07b8ff6979654303d52a38f1e1e85bb8dd329128f0b3152fbd4
SHA512 8cdb2d280a94a973e4369cce0aad146ee20a14cbb6a278ab7936f45e45bc1e9cbd6149f0e82f66bb5332876e201155653f261d075aa79aa4c2b68afdf6387674

C:\Users\Admin\AppData\Local\Temp\QksQ.exe

MD5 80dd5c5ea8685bb5cc0ebacea1aebb72
SHA1 ad69444ed8ebe00598f1541f630b0062d161c45b
SHA256 f564519432bea08fb95eabdcef06fefe4d3c96985ae48e8f9c920991962dd30f
SHA512 87efc2b289478b5e8652ca36075399815562daf9f72514e4743d304ee21a7254bb6ee5cdd1478997d0f73cbddceee0eaf0ac1cf5d9dbcc016e4dcf24c441bedd

C:\Users\Admin\AppData\Local\Temp\qYgw.exe

MD5 cb574ca0cd6b563979482d4fb7e81b27
SHA1 1241aa016608ddff8b5486e388231758eddc39f2
SHA256 95ade005067f0e4fd9cee582c0b442221cbe292bb0fa4499f45c1a3c997dcfb2
SHA512 94f326c8024d9c5ee2e5eed3f55745130121d3e36ee59c044b1dc64096deac973ccad3a4e1669aa6763796a648d48cf62f2ecc10f6d97b82e2b7a402fc497e45

C:\Users\Admin\AppData\Local\Temp\KMcY.exe

MD5 aa4efa041300327e7330da67b0d3492b
SHA1 cec6cc6fb1ad9fa0435bb352f4b270f559f526c7
SHA256 ca366afab4601b1dcf656cab7cbad66adb85908f559ecd7f1fc1ec805d32ab90
SHA512 7bbbc76e5c5c5ea491a8e557f06a1e6e038078286d1e6b7135579e30f631fb6825e3bff016e584062d8dceccd0dcc6b4d21c9541dd2aea730329c148ef7635c0

C:\Users\Admin\AppData\Local\Temp\CgAW.exe

MD5 b7145476b30328aaf1d238e16874dacb
SHA1 11e55dccd3cd3858a62e600e908226b4962c3e14
SHA256 1d393f749ca281a01bec49ae8f48f1104b85f179cbc60c9629d190bed940ce01
SHA512 1b5ca613db47cff9ba577b0431e772485db0b6113aeb3a80fcd5a78ea4d72a4ffe3bbd901773306daa885e59eaaf178e45611235395ec57738034d5257982c7e

C:\Users\Admin\AppData\Local\Temp\Mkwk.exe

MD5 250bcc6e701d63b3d92d37c062892eba
SHA1 fc4dbe826f5f02c7956de5f33fb923288a83dbfe
SHA256 db3de6b63e82818275d243d310cb4a223e46ef4024bca396f5e08fcd7f06d7e8
SHA512 6d2b4bca380d174989321352e4cabd9747ac6338bbc63fd8fa9f18bce8988d611ae9b5917c4cf5fa61c84bccd5e2185138be6ecdf4aec459dcc06b886be0b789

C:\Users\Admin\AppData\Local\Temp\IEUq.exe

MD5 f5646ffffd540d264f7eb3a3a0cb9ee9
SHA1 4e22c8a68cf5792622edfc8e7ea9458805fd87a2
SHA256 bd06f225a74f557bb46949c89a70220fe8e46ca2d8708bddfd6504c6ef8355cc
SHA512 5b2064d7a6509ed8e1e00ae5556481a39989f5ccc642cf3f850c153a5b332fd9a831d265bf981a61879145d13a6dc294da78aba0fb64b79f1845d729d4d8998c

C:\Users\Admin\AppData\Local\Temp\WMAc.exe

MD5 306ae19422277055a5e66156acfb9608
SHA1 15b46663f36a442a5430e95bf22d77c6d834feb2
SHA256 564d2353f8074a07f34a1f4199f56bd70dea8e8cbee1ab9867417549d723d357
SHA512 087b8ce9e1a4502cf9a1166d8212027860ceb3d6afde440894c1aa8eebbecb49c30dc55c2fe5d577387604826fcb093ad6ec0a18dd5c9dc88c1b4c63bee18943

C:\Users\Admin\AppData\Local\Temp\oMcQ.exe

MD5 09f3fe368c52aacd8c9a1e4af4242204
SHA1 6d63cb2f80fb9fcfba3c62d10f1992b652ca03b7
SHA256 df28d6f44e55da8e631e45c843acfdd1d47bb56b1507174030b7dfc4f6f8b9a1
SHA512 9d667d53f15f7f9852dfb2405e573e34162fa27cb11118aca60c55bcf654acfde49c8fbec2cc96c2f0d018d4aa8ec33b9e1730844ec595dea18bcbd617ad7969

C:\Users\Admin\AppData\Local\Temp\EwAS.exe

MD5 59a77473214f92fd05e465d45506a09c
SHA1 e4e21ed1865afe137076d46ec3eec08903f03bd6
SHA256 622c3e43359d3b1fa7c291f13b28f141e067323b7658920c62cd4870225da5d6
SHA512 defdecc6c28f7b1c2d33767699c30c270a0719f79fab35e6fa780fb03d9446848bc7bdc5fa964c25727f3aa936347916edbbae78f7b73ef1ad79c755a07610ed

C:\Users\Admin\AppData\Local\Temp\EEAU.exe

MD5 f9027bc6d54472036460205a0b591c09
SHA1 cae0fc2a4bb54422353b8349b85e9ea9788c9252
SHA256 b89ccfce21d027de030272c0ebfd51e939938eb2d49c298d15a17ac45b12ce67
SHA512 9dcf60b938d632c4028d10a45ddc15b193febd933a743e614775aebe5136734a4a720bb3082916a20b890cbe6dd527f6de0f8a20d506cd1e96568e2bf114c65d

C:\Users\Admin\AppData\Local\Temp\KwEk.exe

MD5 dc068f7d6402057376c4705066c78a53
SHA1 6479025e41a0034b4287587ef305632a77e2b0b0
SHA256 d0231187c1ec9bd48f812c67a492c02e7e0285687720722ee88d101cb821a00c
SHA512 83a1c7c38917a5750450742e69450c2ea286449727d6e89f494427f2fa94cca3a3f8cfb7f6e5a25130597d681f1ecddf8f31e84f45e59dae0347c43d571c260a

C:\Users\Admin\AppData\Local\Temp\ygMo.exe

MD5 052bd12f40ac3aa94ff755e1d2cf0983
SHA1 5c68dc3b6a72fdef71295363a9270b5b790d0b5f
SHA256 435cd9f18579ea947d84ddddcdabf3d037daee7809c2724a13f0d6eb8379ba34
SHA512 9d915a79eda18525352eee4cb1e65c549a6475a0359de4d74c77c4e10a1306e56ec32d3bc3334762d4d3fac5ff08e9efedeb44999fd99e2e5740686abf2d6120

C:\Users\Admin\AppData\Local\Temp\aoYY.exe

MD5 742221e2ab42289dabc09a86ae4cd9a5
SHA1 a3da9ec60ccdff6e708d37373680f8b55f3f5061
SHA256 240c342871700ba203355fa5d55fa2a2996d0ef73342f34aca8e3b486ecdf695
SHA512 af88bb39f3d7d6395ffd436d78ffac00edab2a5506967a93bfec695f6c12aa73b977386d85a9980db875e288b5242691ac2f8e5c0b693c62352705726a5c6a53

C:\Users\Admin\AppData\Local\Temp\UYYa.exe

MD5 f167915cc0e95c255035947fbf031af0
SHA1 87ce52480c7f8174871dcd75806c545998ffa915
SHA256 cea8e80d6a8676be57abb2fa7d052de1405fdb9756cf71307c09a0675c238b98
SHA512 0723a108850a4b13a1dfdba0593be0e8fec44ce5cb0ee9e8df73188c94aca456795f70543d59965d614d365a475c4574fa6a1b5da4d20d437aff0b794dc200e4

C:\Users\Admin\AppData\Local\Temp\oEMW.exe

MD5 855fa9bcca89efa1458292ca28fc4cf8
SHA1 6ca01e1ab6649c1695926f56db79db5a0b6982e7
SHA256 87c0f7d158162238b25a465e40bea3eefb703e0ed56553ec6e14b156a5e376e2
SHA512 84073867781d1814efc75242a9c4bb57fdafee05b4690c958b449928a1b2e63675d7c5e0d486eb2267aaad74ec0226ab37b009361af7e4d877da9b33635035da

C:\Users\Admin\AppData\Local\Temp\WEsi.exe

MD5 40fd1da33040edbb0d2f49a9676931a6
SHA1 1772d15de14a019117ca35fee487bd27371a5aa6
SHA256 c0c8ebe31c64017a0c377c2418481a7f2061c2b0a2893beac6b8d80088c747ae
SHA512 a775908fc25316d8cd8955f752b18583fb1361f886d1df6b67121275ea858e69ed72c72a76583787a41bd2694cae7a98aed1fde12e665d80a837aed671c69013

C:\Users\Admin\AppData\Local\Temp\yIEM.exe

MD5 631524025ff71cdd03a5e2d7b73e3397
SHA1 a0cbda47cce56340e39eea6ad4490749d983c254
SHA256 abc1cd09d14cd12309e089a31d4680f4763b19d3000c49c04210948017b55af3
SHA512 d8077f6bbadf805b41f0b959673e197386ac9e8fd9519aae2e4664a6b3ce3e05f54580e0a6bd5c5d2636a91fb3d49db64b5a83c6f5976daef851c26dc7f113e3

C:\Users\Admin\AppData\Local\Temp\OUoe.exe

MD5 01fcdb0df017982643cc41963f20d3be
SHA1 14207436978e7068273d7bca4a741755147cd003
SHA256 578355c166053b06f9b6a2dd4af37c1aec650a4ada0d7f5aeebed35e5004ce68
SHA512 32379eafbcd3b78b239ec36eed87b9e7bc4121f7a1ca91883c1c10f5472746f1962574b230c00133864f7b65451a0b59ac319d7e71072f8b4f69c209b6a06f25

C:\Users\Admin\AppData\Local\Temp\mEQw.exe

MD5 eb163476e4d7f74931a017ef706f7335
SHA1 0d4283e019eae9fe21f255fe64aa342196970bd6
SHA256 7a4f4f3f65914aaf5ff0a4016e804d689773a9aae9b99eaa9cb3c077bf0cc704
SHA512 c1b0687af7ca0667449edc943401e088342175a86d6b5aef3447db80c5be575ae4bb015021194aef8c52bb341e9d8b3691802517f1dfd062e17f6627cd51db52

C:\Users\Admin\AppData\Local\Temp\UkEm.exe

MD5 21d9c0f6fa5e259954452ee1551738e6
SHA1 ac21c6ae907adc68d9546dfda5c997e6c87b716c
SHA256 ad37ab1a116656aa1d8dbebf79ee78478d5f3170133e653e6cdc5b5021117b7d
SHA512 c42d0b338f4a355d54ebb332d77293f4dbb483deab768bd510d37456863008ccddc77aecb01716176f72d0c9466de77a946fababef7ed56d2e8c1d5f1655050c

C:\Users\Admin\AppData\Local\Temp\Ggce.exe

MD5 7bb92a4247c21d55ebf0e47471b0263a
SHA1 3d6b088103f1d906b1b240a4b5c73749714e05a9
SHA256 1c9b378a2e28c45127b6da59939846d7d74c2b881cbd56080b500cbfd7648087
SHA512 e587bb4d481e0e76c987a0bfc97fc78809633671eb796b5544417f4120923104bc63419c4d119c27f358a5ce8d209c22d9ede675f00ccdfd3a6aea78d1c231d8

C:\Users\Admin\AppData\Local\Temp\aUAm.exe

MD5 85903cb425d18ae02e509fa2768b311c
SHA1 bbc701f091897f2cb4d114fb31d869e8a5d704cb
SHA256 208745c1a5cfa099432b0749f7285a599a91104995b101778b2f87aaa4e87505
SHA512 7fbcfe83d0cbd82cebfca1fa471e572579c3cd839072037d8f84eb6cb6e1aa1dd89dfb31e7524138726b7e2cf6f3329e55c104e0aaaca40df9d84d7f0f13d905

C:\Users\Admin\AppData\Local\Temp\WQYE.exe

MD5 64355ced83010c2e148015c718b988bc
SHA1 cd354dad0bb0053800a08df12bf0b16791b3f248
SHA256 87b2d07c898941bd3369c72f420b0ad6eaa428e4e457dc841d7fc834c2dee715
SHA512 ca856f381457549a015aa6167d45f67fc9fc7815d85d6db0348cb0f18ec25552f30b6209792f0debce72b2650227feb92d656948b6919859a3d7bfa5f8579b66

C:\Users\Admin\AppData\Local\Temp\ackg.exe

MD5 b753c8d00fbfd75f7963f5d4270635f1
SHA1 787d638a32176bd96150be3e2e7750d18ce9320b
SHA256 422dd96a21027f898d4b180e5a8334ff76c46c5f502d362a46dbc394ac5d0550
SHA512 2ff6251ea965bd40f19d6815628cb4f648900b4c53ef2cf963cf1287a40bd257e6fae85f913209b2184421bedd4d911c6ec477c3d1102ffaab3c850f67ae9750

C:\Users\Admin\AppData\Local\Temp\yIUa.exe

MD5 603de0be3232ad04eb827105af381f7f
SHA1 40acbc148ab42159818629db865580a20b0dbb04
SHA256 bc1f6fbd211d9c0fb00133d5e51e3c1a637f9a8291bca9eec34e6319064ecdc4
SHA512 5da4699ec50ad8a1bf4ff85700f117a5833cf4e10ff8ea371194f6b248ffb957f5396f363a32b9a04e088359f8f4bade84b1cc5937e074390f2f3d5fbe581fe1

C:\Users\Admin\AppData\Local\Temp\egsO.exe

MD5 55f98222d8bb33b2eb6eb015ec764d45
SHA1 4af1953227fefdc735dc498af8a2521af13a6daa
SHA256 f61e18b8a0934739ed4fd2493ed3e0084619d1a18ef38f66fd6fa263d32fa207
SHA512 5557782126dc736946b19146b82641d6f3d166d8d779f71fde198b24d66b5bbad401a11dd1c6fedcaca11d14ee0e1806e740d6bc494dcbe9a8dbb21c89a076c2

C:\Users\Admin\AppData\Local\Temp\qIoo.exe

MD5 dfb9893a7f38fc87cc5580c09afba578
SHA1 45c36ce0e208f278c4c729c73fda7aa715c0352c
SHA256 f96dd21a49cfaf9cddeef1c57e079ac10c9495e4206efac7de687a4e7bbaf495
SHA512 4620370ba7d23c8049dbffdf9cb9d41affefe7b5460d067b022e8336d3568a4ef1d8366f5c2214b435ebda83d4fb3154f2b8faebab90f8e879390c5f296a5187

C:\Users\Admin\AppData\Local\Temp\YQsU.exe

MD5 1161f43ff8c4fbed80b2992afc97fc85
SHA1 5e02ddfa8b7fc8f04512ec025488c717ef818a57
SHA256 0c4390b33cb84633978ca345f0aadb3e43b709f7b01c5c3d8867bb789f2d8ce4
SHA512 fc7e4affb2587c213a4c28b5d3cde17a4c19819b7c200f910268ec14b4bde83b5de310c0ea6acda94b0dcaa4fd18118de6c7651d92fa5282a1c731314b874717

C:\Users\Admin\AppData\Local\Temp\CokM.exe

MD5 1b87d64659596ee596cab5002bd3e668
SHA1 48d522498e6e1c4eb4caabde044b26762544ba8f
SHA256 1b6f67d9c82bb13d0891e7ca9abd8a1c21bad027f0b53f296c7cb83f104d90db
SHA512 1007b69c5fb957f12c3d061ce1e931e8e7d60ae10b7e49da2b0cbe4f786b15ef5c46254427e24eb30977e195edc227a975fd54abc9c618e377160428e65350e6

C:\Users\Admin\AppData\Local\Temp\SgEa.exe

MD5 096ef64be590df4fc2775812e96d42b9
SHA1 805dba6dc279079dfd8772e405ad685f967234a3
SHA256 9d33c918edfd157f9ac3ac4c551d98841f66d08fc6dcd899ebe74c2ffc9d9b38
SHA512 c2e2287c83615a7b2c4692d154bd32c8ac27f473cd630b6efc37d82b7befa8406ae89bf392c63f47c1b1b34b642b524e4c3efc7e9146d06e750641f584ebaffe

C:\Users\Admin\AppData\Local\Temp\ioQe.exe

MD5 d2006c3690f2fa511e47bacc9cb5825a
SHA1 f948333222963be77d5fc28e470c2965d6692b4f
SHA256 55780f0764c4cd58c856e143dcb1d2c246ed92a77e62cb0c2a63cd60d8fcd7a7
SHA512 87c3fa41b8493dc3996cc4e93c997392bdebda2a7cda78320610e849e2be74a621319c3bd21c179733bcf4962f2662c800d4f069ccb5e6e0c6db49f03aba8c45

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:23

Reported

2024-10-26 04:26

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(this identical event was recorded 64 times in the detonation)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(this identical event was recorded 64 times in the detonation)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\ProgramData\xyskcwkM\DuogMosY.exe N/A
N/A N/A C:\ProgramData\UAEIcksw\EGoIMAYM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYAMkQQM.exe = "C:\\Users\\Admin\\CAEMkAwI\\EYAMkQQM.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DuogMosY.exe = "C:\\ProgramData\\xyskcwkM\\DuogMosY.exe" C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYAMkQQM.exe = "C:\\Users\\Admin\\CAEMkAwI\\EYAMkQQM.exe" C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DuogMosY.exe = "C:\\ProgramData\\xyskcwkM\\DuogMosY.exe" C:\ProgramData\xyskcwkM\DuogMosY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DuogMosY.exe = "C:\\ProgramData\\xyskcwkM\\DuogMosY.exe" C:\ProgramData\UAEIcksw\EGoIMAYM.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheRepairPush.docx C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSwitchSelect.pptm C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUndoWrite.docx C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\CAEMkAwI C:\ProgramData\UAEIcksw\EGoIMAYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\CAEMkAwI\EYAMkQQM C:\ProgramData\UAEIcksw\EGoIMAYM.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A
N/A N/A C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe
PID 2988 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe
PID 2988 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe
PID 2988 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\xyskcwkM\DuogMosY.exe
PID 2988 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\xyskcwkM\DuogMosY.exe
PID 2988 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\ProgramData\xyskcwkM\DuogMosY.exe
PID 2988 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1428 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1428 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2988 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 4920 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 4544 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 4544 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 1016 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1016 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1016 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2368 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2824 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2824 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
PID 2368 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 548 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 548 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 876 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe

"C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe"

C:\ProgramData\xyskcwkM\DuogMosY.exe

"C:\ProgramData\xyskcwkM\DuogMosY.exe"

C:\ProgramData\UAEIcksw\EGoIMAYM.exe

C:\ProgramData\UAEIcksw\EGoIMAYM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqMIocsM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMcIkUQg.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOEUIoQA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIgAQsUU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMUAwIsE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuQIYMQk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWkIsIEI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeoAcgYM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiokIksc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIYcEUEY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkUIUQgo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCMMIkcA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSQQYYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coQYsYQI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEMEMYcY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGcQAQww.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZssMQQEU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKsgQUwk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEcMAUkU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGMMQIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIAgQIsw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYcsAUsw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sssQMEcs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCYkwYkU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGcIIsIo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuMggYYw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsgYkYkA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcowoUkE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekokIMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCAIQcsY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIQMEIEA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUMksEcs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSoQAoEI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwgAIAMA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOwEAAAc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKkskAAM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMUwIMgY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQIQEMgk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAMgsUgI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qegYocoQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUYwEEkY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAQcMQUk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BekQIIcU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSoEAMwI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOsMQEog.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmMYAQwU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skUcwQoY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKEwoggc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcIIAMUk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKsEkEoo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEccgMYs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEAIcIws.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwQUcswo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwwAAMYw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiEkwcIA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqsgkAwA.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoUEwUcE.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rucskogo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twQUMAkw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayocIows.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AccoEAMs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggEAgwgs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zisAIMMU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCccQkEI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQAwcAkk.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIIQsUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWAMUwgU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIUgIkMU.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMkYQIso.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGIUMkMs.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMgkIsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWAMowoc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akYwUIQM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAMQQgUo.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGQcEsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOkoEwUg.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCEgUAEc.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reEAUEgM.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQsYQwok.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuwAMgcY.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQgAMIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMcgAYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siUYMIIw.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOcEgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZycAYEII.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe

C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tecYIIgI.bat" "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network


Files
