Malware Analysis Report

2024-12-07 10:17

Sample ID: 241112-17hwsssenh
Target: a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
SHA256: a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a
Tags: discovery evasion persistence ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

Threat Level: Known bad

The file a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (88) files with added filename extension

Renames multiple (72) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 22:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 22:17
Reported: 2024-11-12 22:19
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical row repeated 44 times)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical row repeated 44 times)

Renames multiple (72) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xwIcMEMA\VMkcsskU.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\IsIMswIY\QOogQocw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\oisMAEAw.exe = "C:\\Users\\Admin\\KEkYcssc\\oisMAEAw.exe" C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nMwEYgwA.exe = "C:\\ProgramData\\FYAQkgMA\\nMwEYgwA.exe" C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\VMkcsskU.exe = "C:\\Users\\Admin\\xwIcMEMA\\VMkcsskU.exe" C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RgsoEQwM.exe = "C:\\ProgramData\\FSUAcgkA\\RgsoEQwM.exe" C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\VMkcsskU.exe = "C:\\Users\\Admin\\xwIcMEMA\\VMkcsskU.exe" C:\Users\Admin\xwIcMEMA\VMkcsskU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RgsoEQwM.exe = "C:\\ProgramData\\FSUAcgkA\\RgsoEQwM.exe" C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RgsoEQwM.exe = "C:\\ProgramData\\FSUAcgkA\\RgsoEQwM.exe" C:\ProgramData\IsIMswIY\QOogQocw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\xwIcMEMA C:\ProgramData\IsIMswIY\QOogQocw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\xwIcMEMA\VMkcsskU C:\ProgramData\IsIMswIY\QOogQocw.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\FYAQkgMA\nMwEYgwA.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (31 occurrences)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (16 occurrences)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A (8 occurrences)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (9 occurrences)
(64 rows in total, condensed by process; rows listed in order of first appearance)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(identical row repeated 64 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
(identical row repeated 39 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A
N/A N/A C:\ProgramData\FSUAcgkA\RgsoEQwM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Users\Admin\xwIcMEMA\VMkcsskU.exe
PID 2408 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Users\Admin\xwIcMEMA\VMkcsskU.exe
PID 2408 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Users\Admin\xwIcMEMA\VMkcsskU.exe
PID 2408 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Users\Admin\xwIcMEMA\VMkcsskU.exe
PID 2408 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\ProgramData\FSUAcgkA\RgsoEQwM.exe
PID 2408 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\ProgramData\FSUAcgkA\RgsoEQwM.exe
PID 2408 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\ProgramData\FSUAcgkA\RgsoEQwM.exe
PID 2408 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\ProgramData\FSUAcgkA\RgsoEQwM.exe
PID 2408 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2796 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2796 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2796 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2408 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2764 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2764 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2764 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2864 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2876 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2872 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 1568 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 1568 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 1568 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

"C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe"

C:\Users\Admin\xwIcMEMA\VMkcsskU.exe

"C:\Users\Admin\xwIcMEMA\VMkcsskU.exe"

C:\ProgramData\FSUAcgkA\RgsoEQwM.exe

"C:\ProgramData\FSUAcgkA\RgsoEQwM.exe"

C:\ProgramData\IsIMswIY\QOogQocw.exe

C:\ProgramData\IsIMswIY\QOogQocw.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\auIAcQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYssIQcM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOQUQMIM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCAQYQwA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaAUIcsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQMIQcIs.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LScAMEkI.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\raokkwco.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HosAccQI.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sScoEwQY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSUoEEcc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cWkIgEYo.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYwgcIYs.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIEQoIcc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYUswsMw.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HicAkUUA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwkcssEE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCgcUkII.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWosggwE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syMYwkUs.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYwAckwE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOIAYMoU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMMsgQEc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWUQIwYc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgMMwEYk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iiggkIQU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqUEIIEA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQIogAgI.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKwMMkUA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgUwAowQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKUEcYUA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZsswMcEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGQwgwsE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1754605927-340984423-167168386921888357-230830981710110196618290459-1711520949"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmQkYEUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "694750296-987955961-16691143871670224472-10728468211063945443-4546762431783720987"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUUYQIII.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5255969561771799452-17661101601577826348-1800301489-1789568691144050584362924913"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JikQEUkg.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-178429056678760617020049995089779454496159792416798623715615511161045318091"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hggcUgEA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1296442149-1151749934-2115802243-2078857998-821184023-122333189938836430-943119950"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\KEkYcssc\oisMAEAw.exe

"C:\Users\Admin\KEkYcssc\oisMAEAw.exe"

C:\ProgramData\FYAQkgMA\nMwEYgwA.exe

"C:\ProgramData\FYAQkgMA\nMwEYgwA.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 120

C:\ProgramData\oqcQkcYo\twoAUgUE.exe

C:\ProgramData\oqcQkcYo\twoAUgUE.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGIkQEMY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REMQMAEY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "114720633-115816911-1928932872111991232820130540451549162531-1287388595-1678807564"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2592374161372737124353474209-2093370857225833736-3562400851618136619-1521234152"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-718752910-1452793683-21171719571212135934327243485585804305342485321-639815574"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKMwcEIA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwssgggk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuEAYssQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-83403338321108044871918008495-911320055-5090012671150476037-2059126487961283099"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEgIkYkk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jsYgkMAA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1607202905405040214189117155-1627133348-757052321720611994170658544-842198294"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp

Files

SHA1 daf71a8659ea1dc253b406e8aa38424b23dfdf25
SHA256 96f2ebd479377a26c2884b0dabcf3aeac2dfa157fac6e48b3c7bfafc8bbe2612
SHA512 4ff611d7996a75ddb3c6257086bcf7f0b70193ff91e9af13fee542aaddbfecd4499a004f46d08deb407178289b7d013906bf18b0bb783d8e928298b004f3e13d

C:\Users\Admin\AppData\Local\Temp\ikAy.exe

MD5 37c3d8eeda3e54d5a8a79f8d2b00ac63
SHA1 225f8c1036002701ae3481e4e73a2a7ec7f35f42
SHA256 65da052ebad97e3cb440fd56df4fbd0df454db3d48c625269c7fe0e293e663e5
SHA512 eaee874cefbcbcbc7a773306744e62dfa5eae130f5ebeab2cd92db042854eb905c23cfaf3d1e0e84fc9f34cc03973a2041c9beb0540caedac187a1f52c16c307

C:\Users\Admin\AppData\Local\Temp\CkMwcokI.bat

MD5 018e6bc9c1f3b58f3c86215f83088952
SHA1 ab1104fd2737c19c1e23899e0b0633d6049b7edf
SHA256 0ff36aa885e92e93b349d7d1199236488d51c85c130f9b2707a4a2a8eef59e55
SHA512 0281677b30529e7f90cae1ca0dae0d06c79fe8921f5cae6b5a61c3e946636f13f19f135a7afd45442b8b6681294a59c2973f3a2d0b13d35bdd3588f1caa41831

C:\Users\Admin\AppData\Local\Temp\KwAm.exe

MD5 0c83344d8b727b10254770e544f946b8
SHA1 c60d8784bc05a607bd0841b0b0cfd2d9ff288c68
SHA256 30d5a5071032875a9f318a9698b7614959619f808335be4e3fe727611552c21b
SHA512 176761df87a7e367dd823b26dfbb3b760252f24841c38ce69a246f4121b910ae70398aed90f9955f78059d617cea20aa34a1a5ac98ff7205b06693ebf2f6f82c

C:\Users\Admin\AppData\Local\Temp\mgEg.exe

MD5 2d6f1008450dc13afe618e8307edbdf4
SHA1 ea9ba1d86776839b23bc643d09b33a7f69dd70f9
SHA256 fc65e4ed03ebb60b6abc0416f72cc7c9846ed23fdaf0980410232f8b1b615143
SHA512 a19bc757daa5d5bf4c4efba3c3042e899f26fc8b47a8657bcc077d93bf1b01c4feb22bab23c218192e06891758d00fe76ac37b8c4429db18b49187731905c0cb

C:\Users\Admin\AppData\Local\Temp\kooG.exe

MD5 637034e88987c754dc4b6ac28756b344
SHA1 bb639018a86cb66a9db3b4495a7e344b5af753f6
SHA256 4b24a55afb485e3757c1320cc19a1086957db1f831c9a0d67693ab539a9a0306
SHA512 30eb85f472cd6114d5cbf22a16cb751149008efecd8d724236eec326eac19ef4a715e6910180bc61a38bd1bb74b897b88f0869c0b9a1169d7924f5fc3d6180d5

C:\Users\Admin\AppData\Local\Temp\YsMe.exe

MD5 a34f38034de3779dc72299d17cda9483
SHA1 1f662d8798bd070ef2a6b7aa369b4959da2decb7
SHA256 19a5497d69ecf9fe22cf9c3ebe6f638f07002831d19befc999fbd9ba35893771
SHA512 855cc9c4ae78eeea722614dfe60dd8af7389dc2105a0c63bc4d06c062b00ff97d0c694de6d9ff1e0284901b349d00641836215e30a65ec7bd07de2fa705d6243

C:\Users\Admin\AppData\Local\Temp\OwAU.exe

MD5 a9b1587301be07d7ba98552ecd8fbec9
SHA1 e09a6e077ac07fb65d28ec2d28f735af47e87636
SHA256 208c50802c04b336be1a3f96d8331352ec5b0dd2922ff3a5e7a4f6382ce1914a
SHA512 785704542f43b155fbe3c8aed6081f1b9105bfb566f2bce6bd45bc353f8c7df0d55ecc52c8a486f536ae82fdb874916222537b91c3db0e042dfc248efa946b79

C:\Users\Admin\AppData\Local\Temp\Mgwq.exe

MD5 efb89268f5083be8a191b863fe0b5941
SHA1 2ba62e3b368b4a01798abbce8a89a902c8ff622b
SHA256 47f12a8156beaf11348527cbb17f773ecf4004f371d844fcfa260f75744dc7d6
SHA512 15afcf2283926340dd4bf3b90d71a813f5ec21d8a283fd73d9ec699bc0083382d12de6e9aac07beb7a0dacb8df5235012021c1b887a0c9dca4406cff7dadbdc5

C:\Users\Admin\AppData\Local\Temp\ecgY.exe

MD5 74cb5c96faafb2bda87d3b137a465629
SHA1 2f7e0e679f7953cdb16736c5384645555f243030
SHA256 32cae5d4dbe1dd81c32f291969042dbae2638c5c679ba32a2728d7321e8097ef
SHA512 e4504977b9bada3d7f4504a8c866be93bae488985a9c76aa76d70fb5b8f88ec3ed69873b46ea1390e0756ed934eb1e34b62e3bc48f78ba4c848b795312b5af66

C:\Users\Admin\AppData\Local\Temp\OEIEgAAA.bat

MD5 1167fcf179a4dccda0a3dc1ca02bc9d0
SHA1 ee55d92fa61f50e9d4c60d5af0e16893054dd3a6
SHA256 e15bf1c9d231640acc790140177d05702396174568f392712c3c05e81df0a443
SHA512 c9eeb7e747429abde19a747aa94bcd0ecf55fd10e42bfe77a3c889e1263c8ca558b015e92fffd080829576d9053285dcb3f539d10da701aa3a2c1bdaaff81bdc

C:\Users\Admin\AppData\Local\Temp\WwoE.exe

MD5 35aabd266d89d42f1b259ef47bc8f577
SHA1 a96b714d38e8581ed0d4afcdaaffaa8464c1c818
SHA256 68b2ece16894ea908101de80530251c4863122adab1b57e7af97d942de6b1c20
SHA512 920655e7f7af5d95aac914a28adcfb9127698fb03766b6f12bbd81b6cadb4cc59000256fb67eaf0a3d9688e4b78da50a1e22adad455247ee5679c72f4c2ee07a

C:\Users\Admin\AppData\Local\Temp\swQU.exe

MD5 66671c9507f00df0c479ae84132cd449
SHA1 a225ecc4a05cfbaf63206815f2abbff28b81f240
SHA256 cffc0ab5706ce90ddae0e73b355687806d632802128d2c761b1c4aaeb8da14bd
SHA512 0b556597207b66bd8994c543420668e905eecf74cd9bfbdfd8d3917c06224185c6f156514d69e278829afcc096bcd17a6cb2139ea9ec4c54daa1fedacc78dd36

C:\Users\Admin\AppData\Local\Temp\WYEM.exe

MD5 b590d6061f380ec256ecf519ab627e71
SHA1 69b95490ef91ecf0735120662870265d0f54b805
SHA256 27e6c84e7814c1f2f751e24760cbef4eb172cade1b0073812b4c359a77131b62
SHA512 2c1e472f045912269fa6e47f01dc77fb78c447dad72a1b87e9c32475bd00f1fe02719e286014e5f119594c4918ab4ba08c9869d993613fb7766a1da8e944dcbe

C:\Users\Admin\AppData\Local\Temp\MkcE.exe

MD5 08075641e522f072d9d025b2db1ee01e
SHA1 fbfae42d6ebe65203e19c9837609885a2cedf518
SHA256 a49e9a5bc371375c335eef14099bc9a984d89c0815222fa5206d92a68ea1c503
SHA512 5294a8f3b658a008b1053a0a734cc6290968d4a6ecf08e2d668d092c8490102316004306e8cde1a222767eb5b66741198bdd8668840fbe1e771d7550b367a214

C:\Users\Admin\AppData\Local\Temp\aUES.exe

MD5 0b15959a6a09651c82ce29721b553e65
SHA1 2571724ed910c4486c5c6b7a174d2f3ce22f367a
SHA256 54de06c8fcc3c7b501437e2b6ee7ab261020ab6a77b3476f73bfbb371429dd72
SHA512 9151cf0b4699ae4163c336c411832acdbd5ac34183db72b4c0288919737a5a8f81b26938eb91bba0d4d20191acf429c68dfa7c5e55b60d079579f295b41bc01d

C:\Users\Admin\AppData\Local\Temp\iIUg.exe

MD5 68dcf070a9fdbf55bcf2850994715dff
SHA1 27e64642fe57040a205bc9cedb165bb724c43579
SHA256 8e2ee1b395e0d710b6d7a1ad96b9599e301cbb4361359fd61f54beb7ebf49c94
SHA512 13a1171e4b3004ca901dd73f69d40ba8b41f8c899b136c4e51c35227b7fb95bc9a47e0b02a0ce12ba85490baaf0c98ddfda40e9191f27833aa2bd2c091a93337

C:\Users\Admin\AppData\Local\Temp\sYkU.exe

MD5 6b6902b4220e1b3801b25ef2502e36d4
SHA1 83e359588d8ab7c745a510484fd638153fcaa565
SHA256 1a3c7f9bea7e389824dea8baf2ffac9e43ce1300047cceee6121bdb63d52ef65
SHA512 6b05b0c6ef0846efb0ce5f5f7de56f274a8c22eed15c29b225c9cae61cc1061a115be86ff059e290310509b100bc4c3d225a236d1bb0739a5834dcc39b81276e

C:\Users\Admin\AppData\Local\Temp\FUoQAccA.bat

MD5 4fee564c061d0045c2d9f3afdb38ce8d
SHA1 38493082ceef2427d0397f92598db39eb188b80f
SHA256 a5bf4c901e2ad167ad331f0369f88533e2104a37aa762af0e9ac448dd1870b84
SHA512 ad646cb1fe19ccb3dbab9ae294f53ebaf3bd3b965202be1cf2a47cbff96ae43943409b6337c8180afaf8822501271a139b381110834a78f65fb845e6f811100a

C:\Users\Admin\AppData\Local\Temp\WUYA.exe

MD5 a41802fa4443ec59da6175d22fdefa55
SHA1 d3c26aa64697ed0de2b367b9592757fdc69b050a
SHA256 2103e12e8d2371b381db116615a7600f7cdc4be1806877e2a1c25bce0c629ec6
SHA512 158310935ce24f32f80a14efb128bd73744f39da2cacc37763633d28f6d7a24c1d21dd62b8a8868112a8f310377dad9ece6ee8ea455ec434978f9e45768d448a

C:\Users\Admin\AppData\Local\Temp\koci.exe

MD5 c8aa993cb95ce07dc11de6f5b8be1b06
SHA1 45a15bd11146fcc876ff7ba0b850ba2f0302d187
SHA256 cd6698982c8a9b6223cabb866359ec22c49a7952f47b82d533fb5eb250a88b73
SHA512 ec798dbe19bbf7b925afd3ef16bb02e8107400dbdc02d45b8545e21e722d60ba648c3dc0223bc99bfbd50fa4f1ff6a780ba0dec30a2ca4289522e4833ee6f863

C:\Users\Admin\AppData\Local\Temp\gkMs.exe

MD5 b903c53cf40504dbabfa0507d71bda3b
SHA1 39d68b00254ee56cc8c696333b80ed27118080b3
SHA256 ad4ff822f409978d5556924d5821bdd1d3b75bf453b3092e2e853db30c8341f7
SHA512 7a42f13fef5ca310641435a16a54d8fa51feca493f82e765c033fe565fb456092bc7a732a4abe8b488dca1829b404e772582eab672b1653c566bbff0dd1b36a0

C:\Users\Admin\AppData\Local\Temp\essE.exe

MD5 d548ee5a6d152ad69a26097e5243ca26
SHA1 8263f7e424eb7303b1be750746c275b67a4a0791
SHA256 e51cefc1a25840bfcade32d2ccc0f25ddebcc0e878ea2a9105f29655ba5792dd
SHA512 8bf72c87c485cf0ba93a714f434cfff3b5b59929ad4bd7ad0529e3462c00151461961d2b7627c3e913bd27348ad5505549d4f75884dae4769f48e8c4a726877e

C:\Users\Admin\AppData\Local\Temp\QwME.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\UMEY.exe

MD5 a65fb665d645a9f09a09d8a8dcea702f
SHA1 82061eb790b97500de1ec988197f912518dcb603
SHA256 25cfd6bbec06d2a0ac97b6888e824f41799397cda6f6a905000f53fd20b66bd0
SHA512 ba22aacad4d1f1fc55c64551824633d550e7191ee9cc9254afd0135521ed9631dfb5238772aaa87d4e63f4d182c4ca35cb221d804cc2854957926bd5d983079c

C:\Users\Admin\AppData\Local\Temp\kokE.exe

MD5 deaa82468b893a694c799a21e06a6e00
SHA1 df2e89bc4536d0d5abab9ac1e352364484d509f8
SHA256 1f62be0d3cf4060737130adef89a2bc518d0b616de7138039500ca3dcf17404f
SHA512 07b6b7ab27e5020c39c5b2575e900693849e1a57de38b75290599a060d1b034b0e1432632e040a168710918af1f158a86fd4695c1592b0ef998ea360c1cb1f04

C:\Users\Admin\AppData\Local\Temp\NaggoAIY.bat

MD5 94b72eb62ef792b284cc43e2fd69c916
SHA1 628740fe14d6a3139a6959575062f3d10d7bce85
SHA256 44da009485fae41fa3cdab7135951c362007e4ca05e0686350cbd533141957ee
SHA512 e2a5c17536ed1f0d0edfaeb25879c57bbc7cb31b6943235a807e2e2432fc42dd3a0503fc497c91d06cffcc9a7358ad0284a3e71c36cea96737bb67207ed3cfb7

memory/2056-1693-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KEki.exe

MD5 2c05b56b2811dc5d3e7727ae756b2f44
SHA1 9a9ada328a8e7c8bd14e0aec8e1bb5a8efe2193d
SHA256 8b8e40535a9042a7677fed87e21a29ae60bf909c6350586daaee7f8ff8bcf198
SHA512 d7d6e2cce564044571cfa4981d02658c4ebb8f6699f90a404718af890e0a141b917a633558a4bcf48b0a6aa8619e14c2393a15ad19f321976f93e0546a27aa57

C:\Users\Admin\AppData\Local\Temp\EYck.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\Ooge.exe

MD5 ad3c88457025cdd8b2ca96fb55803c75
SHA1 5cfa42cd7940e980372019bea84dcb09f58403f2
SHA256 8dbff27a228612f9cc274a66831a5481d52a097c0bc88b8c29c330890ccd2999
SHA512 74703b439260652324db14f081d8bd00998adc5ee2c7c165f0478c4f14688383aeb02bf9b91e48e3140255cead1b0d06fcbf7a74a5f39bde91f9569d7b54040e

C:\Users\Admin\AppData\Local\Temp\MkwO.exe

MD5 62357df33a9c827798d417ca6b8a9d7c
SHA1 502c3ee24a4b3b9ed9b280f3860260ed651d8bf4
SHA256 d135828c6ee4c3313d6bae0ba00a8f2ef0b48802fc74e6dbfa2c113f6e0741df
SHA512 c8470bd7b2d9c08736123c788ef226422d8d00c1c053037eab952441c1a10ff2331d5478c9c3918c0955847fefaf20c2b0e9402bc022f68f3bf1a646e07d79a1

C:\Users\Admin\AppData\Local\Temp\seYQ.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\qkgO.exe

MD5 43a759da3c5072b1fe658aa28681d337
SHA1 eeeb31b2b61580221146380d734bed7243fd38a4
SHA256 5de0fe0126f8f649319133e9b318558824aed295fee4cdae1ef9d96c3f7fec04
SHA512 741098d053ab386207d2d62319dea24483d1c431213e584fc807129eaf394a339fa2a554319d6f0a97bc910dd46660a48e35bbef08c9d107438e38a9b24e79b5

C:\Users\Admin\AppData\Local\Temp\UIok.exe

MD5 f912664927bf52b1f56ab28c8f559c38
SHA1 568fbea1128a166b033e66653248aa79ff60c902
SHA256 b6824f6fd2b0ab3e4fac9c8cab73762aed4fb57d380b968c4e2dd43771fc37d9
SHA512 3e4f46b66a0a32f4b8c9c1a52932093aa010c3d2ec5d738e34431de5fb5d85fa37e8c49bb2ab1490dde85ba6640adba8dc82ff7517c9b76774e93a4dcc1c785d

C:\Users\Admin\AppData\Local\Temp\ogoG.exe

MD5 39a8da6860b507d2fd8af41363be5829
SHA1 0a903390028c2ea25731d59a31f8cfc9393f463a
SHA256 c70f1632038cdf15e62ad352842845a8a564eab4a2f90f2c7eab85e84ce9c879
SHA512 62254579bc6e93f5b45288fd19e87b15a9aec4ba576ee89fe36d3521ea5be685cd6fe1b775d81bebd1698b63e5ffc1587a2272e90fab3ff9b0763611874fef98

C:\Users\Admin\AppData\Local\Temp\AsEs.exe

MD5 15f73011ac3e609c8f082f0f4b5a95d8
SHA1 f19569255179eb3a3d7afc0392d1706210c29087
SHA256 b4e5b51de2014e04a1bac994b0f3a6b23307741fe1ee5f8d3eb63b8f2a80f064
SHA512 841660b34661aea7121c58858e1370970a01c4feebc1342860e4059367484a2b9734380eb0938442111c17ee717fa8a5cd15b6cb5f4b6fcb920f7f5dac87b68d

C:\Users\Admin\AppData\Local\Temp\qoMo.exe

MD5 70848fb18164b5d7f0272e1509851899
SHA1 b6ca708a2b510c1a72036cc73e3689d4ad3fa81d
SHA256 37118c8d15f50bb8d16ae52e8d2c24794075645ec19ac7945a116c0fec4072fc
SHA512 379d84c4074fb8c16d280de54d69a254fd303353676cc960e2fba4519bd07925cdb7d519f781b0efb8f2897c123e080c01c604f88bde5d36b16ce6cc649ddcea

C:\Users\Admin\AppData\Local\Temp\wAQA.exe

MD5 d49eaeeacad06ea0c113ce49adf76bb3
SHA1 92b7a1bfe12bb324abf2c5a38c9dbc3f86ee9c38
SHA256 6dbb79c93036573a3309ce16766a774ce04ae5b4641cefd876aed2d5c264217e
SHA512 5e02a47ec3242bd029a74c9a07bfe832d879f3b2576cd3e3a592261f733ff705927de51cb13189da974ba2a184ca5bd74fd1d3a96289cef2196ba8b77d992fcb

C:\Users\Admin\AppData\Local\Temp\SUgg.exe

MD5 57b3c2879bf0673657b439ab2e83d103
SHA1 bbb624e42bf368b73f5d2023590ac201e6a3e72f
SHA256 6eb6ef2fe2bf413e7f284cfd16db2c335194363a35196c2f22cd86563f9047c4
SHA512 fde0317dcaed6a3be789dd140c5c8634aa63a9728c0725bda31e523803b660fcdfa21d639ed15bd4cdda96f1a32195ef75ab2146073ec957162c2ee322b8b75a

C:\Users\Admin\AppData\Local\Temp\IMAi.exe

MD5 1665310d0e8ff70b9e9581f3e2b7a934
SHA1 49ce7c7668bf7f01963670abee3303da8e585834
SHA256 7c1c532acb1dd549877c3dc623ebc7520fc91c4e17ecbf715cd39eb7b4fccfdc
SHA512 ad7ce6d8cc59e6f5d0de32a7691541f60d668c57b91c6fb9b8d178b4a5cddc49dea14cfe7675bcdd7e2ceb2e8fe89ecf7f0a3d7b39500b7bff97463c8ff6f135

C:\Users\Admin\AppData\Local\Temp\wUQw.exe

MD5 9e5139380ec7ba17ab45ab8700fbb3e7
SHA1 4cf83b68ef33187834411cdf210a8836309bf2d3
SHA256 6b33c65d0576c1bd1168f1ea8d53d331468066588b460d477e3e06a194c23ceb
SHA512 48376242190bdf18f646c2b046f7dd6785c49c80a1a79946bd51f32ed4ce286161e8d677cc712edaccfadab38192bb8cda50187ce6d7d37564a91c5b26dccd60

C:\Users\Admin\AppData\Local\Temp\CwEY.ico

MD5 95a3f981c6a54d59d23d6a6c93de8f98
SHA1 a092c67e4c00aadedefee03b5184300cf1ab303e
SHA256 5e15e82b2386bb62937ea83a7a11088ce2d506b7846e6e77093bf5903d97f51b
SHA512 242d0a16e3bb36ab857033ab2d66e55a91a87171508aa3176a62fa9b0a23c35966c26805d664afb7c44a4d8e749818c6499968c7adf577e6afe8b993f3e1f4f9

C:\Users\Admin\AppData\Local\Temp\OYAQ.exe

MD5 221d84306e5d4256437181949269c499
SHA1 f2683166c3830fa75306f1f689bfb6d9b29a152a
SHA256 74db2cc5db47a2081fe0fb1939bd3dca8a147ecf23c22f360167c00a252db903
SHA512 a3e48e3f6299fb55a54ad540759a6de154c16fea34dfad7eec8dfa9a67f59ba353890c6ee23cf4cb4df023bda041f47d23174520d0fb94fcdd167a105a6d8847

C:\Users\Admin\AppData\Local\Temp\iEsM.exe

MD5 f9a3aa98e0c0aa27e7b5650609c0ea9f
SHA1 b44cdfb0d3a6ff512ebe6f6af92eb215c652fc52
SHA256 fb12bdb142258b89264a2a2a9d74cd6c17b8164d705f7192daf97e92c7efebb0
SHA512 26b38aba039ee4f63483d913eee02db0a0679a10007672d6eb8ee0c06e08fdd5688a3820976d30b029a70461e7bbf0b585110cebc2d7128f5f61a0ec24e6b9c6

C:\Users\Admin\AppData\Local\Temp\Icgo.exe

MD5 0bca5a3ee1783ca0ed771fd0812a4b71
SHA1 9a6524ec34476cd83c6396edabc13b66a6e036cd
SHA256 9da4abc87ceae813701e047a26ec7e415b86cd36fdd429a489ca55cd22713863
SHA512 23ffcaa06c8aa425e25affac731f3575aabd7861264f68e7a4c07de1353c98c1270ba9627883e562c9535d1c39318ed5e4fec7c32020abcda6b12cd55d560c5d

C:\Users\Admin\AppData\Local\Temp\IkYI.exe

MD5 b9cfc25c93e0c7be0d8c711991425e3c
SHA1 d466dcca9bc321bc6f9ffe991af1c965cec2891c
SHA256 7fc01cf2a230d1602bdea2ff94e89526569b0edbd43ba2d94d61fe13e71c0821
SHA512 f9cefea64d4dd577780dd4722982b7a4b61d7274824bbdf9fda8f45108d6da2c05cd1cae09297fac56d840e2ec8eaf26816382530f0a551ddb929316f1b0c8a1

C:\Users\Admin\AppData\Local\Temp\qYYa.exe

MD5 da92c84b061e0e4953140198d0b02abc
SHA1 6ebd82d178639babddcc18df6237f55b39d38f6e
SHA256 dacfe8ab1c0610fbadf43d1b7ab6c649d3aff56ec22dfdb3623dd7afd48319ab
SHA512 63b437ee30b7298468bd55b8a173a6e4bce110277bb336fd636a8bcc032c6db0cc701e8d06dbe0936b09c9aed52969f5bf8d3ec0bb5979489f0ef0ff2580d26f

C:\Users\Admin\AppData\Local\Temp\oggk.exe

MD5 b02fef32f6f98447dfaee338f5e68ae7
SHA1 8e137524d352ad306b80b27ec73b8d1474ced32e
SHA256 3b413e01c6d7e559b31ab882fe53a66e2d7cc042d645f068871b99854a804992
SHA512 6f3f5b9e2a22decede27e5e63a3786a0fbef93628550833bf054eee86de21a701dd38e6e0d432c705f124ba419eea97d2182a3a2fb100149be8b29231fe06d3a

C:\Users\Admin\AppData\Local\Temp\wQEq.exe

MD5 0483188cf8c9c6db8a76fffb3c8b3b2b
SHA1 560a722abb9cdd310c92098c669a2a4a5965e512
SHA256 dd21204b13d3de1327f6b4fb0538dc383ae0fba2a04dbd7fe911a3381fece216
SHA512 2574f598f8aee4a4c958116c0bdab04744e240b1766a280cc07718eab3a45f310ef00ac6f39d137df5ad66946c8fcac495ce2f9c5bfd99b81baf130e89ab434a

C:\Users\Admin\AppData\Local\Temp\cEQC.exe

MD5 87d5d8d9fe6f7641450b2028efc5e830
SHA1 56c196d4e5ac1d3ca365a015cff89942888db70a
SHA256 6f79c2529d66e3b1d22bb43768d3f378e6bc9b7c096d2181cc1c6b07f2e58de6
SHA512 9b3d6efaa9f7ad921390690b1e7406d03b4c86ff3b758d2f3f55a87c58e95fbb85985a54151a8cfdfc595939df12269cbd978a5235429040920b771b65aa3c6a

C:\Users\Admin\AppData\Local\Temp\MMUO.exe

MD5 1130343e23afb69ffe06153623d0a8ac
SHA1 92c54941082b6f5dff41c97e95c61e0313619657
SHA256 a7f166ada5c615e768ee277fda8ac957772ace5e582ccccff710036f11130594
SHA512 197a4a5561f0474766a03716d93c03b0548aa9c18be46f7ab3e46c02aa0296ce35a26947c537cdb9f502a5493c026157256edef326c86802c0480cdda1cf25d6

C:\Users\Admin\AppData\Local\Temp\wogK.exe

MD5 bb39b3b9e174b46572992f91790ff045
SHA1 5f9b8796a3d0e3f24b84e17d918a9f0e0a800ac5
SHA256 54a41ac4c2b10322045e461e745e9dd49391f5f79ddc3f0269f7f998c51ae7c0
SHA512 f02511e65da02b46f5d7bde09af8ce67c124d4c0ffeba66165556cf2756972f54743bf549d99271a63e1eb2ef8ed7f34fce3a27f68a5b85f1c659b17e3e6b17a

C:\Users\Admin\AppData\Local\Temp\wgwo.exe

MD5 c23b63f149e689bfbddf9679b29a776a
SHA1 f19efe412eafb186473a272b2c5ddb32f73e03aa
SHA256 8db4640f7ec152071409195a1b5f9f6b07b7dc4551de2637188225be59b34c40
SHA512 c773885871195bb6d44974d0a58388958d40302075143ddfb588af9fc9162cfb423ad54cccde9af1e874aefddf743c0f7fb407c38c9bfd766c52629bf1c9ac74

C:\Users\Admin\AppData\Local\Temp\aoAQ.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\WEUG.exe

MD5 c7bb60e6e88898f30331e06aec827f63
SHA1 7d1617aa4b0c0c025ef0d8de1389032cec873f38
SHA256 0948d47ff8f84471ddfef5de59a440c50b65299950062874dd99c69fe286f201
SHA512 afedee0b1555814d607155e62d8e4f1260cce1faef428640272f16641081fb6c0c5b9a9cd44d22e527b3066fc1c82e1a93b11db2d454cb09b617730284dc83a7

C:\Users\Admin\AppData\Local\Temp\Wsco.exe

MD5 672b98b01208ecbf5c775b7fcbd7e689
SHA1 c79593e090a297ef0e1fb2848eead2b7cb7cb5a2
SHA256 59fb23284b253eea3bd4e403c4ab2505bf742285a0e81064287c529f26aab37c
SHA512 238b1054bf37f9d2d68836a59db41883c778a0230bc96fb476698b77f7937e05d9ef5e8a5a4c23ac490f478f819ef4d45bc66325f8b6ad87e0643f5c2fb669b9

C:\Users\Admin\AppData\Local\Temp\SWMk.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\Qkou.exe

MD5 612ed4b3dd73de7da82532fd8141ccc3
SHA1 f370be3603908c3aa9981aa4dd8a7a62bdd7d92e
SHA256 f2b84a4983569d756bf2f18cb20e34be88d3a40d0b1dc09d938e1dc6ef268673
SHA512 81a88fd060553763f9af7257863817d4a3b47692a298b2f0f08271f2891bec7168f246e2e3e4aaa107ae7646437acce7caeb94756b00929aeb08afd13a93b303

C:\Users\Admin\AppData\Local\Temp\EswY.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\uMYY.exe

MD5 5462772e0afc9825caec2bb250e3a7c6
SHA1 d03dc7e3dda412469ee09f8995c9c7f4dcb3d013
SHA256 49b3980952b21b7e83a71741ca6c3cb3a77e4527cbea9a9b5e8ff9a59aed5555
SHA512 4e54527a84af0d69e251e9004daae9ab3f5f2132c573e5e57676b18dd4c47946be9fd56e8919f7c91bd01bc46435e526a4b28d5e8856b1690bcd90c687c43935

C:\Users\Admin\AppData\Local\Temp\CgEe.exe

MD5 7a6b6842f5b0eaef0499eefeebf12198
SHA1 ea8df6a5c8a42d5ab43f15549fe1e275d6bcc93a
SHA256 fa944efc0aca4cb390f3b5f7ed48fbf6327069630609970ac257237aff14bf5a
SHA512 60a2999ba73604dad935feeb2f29f87776055dcdb4a063e12d59c7650e178f01b99981b93bdfa7202e891442ff34714411f45e431f4a375065fc829849c19089

C:\Users\Admin\AppData\Local\Temp\OkMi.exe

MD5 ac83acb3ce4d9c83c3bec7bbc6ceb9cd
SHA1 5b5337c007863f565695e7678924f9f218c1b0ce
SHA256 254ac1956caa2f241f9646ecf3d998e3aaa0b71cc35166296541813e0fb57e0c
SHA512 002e23208404612d4733c80499874221d08dc7cad4d566839659a928df1ebf3f38fc17fcfb648c0198a09edf75aa47c796b21b2285b846aa8e527a7ddc7a2d50

C:\Users\Admin\AppData\Local\Temp\AIgG.exe

MD5 6ca4e63873e4598a0747ddbebbe2c9bf
SHA1 4e9a111cf6de2d68240c04b6926c8e60f7cdbb03
SHA256 0f559dba5c900d2ca4c1b52ca52bcfeef828aeb75227667837425c94d94c0140
SHA512 092adc212600357ec4277c0f40cab859af55dff958f71242b25fd3a9e11a1f690f0b1b447c0224a8b63ecb2b03d0e5ac40a056a384d52458433db7a7946b81da

C:\Users\Admin\AppData\Local\Temp\yccM.exe

MD5 138414d1237c1bcbf232d01bf436a6b2
SHA1 382e3c447b5c28ee49708e573bc41f21177f48b3
SHA256 739bf96f01a37e452640c8bb0e3f3d0c74427bd14b297c030d8e4deff56bd3f3
SHA512 a366e68a7ff5ea13a0479a7558f829a0682a9840ae3ff350a5cff257c80bab9a24a036d230f32475a910052a45b87c9cb5be8659b031963e0dc33eefd4ebf425

C:\Users\Admin\AppData\Local\Temp\aYoC.exe

MD5 9ac2ca4b77a7c0676514d784aebaa85d
SHA1 6ffd738eea68da4cc7497b62447b181c5aa66a53
SHA256 cc223a972fd8b5bebbfe3d2a8f11e8f9df2bea173117ce2524fa3ff0ed73fdbc
SHA512 ef9e374b8f1e19c91f6f99c5fbf576406a54cee74152f2773a2f154be032c55195dbfaa25e08c258b50eaf49c488888ef3330a77c6ec146ebd19abe61cb74ccf

C:\Users\Admin\AppData\Local\Temp\gEoYogYo.bat

MD5 40c54e8f0a03ab77f9ce7ec680ad84e4
SHA1 ed5d00714e90de09ce979e3f6200bf39a4cc1ef3
SHA256 a98a69d9738da6090127090b8f06f140f39d4988c567174c71f2ad7269f9ea9f
SHA512 2de8407ccc282e2b571693ef858e88cb08387595a7a53475aefb639f05499251b3216282821d24f739e269152b9d2869dc6405de4ae0acb2a1beec8dce7efb12

C:\Users\Admin\AppData\Local\Temp\gAQk.exe

MD5 e6d5d957964e194c6d5636ff3bd6dd3a
SHA1 f9ba0a28dbfe3b301e0361b9fa0442412ada79ea
SHA256 debf077f53ffd58376b809fd1d4888f28c2f90b98d864240e488acae4538327f
SHA512 68d77442b4c8ba9c841811ab7d89fd40249f2ff9d243a375f80575ce86c7d68693dee3618add2f6af6a4e5dad91e906e6c16bcfc278f37346414975a33b0dc79

C:\Users\Admin\AppData\Local\Temp\OAYS.exe

MD5 6f5f1359f2847029286bca479f2b25cb
SHA1 4c1906e750c2df7c4f0507baf22f6773b4934749
SHA256 1f98cdf61e2f39626943cf4a24ed6c53139bdeaf1a248388783b72a57ad1f02d
SHA512 03f1044024f8a7447429131cfd7e3913865c9da9972c4c9761f917c459a6297df338a286589abad3d5cfee5ce4059c38ae8458387ec2f66958cf58f324950ffc

C:\Users\Admin\AppData\Local\Temp\kMkg.exe

MD5 edb02edf82522bc84ccc2505335c9608
SHA1 3a17a6aee1b7bdf6b7d5a6399840869032ee356e
SHA256 f921eb84bc8ec4a47f0492d4c64fc52ab793b502331988da400a14caa057049a
SHA512 f63df6abfe5fdd384f880d160cb224b2cf545b0aa9e02719c894a9d65d0aeb06491a25820720b59d001cd7dcf8d486316143fe66b258d318cb0e64f6267ec5ac

C:\Users\Admin\AppData\Local\Temp\WkcC.exe

MD5 8536e10b6b30baa66c2e62e75cddbaff
SHA1 2f93b4ec5833cedae35e7017d125a14f76c23b45
SHA256 d8d581d3d2c79c1329bc46fc8b6d3edcc80b937e5fa056fa72a797631bc53a19
SHA512 d861a143d1743f85ce53e60edc40a08966c4b3040e30e562034d6c943ec3eabb990ad2d184c182be333c4e698fd83d2b6227bc2a93a06f0c78d5f9e8de4dd6c6

C:\Users\Admin\AppData\Local\Temp\uQcE.exe

MD5 b036f24f42647e8db19fa7e1d8ddead5
SHA1 d3adf7bbb62755aa3da19110761269f365d7afbd
SHA256 fc88dcc3c6d07db5665042dcb3884b4c3e2be9b48d81479af58cd7fcb030b2fb
SHA512 f2500670d82c9ef35cb81098d6d283e55ec405854a5b54d608495641c61594b81cc84243daa3e7ac94ac965348adcb3ef0492d65efead91c4cb0d3fb467e90ff

C:\Users\Admin\AppData\Local\Temp\icYO.exe

MD5 9e8b2428e01bedac8de19e238f249fd5
SHA1 ed77cebfa555cb69a8b967df1b91ebea17733c91
SHA256 38d6d50b94218e5a99146c5364d1a553097ebe6f130755374a56f3c7f2b900fc
SHA512 e8a0af16d63891a6fb33acbefadbc420437babc0f6a01beff0ac899a6607a06dedf30e2dfdd7fd399616a5ea38eccebe6308d17af36bd84e7015321c79dd84b7

C:\Users\Admin\AppData\Local\Temp\iwwG.exe

MD5 1415e1af818080eb12b6bb44f1bf5d1a
SHA1 93818278488a67d320a093a930a512d937d3ca04
SHA256 adbadad559823ea4469059182b4a67b15c02e73595648310dbd447902d3ddd60
SHA512 728f9f7e4cfdfdd24082e8891f9ab2a3170133b9e59761de7795555927bc0604b5e4fb048ad98c9a7d00c0e12d431b1d52b93fe89371a5618c67350a7a0ccb8f

C:\Users\Admin\AppData\Local\Temp\oYkw.exe

MD5 2fc9a0a74a403095d6a1a416f9d200fa
SHA1 56ba1293137719af26f0abec5bba49d70361e573
SHA256 2fe93874f6ae18ecce641b6aed09d1eb37b8aa6cfee4637595a5a6a283034f23
SHA512 c247723587ed87c8cc4c95c0782e1c4995c630af92c0daea494aeb7df3ac47eac201431c5aa9b40ca9e410a93db118517ff17b0c8b9aa7dfc66b0a15f89065ed

C:\Users\Admin\AppData\Local\Temp\yMgM.exe

MD5 aaf23dbfea9d63cfa98e35ea495bc33f
SHA1 d4588b72946f634856e51402f1cf3eeeb726d20e
SHA256 ba3ce4c387145e9a35f68754052fbd566b0374f05357d4dc410366afa25d6299
SHA512 d546dab9a334ea528999854465ef865ede1620215f4f08220a0d5e8fa9c0723459351502c5e82658ba59504db32600f96358320237a545061fa65d46c1f522c0

C:\Users\Admin\AppData\Local\Temp\AwwO.exe

MD5 69d207246a79420b166cacc3d9855fcf
SHA1 a3751ccc698efaef133a3feebf831d63877a37a8
SHA256 c903d7cdfba8a5ffdbdb483a8c8a14efa392e7ca9a58c153b78dc01556e08ace
SHA512 751653d82a74013aa00936a097587d1723fa4a10c41d0f7a780efa220969eb8278e894b3f9ffa18fe56a2cfbaff48c45101fda923e370a47ff85a423de7e7ea2

C:\Users\Admin\AppData\Local\Temp\moEG.exe

MD5 a7c843a852d76236f8ca7afc4a74381d
SHA1 e1c992de5dc890b7a44efe838c1751e8358f0952
SHA256 e9e90ee14c4a8d4f67dd2abcbb7e6979cf36ffd6efbed456042777d123ba9a25
SHA512 9ef80ac5b77b9b837956dc3090df3c622ad312e4b4f8e16b9a2e770decff1d701f5c6fe4eebe87f0a8fcad494d044bc85bff03e463b76377e95a686a776082e8

C:\Users\Admin\AppData\Local\Temp\NgQEUssI.bat

MD5 9f2227ed9df4e22c8af5cc20b82420a4
SHA1 53233e5b6f54c1afbc3b4872e9b8214304eb2288
SHA256 0ee2b2f63383bc9bee62f2a34a1382fbe0c8111e5f3d28c657bdae88f6fc1d70
SHA512 a06e47ffcdcc43fa0ba1a5282c43d90a1f8f3bd224e802118636cbabeb8b5c68a4ef58817a286de421b4f530bdfcd51250a57f00cf1396c63dbbbd7facd65746

C:\Users\Admin\AppData\Local\Temp\CggG.exe

MD5 9cb116dd467e09a0f756e5d1f00cc258
SHA1 7db1742bf21a2c9eb39f4d535b3c0405a6b0a4c6
SHA256 f56869586910f1b20ba68bcbe972e6e4c1031b7b611ef9eaabf5251f618e2a84
SHA512 e071c3aa6fd9e950bf5a6a8a7d9cb84d6587db9d740f1b446b682ac4256ab736516e81c83e1009e80f8e464dc649847cf5bae8534ef089fa73568e7e0b534cf9

C:\Users\Admin\AppData\Local\Temp\UwAs.exe

MD5 cba3622668dd44753665e6562a874e9f
SHA1 c5c9eb2d8853a6883d0594913cb0c341f67708cc
SHA256 23fbf8051977ce1f537afd62ea9cff91d5c5d8affba196de3ff04136016cfa6d
SHA512 7853faa451e841972ea14e28f73acd2be45f7dbd18f0c6910abb8480c4db2d84552ac73a438505981e7fae8ec54f534df93b230b89d8465fe28d4fa6323d9630

C:\Users\Admin\AppData\Local\Temp\ksEQ.exe

MD5 4e17f681b89e77dcf314c9ee4f2b54f4
SHA1 c4d3876f9e862ad99b848db180f8ce69115eb633
SHA256 37bcf1739594395b46b29d1dc16655d0e92f5ad28f4aa79a62ca5b7acad103d3
SHA512 4195aad35a68fec9ad2be048ee90e5bfe2122bfb5c41bd740a7b96795a27daa4b36e3a1f69f6a12ceff7ebcf4dad4eadc93971ec6926f448fb931e109005897e

C:\Users\Admin\AppData\Local\Temp\mQIs.exe

MD5 e36646d47b0eb402cbe9b1f2d008c0ed
SHA1 dcdafc763a338fdce19e89b32520247aab04e2b0
SHA256 243a87444be1d1c47150300a2c988634d7b5a5ec09aac936b2dfb161ad27836f
SHA512 109cea3810bc099fde3d8c184a8968602de3bfa3ad1b1f57207fa249b36f480ef6b22e7c765b0e77995b3bcbab74dfbe75b86fc1b0a24a2c8d1fb334e32f1e0f

C:\Users\Admin\AppData\Local\Temp\Qcgu.exe

MD5 1aedc7f05a62583d419a9ae823e5a2d4
SHA1 b4b0f18e5f6a0aa55886d0e28f39939181998d28
SHA256 7548aa0a3155a10596c6f8f22ceb6741ee03225c34ddb663a0fdfbad26b25c97
SHA512 199650bd75bc7f5ead6e1733bce192890dda7a6eddaf0cfef5dcc2bdd752c516f18837668ba031b6dbb058356f03d1a0889896b1526a99337c1ab1675e840bc4

C:\Users\Admin\AppData\Local\Temp\EsAK.exe

MD5 440fc45503de79bb785d540b2af02ead

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:17

Reported

2024-11-12 22:19

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (88) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe N/A
N/A N/A C:\ProgramData\hiMQUsws\PcYEwMEY.exe N/A
N/A N/A C:\ProgramData\uIsoUIgA\OaIMgQgI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PcYEwMEY.exe = "C:\\ProgramData\\hiMQUsws\\PcYEwMEY.exe" C:\ProgramData\uIsoUIgA\OaIMgQgI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PcYEwMEY.exe = "C:\\ProgramData\\hiMQUsws\\PcYEwMEY.exe" C:\ProgramData\hiMQUsws\PcYEwMEY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGEYYwYc.exe = "C:\\Users\\Admin\\uAsMMMYk\\SGEYYwYc.exe" C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PcYEwMEY.exe = "C:\\ProgramData\\hiMQUsws\\PcYEwMEY.exe" C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGEYYwYc.exe = "C:\\Users\\Admin\\uAsMMMYk\\SGEYYwYc.exe" C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\uAsMMMYk C:\ProgramData\uIsoUIgA\OaIMgQgI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\uAsMMMYk\SGEYYwYc C:\ProgramData\uIsoUIgA\OaIMgQgI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3572 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe
PID 3572 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\ProgramData\hiMQUsws\PcYEwMEY.exe
PID 3572 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 3572 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 3572 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 3572 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 948 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 948 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 948 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 948 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 948 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4952 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 4952 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 4952 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\reg.exe
PID 4952 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe
PID 2604 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 628 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

"C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe"

C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe

"C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe"

C:\ProgramData\hiMQUsws\PcYEwMEY.exe

"C:\ProgramData\hiMQUsws\PcYEwMEY.exe"

C:\ProgramData\uIsoUIgA\OaIMgQgI.exe

C:\ProgramData\uIsoUIgA\OaIMgQgI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imMUMQcM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCckQoQk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOwMwYkE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgoAwUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOcgwMcM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymMIsooA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSMYwAAI.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEQEQAEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQUEgYEs.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leEkgcEE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAsQwAMc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkgYIwQY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEgsogww.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmAogoAA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqwYAYUY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuAIcYkA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCYcEcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYsAwwco.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKUMEIcU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICMYwcYo.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkIwUccA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAgYMYwk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XicUEMkc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCUQsMko.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAsMEogE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeMAcwIY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSUkgsEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYYEwgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKUsAcUA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqYcIQAg.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcEMocAw.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiUYQYAw.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMQEcIM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daMwcccA.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zycggMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiEkUAYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWUgMIgU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUIQsEUU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmYQAMAM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEEQIskY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCsYoMgU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmoEEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIQsIwE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcsUUsMI.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suAUgMcY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmosIoQM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmsoMAoo.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWcgcksE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sekIAQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgsEsMAM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McAQckwo.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYYAocgs.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWcIYgwk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heMMYsYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmgcokIM.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYkQQokY.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwsEkAso.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwgIwQoo.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWUAYYco.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKkocYgg.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUUwMkUU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoAkIUkw.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqoEYIYI.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iioMsEMU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGQUAUww.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYcskoYc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biUQMEwk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwoYQoQs.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCMQwIEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQkYMkIg.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIAUkgMk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcwUsksE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMgMswkw.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqQMsEQo.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmIMYgEE.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WikQcgUs.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQwYEEEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUkQgoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAMEsYEc.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOkAgcsU.bat" "C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
GB 142.250.200.14:80 google.com tcp

Files

memory/3572-0-0x0000000000401000-0x0000000000476000-memory.dmp

C:\Users\Admin\uAsMMMYk\SGEYYwYc.exe

MD5 653c64e5399ceab6bf78ee0b5e72f57c
SHA1 6be60a27c6c55252fb2ee0f86c0a24ef5651b00a
SHA256 fd2302c18b624912aaf05ae63b3bae329d4a8d8de11e1f8f4a4caafdf8610758
SHA512 346a33df4dd3f98013f64a3394efe87a1126ef18eff1ae4f28c4d1aba5174352939e6ecdcc2f0a14b5038c2725f3ba3d7be53930de5a18a21a32c31d7e65f9af

memory/1000-8-0x0000000000400000-0x0000000000470000-memory.dmp

C:\ProgramData\hiMQUsws\PcYEwMEY.exe

MD5 23a717ae2f4199cbdfd630e89da0221f
SHA1 ed1ba6aef23ca762af768784bdeaade1761b70de
SHA256 f88f397e772cb1609805458b3e815f37a65c7570f06c383dd07ee09f53104b33
SHA512 f7b4ccf335189e78dcfa267c96ef6b126b2ba942ee30d8ed7053a2f6422cf982eee478f49b3b47ccdc39953c0255a71b4ebdec92c4343ac022732028e5dbbf85

C:\ProgramData\uIsoUIgA\OaIMgQgI.exe

MD5 36b115b8a98d571741e7ad17cc6cae45
SHA1 22ef004c56b0494a0f4477ff2e2f6df13e7d71ff
SHA256 76a4400fbdaff86314e599636ffe8a986ef5e3dae82f823391379c76fafe7d0a
SHA512 d8ce494d106cde631a3d46f4dfcef07b1d4502e7db6f55b27fa9acc05f40f408fb9e19b77376f6db06dc4fd0bff0908d6ce04a8daee7acd47712dc99352ca34c

memory/1732-16-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a4426d13b4d05d7c7b54e94c5309411aa84c1c555383e61033d466a2df6efe0a

MD5 d342c2b5f3d16dc992db22cb737ad617
SHA1 615a98744fb22809454b706174597a4d6b6d128b
SHA256 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486
SHA512 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

C:\Users\Admin\AppData\Local\Temp\imMUMQcM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3572-146-0x0000000000401000-0x0000000000476000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 2c1464c8a40b12026358e7d2b67c4f35
SHA1 e2eaf61883e156bf8697bafd2865c222954952dd
SHA256 f9bdf79b89b08c8a9a0737189a810b54ad0aa34ce74da635d0edab7df7b033df
SHA512 fa1febd89bd9d3c3ca0bbbb7a2486fc29526ff1f152684d482ecc7f97aa9ced6f079a330ab947f93947cbb474717c1b0ecae08ecaf0bfd719b1860c33edb2534

C:\Users\Admin\AppData\Local\Temp\oYsM.exe

MD5 7434bb9f637b958e488ea6aee87af512
SHA1 0606fad1d90b6bd0ac56ce51d799dcb3bf81af65
SHA256 6872865671d7d23fef6a22d9cd60025a29455e0eb1d0f067ec6f219b673769a6
SHA512 babe977c6fd73b7cdf3e5ed9e4597f6befb99ef150af1215b4d396595d47e49b23753e9ce2ddfdd0b963595251f4992dd23d9806a69363ab0a2c1aa5de70e115

C:\Users\Admin\AppData\Local\Temp\ysAu.exe

MD5 74dc7118049b6e3a3c4b4ee20ac281ea
SHA1 077f3d8c022c46fc9b020e7ef889a6d6cdd6cb83
SHA256 82207e0e3fd3435d288a56889a20617f728234d5d610ba66a512814807100749
SHA512 a3dfabb193966663595f0091037af076560eaa926cb4f3eee8ac4fd0e1592ec1dcb483c508f19572a29952dd349dc4dc79c513dd5cc5ff810caa5b7b498f5e19

C:\Users\Admin\AppData\Local\Temp\yuMA.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\sUcK.exe

MD5 5d30060f552405e90b48891254f2cd1c
SHA1 d9f334fc49fe088dc08794ba66592e03dc3ff8c8
SHA256 a644cff5bfc2815d20680b02d91ac1b510a24ad4919da73418e783be1918f0a6
SHA512 d63136e8259e9018e055311e54d7b5a71b107857ce3c9a86682d5249479993396dbe9d08b0b95460e648cc999c3a96b1ea08db0fc2a1a5ebbc6fe9f3bf583e4b

C:\Users\Admin\AppData\Local\Temp\aIky.exe

MD5 c180e8c99b573655e1b7c7e7c4dd2889
SHA1 ff2aec27e4591c80662da958dd68d97fa9a0349a
SHA256 a82a1e9c05f7b08263437d030f8ca5a154b67cb24cb2a01ef54e2805dded49ec
SHA512 a0dc95c3dae536b9cfd3c59769528bc9ed730aa3d97a5b307d7c35aa85123057ab697de6cc5d320f02c7346a232e4ec8a1cf6b193b48d7812c86b8db668ff41e

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 70314afda5f271dc38a734de806a18fb
SHA1 aca0fc43f594fecaafa520e3f9349efe52774255
SHA256 9ee7d69a91e6c916de2a86e63e725a97d0a36407dfeddf7ebad00ae640db463b
SHA512 704743edf50cf3a788a71fc4ef82cfbb4600765bdfeeb67f56b27ca116c47df340f1363df17bde6f9e48720a9bb3671966304d229a2cfc505c258580a8abe07e

C:\Users\Admin\AppData\Local\Temp\CgwQ.exe

MD5 deeb3ffd164fe1857e0faadd9a62eb9d
SHA1 d760e74747685bdb51a27be5893778d3383be317
SHA256 da751d7030632bb4f14c6de64313e1713454c958f044845c47cc973015ac9ad7
SHA512 a2ca800c62d6c05168aa7c40839ade37a04c0d4b39eaf1783bc8e35e9a5939e621acae8bb3cac87830e4a46b4b35c4220ea1d8bd009a1421a1b7d6f39dcce538

C:\Users\Admin\AppData\Local\Temp\yAYQ.exe

MD5 546320879cd0cdaf7393d7fcbb3f3ee2
SHA1 ea3142b3cba9300926ac606b3cfe385b1ed19eba
SHA256 007c9ca5b8c920e8340a2cb25e8a62337cac8ba402b4603b7a4724e27f3150e9
SHA512 57be818af4fea9eac448cf78737c465cd5b6e15d2fbf839b9996acc2927625ebd30ccd598c3bfbb1332ae8050bacf001b640011304495ccd2f8aea8143bcb085

C:\Users\Admin\AppData\Local\Temp\sAMe.exe

MD5 6fcb5911b0a31580054be7be0194ab0f
SHA1 abed0dd5f91516fbbb89d7c5d1f1b9fba69c9784
SHA256 11873458c54ff6b822195f1698863cb8ec0fd5ee0cbb1d25c64cfdee76ab22b8
SHA512 5602113b6bbf3edf4ca4bc0888e96012c86b3c2aa9d18d89b7a247a85c2f874c120d607ce29cb82e4698d9bf4a53fe0a64103686ed0d95307b56638c03182b7f

C:\Users\Admin\AppData\Local\Temp\EAUQ.exe

MD5 946dd9a8c98436795a53ff2b5721053d
SHA1 63b213a6e79c6e89ba8ab274ea76f80fe6883781
SHA256 62dd3d576d4310386a83bdc3be90ee4730a22ca1feb388199479f79ef88dbd0f
SHA512 8ee7e5644adfeff95786e2dbacecf5a7cdd10b321b1f88d4331b724436358975442e8a6247d7cbad938287eaa0843ae3cf409675029d3efacf5ff48ad9de30d4

C:\Users\Admin\AppData\Local\Temp\YQoc.exe

MD5 ecc87abcf04494cbe5ce1bf62839de03
SHA1 e089504362a51ed961c34ff47566b79aeea58b39
SHA256 8da8d1760a47147959a1f29fad21f078779c516efe7cab9a060c375b32ab167a
SHA512 cb5127eb198346d73e468a585e4cf4f222aaa5260f30f0287eed2046e5635f7f6a1fc43d3869279e2310779aeec55f5097c8f8c9b812a97713ea088d0c459834

C:\Users\Admin\AppData\Local\Temp\uoIA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\sQkK.exe

MD5 7a737d8a628f2c01c2f54f58af57a6f9
SHA1 7332524346f45ccb29cc843774a79e53d095836c
SHA256 71d5be016f2afd5ac47bc64ad0cd65d0be5f21d4b8fd5ecbcf7b7f78b7e4956e
SHA512 6e0f0daea2a32b7915ec5164fcd8bc5ff7100d46d600260d282101b311eefb2f957f7c9eaf0323b8c56d1b09eec2554787d61546090af3defc1a16d326cee0e6

C:\Users\Admin\AppData\Local\Temp\KYsw.exe

MD5 797536cb5b730e90d5c26ec80f9d4e44
SHA1 ab6d711f0dbec9ab013ddf64b61c8e37889f9883
SHA256 71c2b62ee9ccf2a288ab51cbdb22abb6d437a0defb9b0849f7039abfe5e089d9
SHA512 adb208504cd2967d6ee99efbff1bf40dfaedd500eb80639ed40ab4b249af36562b9fae0a1c562efd5220837ed9bc124bbc20dcb651b15a99265db021ebdb97a9

C:\Users\Admin\AppData\Local\Temp\MYQQ.exe

MD5 d79d03c4dbf236f6a8ea052016ef1401
SHA1 eb1456b5e1f29dff4c6c0f5faa247267f92fedaa
SHA256 fe5ae093dbd46a6c44b6ee69a1779dd7903e05461e6c52c078a7517567fa13d4
SHA512 fd42d455ea0305a9573df143054d924e9f59da40b6a33d11f1aba10fe6cfe1774dd0dc005a78fd3d8b2247cee1029b0b356713b0ba598520a4e24867876e0345

C:\Users\Admin\AppData\Local\Temp\MkUQ.exe

MD5 7b5ac04faa724f29df6ae9121974675a
SHA1 b3f7ba7cdd6141662ef94ea295c64c62ad95e989
SHA256 75c74cf43502fb36b1cef520d4a91664df17fe9fa377967b7e7d30824e5eedc4
SHA512 d28d3600c26d1242e5273c6a475d6e1798c555f78413fc908563c84faa992f23a7432c6bab29d1516c3ad4e77bc1cf5ff49047bdb4d91654c042a2b6718d7f9c

C:\Users\Admin\AppData\Local\Temp\Awka.exe

MD5 322ef25b781d89c16ea1e40b62a6b6e7
SHA1 1924d83d2eeed60e21f48943b8d5e2b2b30aef24
SHA256 a6a5bc165ae7834594e6c114d79690cbe151c9a8caed1b82c9a508c8615783af
SHA512 f9f4beb5ebf580be73e7011bf048b40edff9829d196782291416826a577fffdf7f82f0ec60fd4c2b9c3507273bf6660136c8547db966de7860ca028be5c0f826

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 f736010c80177b4b1284cc409a669b1d
SHA1 5c82d31bd8481de8b6937eecf08cd6750299426f
SHA256 d5dde259d79fe41282110d40f3c9c9839760c84469b672038d3ba71ab75e441a
SHA512 81b0f2dfa8ffb0a2321ca643113338c759175e8240ac063ec192c74700a4393d222fa0eeb0feb25c74d386a8fbfa2ce9da22bdad8513e0917c8721a0639a257a

C:\Users\Admin\AppData\Local\Temp\egUy.exe

MD5 af8f8fb5f24c0b237471cd0204ccd5b3
SHA1 51f574f4c1e2df2f3d0fcb120c8e8b0df34070c5
SHA256 df2ff1f5ffcff98148dd0107fab0fa7ed5844dc65d03aeeba297e41b5d04645d
SHA512 468f697d6d7d486c6c294f4bf8177879ada8b2d5cee6d6b607c994db9602ab25005424c794e14424830ed8949d650faf58fbcf146af0f5ddad886299da60c63e

C:\Users\Admin\AppData\Local\Temp\YMUw.exe

MD5 1b57d81935e8f6d8686f15c99d6d9bdd
SHA1 4f2b7d25ef51ec6d35e7066037465fe6e7475dc9
SHA256 7d1bde8bf470429ef2a8a61e29e73ed88b5ff1e2120bc71d84c59a0c1718a9c1
SHA512 f7c76956a7d70223f93ecf1f2948578a3998e4ce25d8fa6a58491584599338cb506367351aaa0e7fd43526d68f7c221767bfd5fb78aaaf1b1e629ffed4505869

C:\Users\Admin\AppData\Local\Temp\KEUM.exe

MD5 97156c986f8fd1ce55ad8bb7b24023cd
SHA1 cdb99045959b859f13378bd828d79d9866a0ef5d
SHA256 96dafa31a84cc9e9c9a6554b6cd797b410ae4e83c4bd1af9cb002dd0176e1382
SHA512 d682ace5139fe26818663a8567b4f8a39e2b04d0470c11e504b191712cf2c1aea3b60e186a11fe4d5a505a7283add8c27aed9809aa10674ff7b30e6982995bd1

C:\Users\Admin\AppData\Local\Temp\mYQe.exe

MD5 8cb14ebf6e1fbe9663463805cb78d1b4
SHA1 b728e3594988f3235120e68ff2a764275a74e12b
SHA256 3ec8d674ea9b80096af160112434617b4f673ba383fda2dadde5ff635c46502e
SHA512 276253d4f68ee35c7c6d03ac23e2323378cc4a3f4ef4ee40c2b81d35673b46b234ce494969f6d7d76f9dce419ce75407666e6cb37fefae3e7cc9808af1c6fb21

C:\Users\Admin\AppData\Local\Temp\cUgG.exe

MD5 2dc15dd95186ecb02fc44f5eb24616dc
SHA1 07906bd15c75e6e6ed20b1bd645213f10925bcdf
SHA256 d127c672b6e2862c948deb3e821fd1ad7e394cb1606964b17cd396b071147f6e
SHA512 d8bfc4882fcfab0398f5f85aebb11358ed5362a77a8f827d9b8cf3412df8fd8ddb9fe634ccc4e887090181cc12557c296dffb383dbf9e059bcc92f429f6bf4b4

C:\Users\Admin\AppData\Local\Temp\Mgwk.exe

MD5 207955a870c8a727789f5a9815cef74b
SHA1 da8d20f9f572b7c2edc4591d507cb4c40052da07
SHA256 48e00336c3ad59fa940514730f51c6197fe2caa561d914728ebcdfdc25eff0e1
SHA512 6df70cf3a057c560d67573c92fef6bea891c6b56d039f8a7c7c3a27b644c7f3708687c03132040118e0785a762087116c9dab5b9c8a29870a6071a9205629790

C:\Users\Admin\AppData\Local\Temp\EMEw.exe

MD5 74457e99b483420059f681b2109e6361
SHA1 e6ee559d3f76f3112ae0399d762f570883ef9bc6
SHA256 f1e2e9f39e221f594cea2b225e3d170a63e74e8cb5e9fccb8137dc4a95ec3f73
SHA512 039f71a3f667f69a4a4ef14704ab396d24be2af48aeab69a655362366a68eec260c9cf492e559634142c874cc82504f89ecdeed6cff23b2898e5d7d608e808dc

C:\Users\Admin\AppData\Local\Temp\cowM.exe

MD5 683760ae027d90798b164327b38240f3
SHA1 c16e4045b9f1d3bb5604d96c5033f81f578d72f8
SHA256 90061291965c62e3e1c1ddce56d7d6abc3b927172e30716e4c55de8a9d292e7b
SHA512 72eec3f99c17dfb4b044ad2f86b5b6a56adad5a27c8ef3891083c0c7730a28590b5bea195b269ed26cc1e0590c6e4dd0e9eea044acd727458759efa9085e5f7b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

MD5 6fdfef4f3f8ac963994f5870184ef000
SHA1 553cd945afc2646cce6ef576604cbefedefeaba2
SHA256 989e220c486c0acb4dbc5277c976abba4bc001de1e36e86302b4baf466bf53ba
SHA512 98b612c1fde431da9f9ce73dac8a2d7b837d9eeb2240383ebd4f6d9545df6764d19220f815f7c5ab9a0345da21d780fdf0efea3907076464628ef5e4f3d6d857

C:\Users\Admin\AppData\Local\Temp\aMEQ.exe

MD5 72fc6925e05011c52e86717f7bc20982
SHA1 8f4ef4732d472a9cbe36066d887c11d98152f42f
SHA256 12830ded86c47150e9cf3c8300e2c823d22dbceb945e62bdd34776157d723ccd
SHA512 546009f8424250ba96d567b0dc9aa6e64d8f1951da38b67cc163b3fb5e597ab4b79f06ce99b12116805e9b624dca3471dba2d95cfa1c155aef585b4ecf36ce9b

C:\Users\Admin\AppData\Local\Temp\gMUE.exe

MD5 e98542e11de93c22a4bca9aed41c4a53
SHA1 ca8f919b64223feadaf90aef98f302c45df2aaed
SHA256 28db50332c12fd59886a9dfd8bead3c579c918f8e674c2342b03dd7104079a45
SHA512 a197c353a1c7af21452b2af8a43b4e42e1069acefc5a256e88fbe3560f796555cb960896b9af8a5f0b202ec3fb90fe921b90ec962e28fd74bc55faac8f8ec70a

C:\Users\Admin\AppData\Local\Temp\awYg.exe

MD5 07fc04508a29900c24ba715af23ef1c6
SHA1 bfe4e75a199d2bd0a53af78d73eb9bf91c9cfa09
SHA256 8d80dd28ad2f575205f058f821bbc585e8e68ef27c833760fa395be2ab5f9068
SHA512 2547d3b21b175f764c85c3d35e5145aeed9a72fd794208b8afa612bf3998f18581e243ef1b31c72f66b2cb6d7005205c745c07e2a1337bfd31d32dd98f1c0c56

C:\Users\Admin\AppData\Local\Temp\wkYO.exe

MD5 27049100dd2a4db4bc6b11eae7ec964c
SHA1 69bf7e0eaf1040f31c3d2e13f7f00e628862868a
SHA256 6544cd4242db9b16fc717477a62c1077cd1936ec32a2a0a6b1d74088746ff4f0
SHA512 947a475464578b535b839f4ef34bd190e2a75840aff392e4b4d93e68516401fb8455b635277aa76c0ea3302ce757c6aa80b87c2c27de2a6cf9c85f046db41f10

C:\Users\Admin\AppData\Local\Temp\qowY.exe

MD5 f48f354434d56bd956495b7be9ecb582
SHA1 417de3ff634e05597df990abb8e61c9e55cccbac
SHA256 9bccc5d6236018bf6da6e27fe1d9b0b395171bcb6abd922b4adb855bbc9eee29
SHA512 57aba9443cb93aa3f868dc19a53731374b18b6f1ebe970932de73c470791ef48f62577f380b2db176c00f9ac2638ca9bdde4719253233feb35cfb5016ab922ce

C:\Users\Admin\AppData\Local\Temp\eMgS.exe

MD5 55e684561b11fa0c313ac7959f4b6cd4
SHA1 bf65f1af49b165030f45b7e0e5ed0026e7551c5d
SHA256 e6c8803e34dac2570e02c52f168ae4b93d6a5648fec7d1181e2e9355898ec239
SHA512 604fa85d30de692faf27601c6ac403c3cb7fe79c6c8816923830fe3846ad36b318d278a6489611e5a9375732b68585aadb52de9ad87cd0990b39baf18ace818f

C:\Users\Admin\AppData\Local\Temp\kAUy.exe

MD5 802300a1b6be70c0dab84f099ca23fc0
SHA1 a21019baf37b820253dbb988d338ed3977e292b2
SHA256 f2bc7113dbcf46984d3403400fe7d1f72e9f48001fbef59762d6ce37e2fb006f
SHA512 66eb2f7fb1d20dc9a4b459655f4ec3e3d01ab44fd69e57facfaf437a9d417714ab95e673dac18a214f7e51d0e67bc8c66c317d55a9b229140440640fa33dbd9b

C:\Users\Admin\AppData\Local\Temp\kUAy.exe

MD5 606f40b57fe9513d4534841ac217b0fb
SHA1 f5c954bb2dd50a93c3e9c97fc1385d8cea39db92
SHA256 e6e446081511dff9007871bb55e52556265f37cb1e0db1a470c3244d3d3f761f
SHA512 43bf20574e00dc56c6ecac7be580cc0b43cdf8242f29e8453416335fd0595de02646166fafe047653fbc94e29cbff4d0f685542fc6a02f67819a92624fd2e7d4

C:\Users\Admin\AppData\Local\Temp\SwYy.exe

MD5 345bb6e263046594bccb68d1ff18aa80
SHA1 c45a0d43a52ceec3c8067f78d85198b6019fa1c3
SHA256 1a5f1f14786cd7ca49a3741a2b389731e699d9f09664c7b433b4b2b83d1fdd6f
SHA512 eb94e715a92321a109095b69c56a6799d1ffaa72c905806237e6f50ad009ead3f15c3eaf58998c3b425d384a67a9c5a4f86b9d3da8c743f23afbf573eecb2fbc

C:\Users\Admin\AppData\Local\Temp\wYoc.exe

MD5 ae7829ee595395efb902df03647696f3
SHA1 4263639d81450c1aecf5cde00a5ee6100fd2016c
SHA256 2c616d3e6e3788003f65d7ee462b9da6313cd8a002c150aa5eebb446b7188f9d
SHA512 780aac4d87dfedd001d8a0fffd981418e68ada2ae11272a4347aa6c90e6a4eca95448d6e9c83e044a0519f94d51fc1580af3ec085df652c32f65334d4b7d4ba4

C:\Users\Admin\AppData\Local\Temp\kQUw.exe

MD5 8807a2589e71544525d73874de8fbfb8
SHA1 5bbb512bc3e74acb5d7e42c30867d0df2dab60e0
SHA256 78f87abd13f9d347c4e04e4fd037a1d1af03597a4b6930680bd9a69959a7a09a
SHA512 934ff58ec1a3be3908900c68e6f9f08582f919d21d3a69571bd07e4e46ec0ee21a126dae84b943d5157ab2be4d2035806cce76a550985ecdc3a0983903f0f0d3

C:\Users\Admin\AppData\Local\Temp\AcwW.exe

MD5 49926641b33ed32832ecfa72b3a582a1
SHA1 2b9b56284bf26cfba92267896d29855e073a5e58
SHA256 c5efb12e619bef1f205efae2526ee66d516e60ba11ff9382e30893cd8ed42496
SHA512 2af9ff0bacd5ccaf863bed151bebe9e87da08a2d2d49fe663cdc354b43730489c57c6126df390912a931a7eaa4058a4c6f62943dbee05a41936d84caee1213c8

memory/1000-790-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UgAS.exe

MD5 e7fee9aba1c847078bf96362cbd582fd
SHA1 12f9476321c60dacedc832e5149f5eb01b833dfc
SHA256 9606d0f29e859e3f011184724e1088d00841ada2d2ae78d6bf00e9177aaf2c95
SHA512 9aac49d6257d10c99a90b795e1610b0d5ee49cdebaeab27485526183aff7ff9424ecc3e3254bb4fc117414e461ee79ae73bcb41f162289da1491dd55bebd8f44

C:\Users\Admin\AppData\Local\Temp\cYIQ.exe

MD5 f088f7fe28a8d79e3346ebb7b18da53e
SHA1 a95767c82481b22af89a1bd0fa1b39b088a34e8d
SHA256 ed4d7355fae5b3c5903a32fbbaf98c393f0a029a54c5ccebae1b71452beb0d9d
SHA512 c35390acf5f3252625ea98afb5fd6f3d5dfcb2d75165f5a842159f0f710f457efe828ae43c8e5cc69da907b5d63ad760a2e53225bfff40b19db457473212c3d4

C:\Users\Admin\AppData\Local\Temp\QIgA.exe

MD5 df30d5fb20e1dec72fcff06f818a63ea
SHA1 f3df08cdaa70ac80c2999cf28baa8fdcbcf8d87b
SHA256 e625c0f87b84ad1e8127fd47a3423abf033ffd2056ab81b7fe07428060884bd0
SHA512 b103fc8a90d972e00aeb3772cb48cc24db1ab7a7966ee40357ba60184182500bf60590c4cdf83c0d5582124640297dab99bf7fa73fadce7a033e91a88314632d

C:\Users\Admin\AppData\Local\Temp\SYUO.exe

MD5 15db7f460648f7444de458b8c378431c
SHA1 f09cb25e9680d6f17973a9ef9c2afcb81ae9100b
SHA256 f4cab5eec3c2e575d8b8d28d2bc563baa0474e2c6d6ffdba92c887e31bbcf2d7
SHA512 a04294402c14e5e54566d23b527c88273bae2ab8948bee45586c585966bf19f6965eec2aab81a7b5b7be765b75673594a8b1c86d624deb84105138f03861c808

C:\Users\Admin\AppData\Local\Temp\Qsco.exe

MD5 2f737f063c91ada55e750e3768546ff8
SHA1 5323eef9e3c0269c61996e1ff3bdb489232fc1a1
SHA256 411dd7a239bd438ff42f2f3be4c705e807ef44ea2b359726e27d66657560427a
SHA512 e68a78eb1a4ed537fc15934cbb67fb3d74bc3d5df6c1cd06307449b4d66a4fca5c280708bc45a3a08f1fb278353060ad703c26122e2b33cec0b0d1d1f9aa4db3

C:\Users\Admin\AppData\Local\Temp\EUgk.exe

MD5 967203ea440e10bc5f4fee35fec571b4
SHA1 afe29180797b9c7e2d792465b729b46e67c2994f
SHA256 5ceb38adae0e7912962417bc05f5ee49c2af183a92a914721e2e27c5e0d57fc2
SHA512 24554c53ac7063f5452b91bbfbcd1a3fdc3cf055b4d4d09e85bfac56db7b1d7b34326fcedc54350d5030601ef8448571ccf4667d9638b524ceee8e4f141f9111

C:\Users\Admin\AppData\Local\Temp\AUES.exe

MD5 353b9c5aff25c8c374b3e0962ea41de8
SHA1 ba003874d6675b6d45a3bfb1438968d62dd7f154
SHA256 e98b04c084ff283c696aabd0cd02d0d7804cf257fec6cb356e55a1ef273c1261
SHA512 6b2c960f76c6fbd61cd2bbd7f7050fc4f83272f4ae3d7a95fce6702d796987e650c5ace44dca3f81740fb999dac24f05d2e29f37408b209d2b8ae71f504123cf

C:\Users\Admin\AppData\Local\Temp\yQAg.exe

MD5 031be0763573fe7d12919749e8e73394
SHA1 a0ccd56e91281199f404a52acb7a52be151921b8
SHA256 33fdf69ea94f11623ba4445760fd0e9023fbd9f6a2ed3163f0991429712e640e
SHA512 827c0b59397acc1475a58dc2cc8d52452b2f3642328c9d66ad0418e4a8ef843242e9152b7ae6a58d9073eba075ebb6cbe8f974e9d27942014e1266735339fa70

C:\Users\Admin\AppData\Local\Temp\wkYI.exe

MD5 b979a1d64621686ad50aae1ff9f702f4
SHA1 78694faa7b04c439f55cd196c755bc34d41a9b0c
SHA256 9e420523d41cce2cfb520ad85be4e82cf674272be1cdd2b421757f7141aa25ce
SHA512 8c0d15986b1cf5918003d9426df817eb918a05df383c024463edd84e915507a03056238e5a45e9829ac9ca4d38dd81d2886e3ece77abefce7d4335295fcc5672

C:\Users\Admin\AppData\Local\Temp\GUMi.exe

MD5 f301f0bf73e43dfebebc6a147f9b098c
SHA1 148425a81bb979904c09de15494da377d0f5952f
SHA256 18b94b3e53f85baf7acbf3fef59c5f4cbc3b6cb518decbddb0562fc0eadb6a56
SHA512 a1a303d2ed9938b681399e84ca6583859d06ada2be6d590dd498b06eaa85f72fdfa3215ec84ae0d7a53865086b2779cf417f22102a017f2474fb7e0e3e8db316

C:\Users\Admin\AppData\Local\Temp\SUEk.exe

MD5 10cc9a82e768db67815f69e76b72f00a
SHA1 b6f133a6efab6cbc8173fa6d6ad5469fd6c6d185
SHA256 7c4af664d35520d66a2712fce6520a03470a3ac9aab73dd00e1d8387e959b1bd
SHA512 b43bb9a41dbc4dc8844a3699eefa9eaf18bcb5985b32f025b6ab5255e772e41d66bb141f3e6263c68b53a2072db28e295489e1ebfa030d855979af4027d04563

C:\Users\Admin\AppData\Local\Temp\gIUQ.exe

MD5 cf4cbf3180657cf37680c6197fed61db
SHA1 8abaeca0d140f7ce42fed095c2896781aa03564a
SHA256 8f55048f0d04b5d3150b9e2b75d403323bedf969a7baa6b8f8b3a951f9ab279b
SHA512 9277b51f3421a10a331c13be37ef0b5913bdde9bac5025fd788784a31eb5bdc7673db6ceacb27c6029e6b3f5cf1f5a111d5392f19c44ce480176b4769e6321ea

C:\Users\Admin\AppData\Local\Temp\UUsa.exe

MD5 055458b7a307ff10848733a7f3d80010
SHA1 c5325a317a42b638e6e9989745bde422089c22ca
SHA256 0653b3e821b476245b2dded297d08bf00dbdb9f739572c0f10ab044577b8c814
SHA512 85bca39f523dfcd97194201821f41d153ac53afbe8716020999c9797bde729c6024500dcffc6770e39e7b6cda2da6e99931f3cd8265bc1610f581149d25b9ab9

C:\Users\Admin\AppData\Local\Temp\iAIm.exe

MD5 b5c0cc7c29c8709b2e78c7f1193d53c4
SHA1 553c6184ef6a7025a45041cb093b8c4a3f7ec91c
SHA256 8bfb50a907cf7dd8be1edc1f03140cac19e309cb52c9321b781d796328a2ddec
SHA512 0d8abbcf8e9092967c4af5862a8109f5944bed417d8b18aeb2355d53759c4da5a45d432d54225a0d748a4f807d50bf4fca5d45ad5cf216431049fdd479e5cb83

C:\Users\Admin\AppData\Local\Temp\aokA.exe

MD5 6ca1846fae6e7b90554deaa3eb2214a3
SHA1 a0ccdf1c7cded5192a2b9cd87222078db0278a85
SHA256 d346d7afe9296c4d03c10a746459fb93ca143a4d6ffac978a4e634b32f17358b
SHA512 cb540e23a56c5a470fefe18dc65835384278bc6d6319cc9ba265a78664aac5953f9689478458f02231387428d70887355ed42987b81017cd52e4e903b3878507

C:\Users\Admin\AppData\Local\Temp\ecoM.exe

MD5 98d36d2c5d32117ec6064d4f85329102
SHA1 1c98d4a6b2ca4272eb53836d4355c1189a13b850
SHA256 5898007017696f4134d57f57230f04b9aa936c9d519c1c2df428fff19f19a56e
SHA512 9ddbf7fd62cff01a5cfef320bd26a7165ead27b9f0ccaefaf18d4d333e3e43730f2320c6d8406dc8a6c98580b7f9b974129e7d3b81db7594136db3a2fcf7c5d1

C:\Users\Admin\AppData\Local\Temp\qUUG.exe

MD5 6904390d008acac491470e9db3292d06
SHA1 93e19de66ba0ab22642a68b7adf6c671f5dc8d32
SHA256 91d5a40d6e532c50c0e6e8a93c777456eb03cdb5cca15566d2f0743bec0fc82b
SHA512 00563784e6038d35fe4f84ed39efde4fad8e7e7a63565030761889f7c4dc5b32958e99f135962fe03618f7e34ef4702130d2bc437e7697237910d91c733752af

C:\Users\Admin\AppData\Local\Temp\cokK.exe

MD5 727a1e554d462f4e7a54043564fc8783
SHA1 0672d1734259096f637e4be054927ab6481aa2bd
SHA256 fd8d9224c62b3b92d2a6dcdba968f663bb4b68d76b6d3f9ceb03dd5d019b3bca
SHA512 d29e291bf29ea2a0b32c45eefe47f7a208b7de0778d7ee4d6dd221d494764216b1489909e20a591b8e11afb3a216ae29ebc0151c4c0c8ea7b9c2e42929e59588

memory/1732-1061-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SsQI.exe

MD5 d0f05fa0eca279bca6f05b62c649147a
SHA1 92051e065f91a77b9a211f47cd6d8596e808faa7
SHA256 5d937adf623c4465941bf29c8eb1a2cf04510f46ed6e72d0de6577e92356336f
SHA512 ca42350b1d0d68e4a8f5a9051e0c87d88f689cf5a551b2379ffb5293661da902187d5ec6d92070f5ae702e01c416243fef814880e7f4086b5a78416c24c3eaf8

C:\Users\Admin\AppData\Local\Temp\qoYa.exe

MD5 912aa9b36b4941b218e12a7c8e4632c3
SHA1 950a450d3620469642b6f9b905ffc84a6789eac2
SHA256 f9c2199e44611e93bed03019648d858c5d01384050f333ca946d40e8b9f14949
SHA512 6ef94f2c3e1dfe2b24f817fed06ee9fa263ef26a7748c17a2bbb45baccc1a3af61e96c574f368fa8597b9860aab1e097d8d4615b8ccaf4cee71b0227b7c6b3c0

C:\Users\Admin\AppData\Local\Temp\YgEk.exe

MD5 efd1fae9213ec7e71964939b549b8928
SHA1 fdfc2e775b1c723468fec13d94cecb91f75061ce
SHA256 79390a6dfb51240ae3dd1997e16bdc4e07c938f0720d865c0de688596ef2ca4d
SHA512 8301fa397ed0675fa346ffab47809b75bf39c2c0ce6f8bbb0a910170127166d92b4c8a05ae59aa932d0f4335df46f87769f390a6f80395161e967286d0a4ad2b

C:\Users\Admin\AppData\Local\Temp\EowM.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\GcsO.exe

MD5 36d94cd82a3557e186d6d888354953ea
SHA1 da5b026c157d039e0a79b331aab396dbc90845f5
SHA256 9e8731e64f06360d7b2782d3ea91beee0985647c98d1be9b902f1c05f42a6848
SHA512 f9b20a144f3153f8231856f6154eeb7f8ad26a03822f7bec4c987c0d9ed2910c40e0f3a8cc463390c182c423a24f510881be7b97f6e984df0eb4d46d97cc19ee

C:\Users\Admin\AppData\Local\Temp\Akky.exe

MD5 b3b34d2179b03120a060f1d04db9da27
SHA1 367a479c0dda1380d28e85e90e33e8e6526be57f
SHA256 095c2294a95d868e696d55ea20b3361829bc6659f219e1d0bc7d3f1ef6117a87
SHA512 d5cd71731fe83366661e095d47fedc1bf4952167052bd95d1e3b93a4486f55ff1822af949428b0f7199720e7e6df0c6fc14ec8450aa8eb82c354c6e8e635eba7

C:\Users\Admin\AppData\Local\Temp\OAQW.exe

MD5 ba51dfd2d21c2fa990ca6806af68020d
SHA1 71e07f65955cdcc562301681ae5262598fcfd508
SHA256 be62cbf15e826ff396164a40abc775f187da536556f4e3d8dc46c4c576b472e3
SHA512 765e2510ec63e1b577e3a042189abcbe6af867a515538c6469e1c95311830a8c73d45e888138662d9a92d435644727861c32a98a552058315e8337c2267c403f

C:\Users\Admin\AppData\Local\Temp\AQoa.exe

MD5 180b22bb6290b886b3c7b05aed6cd1a7
SHA1 463c3603185d21bb414c5c3a4b718478d182f41b
SHA256 1eb3eba40bef1c657c47fc9252a1c32bcf91f340d8d69a3a6e260273f6873330
SHA512 cf8d39c3baa70f3f253889d85e5716e70533d43df825b425cd6169d9f6729c8f3a83f5802d47c10c41aeac3677ed4fe8be2c7cad07fd121e4bfb78224f1c4e33

C:\Users\Admin\AppData\Local\Temp\SUMS.exe

MD5 5f7e6ce51a2c7967f8e9114c004dc25d
SHA1 a6879d2895109ca4a0024372c2254fb57bf2a20c
SHA256 91be55c173b74ad8e5059d58ca6c40c20ab6e74ce5dcf0aab1415f5422fa0926
SHA512 7ae987651a9f20486c66287601aec3fda9c6c2c47b9eeabb0ae79934cc4ebc06949a9b3c9584e36ab516d6ebc3318bccba91f26ae27545e10f5d2b937c9b6fff

C:\Users\Admin\AppData\Local\Temp\uEgW.exe

MD5 aba88a59aaf4c1fd51ef57075a9e1bb7
SHA1 8312526210061266f52340c58a53d45dd7958abe
SHA256 75f8260fc6014a7aaa07616e4b614d6ef5bcf2c8bf3001271ea9596549f62ee3
SHA512 9a4ba21fb4f4cf5b91cbd5161478dee9217df675d830fd7dbb15111167849bfe7a5f2def2cb27580b3853232bc94658983a7df8144d9c95c2902eab83b5ea9b7

C:\Users\Admin\AppData\Local\Temp\SYYs.exe

MD5 b2ed392e8e58a5af165248396a1e7cbd
SHA1 bf9e6f1a74155339852aa474216e179f32ef2bae
SHA256 428c76b0e367a872d4cf3efed97e4bc67a7ac6a35bb1af53d000d83addbe1e72
SHA512 0c31355c72b18c4ed36ce87d50ae622c062f6cd43cf44fb1f32ae7b27f5656b0f27ae90279aaeb2e610d1b771fe46e2bda08495bd2c9b4419a35a78891c4b591

C:\Users\Admin\AppData\Roaming\RegisterPush.rar.exe

MD5 90a715c468b7832e6408b0d223b0fac6
SHA1 6e0c7e459b3b9d4ae3d28779541a70dd892ed84c
SHA256 25b6412b27ef754c957ec944f227ddeababcff7d9afc7c785d76c56feb532b81
SHA512 e7244accffd15fed0dc1600da4c6b54326be7568499292c8e01b9ed1d59d9239eeddc603e9d3c35191c26d4ee34c51bfbe03d64b574c3dfc98946929988649be

C:\Users\Admin\AppData\Local\Temp\mwwe.exe

MD5 4b9c740687313328520edc6e977b468e
SHA1 02fb5a6a3128e1a10f105fdff89a48c40112a832
SHA256 2afaba67583d426e72efdb3566c9f3e968e5563afab9705ac41496f181a6f8dd
SHA512 2d530ffce3e672440149c13430b8ea3f1172991ee0581e959d657693c225124b028f2f449f5ab8f7913508bcd601b51d0f9424b07e961667cabb2ce3184c1b78

C:\Users\Admin\AppData\Local\Temp\oIkg.exe

MD5 7cf665ec7f17b4f39f0b908ef6ac1e62
SHA1 0b95c8fb63f1d46185bd6cf76118243b231c2d43
SHA256 21607f331d6301430412ff39821065470cef1c9019f4e4d5967fa38770b1ee69
SHA512 a65bf23cea86d34c9a5df21c8342381b54fa5a8253e7b5b59e1dfc956a97ab496f7dcfb1a0cc7b6f4484f1c5655859e8496d91064e95614f9ebb8a7b297f6c3e

C:\Users\Admin\AppData\Local\Temp\CcEk.exe

MD5 838f03acce4782a493c6e7594ac142cb
SHA1 6799309d5c2af3655e0383288214a4f87d765ff3
SHA256 17c404463556bd0fd25fcbf08278a09cedc6437149f28da0d22084e76874a9dd
SHA512 c5af053282580e433580be7cf8d6dc857bcb6a0d675474298ccd527be2b70145e10b7128c60bf4ae08082174a99f36c3646cddad5eb843872b9e400c5f966323

C:\Users\Admin\AppData\Local\Temp\goYk.exe

MD5 48d79927aa4530c818b4762006b85c71
SHA1 613e8271ca8d90b664cffa2bc00772b8db51c9f8
SHA256 ddebeecb258b521b7234f2fc4ce811074fada961cbca5fee83b5dadccf2dfcb6
SHA512 5a62019189021c71616b53833355272d10c6efdcbcd5b92a5ae09fac6c83e7bb9707f2f9ba4513727f039687e165e59a624f0bd72699bee72bd6e5103abf69c2

C:\Users\Admin\AppData\Local\Temp\sYcS.exe

MD5 288221adcf4cecf0ec57f25cc909f31a
SHA1 6846775dcb83cafe3f1436e3370702ee99eb975a
SHA256 160393e7d15a2ff7ed99791b5d986d41bf005547966a0d8ac1fad185ccf090fa
SHA512 4ead9ba690e1c4ae50f6b34097a5a55964e234e092febecd32903e2a791abbbf092b983f9f86b9c86df1ffa0e2adf6357b31878e8746b091cece104e64911654

C:\Users\Admin\AppData\Local\Temp\CAsQ.exe

MD5 c6d3923d244e2bf44d8c8c7071b8da3e
SHA1 bf0a6f8fe003f32b39326f49e35a9082fcc9d70c
SHA256 c9e8453c468dc8f0beb40f2b30ddce48c4fd2f7dd4c4ccc81da9a4a2e34f9582
SHA512 839e4f0cc639e2391f98a9e803e2bf8c9821b3d440d3704478b35cb78cc7f782855ac08df27b74d540bf847c87ab947648690f77de8123b16e707f00dfd82ba1

C:\Users\Admin\AppData\Local\Temp\EcII.exe

MD5 519612d93bde6a69124dc8ba292106b0
SHA1 0e5c1659b0e23b482735250ce85fe08e48718a5b
SHA256 6db1eac5b227f2e3d1766e88d2722c1cd6933617b7d92a2afe6124d1df4c503e
SHA512 237cc61612139cfd9fa2c08c87347d67e1de340e2559315eaf80f2ac6bc70fbf774c77594e7e0b00821955cdd1d51e661073aa5df087fc0502f3ca3f0380f445

C:\Users\Admin\AppData\Local\Temp\qAos.exe

MD5 1fe0195daec071755440176db3935b0b
SHA1 c91daf9a2afaac4414493c7890c5fb05afcdbba4
SHA256 b7347e30951fc886d52696454a611ab9b2a009177b99590e9ab0cdbe2e2196e0
SHA512 bba006defb7de9c1dd2ae8209476cf6ffecdca69ef2a5ff228c24eb52f5ec23e29e32073467f292d496f46591ef7c93de97693265377fa0b5803570a3d3d3179

C:\Users\Admin\AppData\Local\Temp\cEIs.exe

MD5 a871fb5ab481bd12f857a35a0a8526e6
SHA1 482366fa48d33abf654e2e586c00fe108f85ac43
SHA256 83b5a5dbf81de3bf30a56b56214010e96b63e62b26bce5a9d75e70452bb80cd3
SHA512 83ac8450f4fbeb84518e7fe3b07500810abde4e5237465dc14d6f0ac8806d4235f3949b5e76f2f6b5ef612942162f8e7500e2e1f9b7ea8104a8881d418fb51b0

C:\Users\Admin\AppData\Local\Temp\EuII.ico

MD5 03c62b34b94a861c4f99017a91bc749e
SHA1 2ca36583370792d9d56be7e5db98417188adf5a6
SHA256 6b1018b4e474afacb1c54331284d85fdbc2bb5e945466dcbda91231feeac5fd4
SHA512 4260811ca36c05c15db789932b24767db68b0dfa1a0590e8d4f69328e208c38693e978d892e0d229756a8ab9092265e19b0a0da132f0542f8460be54ba6371f3

C:\Users\Admin\AppData\Local\Temp\Skwi.exe

MD5 5d72b4c66ba333484257c965c6a5e1e8
SHA1 4d70b4eda05b308ae4a19bbb4d21b6982616a408
SHA256 9b69b4a3a7bbd9cd5debb152a7de0eb343579929779f2d184e94c6c95353dae2
SHA512 07ca5a0d60b314720075a3663b1d8e00de207d81860f671d581622dca81ad01b3fd37d0751d779ab212f08f5ac9ed43a77b1e4891da5ed73158f42a5ded95aa1

C:\Users\Admin\AppData\Local\Temp\EGsc.ico

MD5 f7858e48b74b107ab160878eb400128e
SHA1 d8cdd8be514077e101a9f0a0fdbcdefaea6aa72f
SHA256 2dd714e9df3921b1194d3d890f6509ca5ee753d81f9fd83dbeec831440d22938
SHA512 c2e950c96da0c901c550dddf953dee3eecbf9a1cb509100c93bb034351369e1547bf5b97d4aad78e2bdd516a09ea28e999e597fb0a91fb350da7b7d3ec08e9d7

C:\Users\Admin\AppData\Local\Temp\MYUI.exe

MD5 5bdafd05075acbc5c76f208d4fdcfee5
SHA1 018ce954fc728ae6ca7c78b54c5d8ccbf4c83a3f
SHA256 f1b6e3e79bea6aae6403c6b170032b6597b8f2fafa17ea4d111aad41f75752f0
SHA512 5455c109c00b1ce3d5b3fdb1eba908a7953b6139cf574848806245cff834efeb2f78b71132087f0f8379a2b50f5a2c9edd9b11f9ba83ea9886c565b7acb75487

C:\Users\Admin\AppData\Local\Temp\gkUk.exe

MD5 142ee55449d861682a6a3843c91c9a35
SHA1 29b518a04d1d80021faf9bbd199914620cc11291
SHA256 9e3d91448d02e622c3e117fb1ae87fb76d20f2464ebdd33450c33ada81057112
SHA512 ce36eeb61a850c63704b6662474eab11de9c1a9e3e7ea9fc73af84fa08126c8bf989a9063f7484e64a42b014753f7dd5a9d437a7c784c19ca884c19a5a0dc05a

C:\Users\Admin\AppData\Local\Temp\qQIK.exe

MD5 91d77d81b831a26809fa1d44f94fc69d
SHA1 c284718f0a43c83ced418840545e3e0eea0570a0
SHA256 c1b383c49f083888a441d28429b0ecbaef66db5c3e88e15acc602cad1d8fc8e4
SHA512 240feca3a1065e186eca6f7f469f2a8ef26ef5bb5882f24e8332b107d7d9c7a58482ec9b7bcb36ea9b4019e3d3521426b74e79cb4388e0fe381c9efcab4e7bd2

C:\Users\Admin\AppData\Local\Temp\isQU.exe

MD5 b4acdb32f6d4e5bfe642016b2330af13
SHA1 989c3bed2c9e494c54e282978907d42cca1c330d
SHA256 270ae20237d16aee7758fd52ea5c35a641bbac9a7b15107d95e21f21571dd4fb
SHA512 114817b39d2e0d0ea40b375283031f3b8d9acc323abbf0bc784f9f7742f7370be95e31fe86f19132a9b031e3ccccef8f1016278a9ee4fc5b6d198dc857022951

C:\Users\Admin\AppData\Local\Temp\QoAK.exe

MD5 9b435df248685962724aa9bcad488c66
SHA1 69c4742f02ddc05f114dcc50a0f0dfc068cf845d
SHA256 d124d26d46ff718504f2c40e732985a2c9c9232f00e5547ac1b8770d7ecd906d
SHA512 dd90ade1c3c18679f9494612ec22c0dd9bec26fa11654247d26e09c91c5386ed2b926e8fc8ef7640ed742bf625063107c701e513a5eab3a9637727d1653c0637

C:\Users\Admin\AppData\Local\Temp\Usom.exe

MD5 933eddc2e0542876ba7e7141c88159cb
SHA1 79a95b2cf16dde61e9524aa0795a50976e320ae4
SHA256 4526c0afe34fb97c75b5232368b7794a8c038953bdaa7009393aaa6546052d05
SHA512 661127a5717576c2af4dc2d8de4502d391da2facedd6964dc973d7ec5c3e62dea35367d74144cf03be90a908c56f73bc4c715093e9dc859c211a1854ca08aa1f

C:\Users\Admin\AppData\Local\Temp\SkAA.exe

MD5 3b13ac11ae680e97fed185ec88a7201f
SHA1 1a6739baa691dd95aeef1bba18a0147dea9c4cd3
SHA256 b41d2a56a893c99476b0caff2b95cb9a8a049ee6c331e70f2621561743678365
SHA512 ba60341288f65e7924c334371ce0e21da7c7d50f8784c7a88fe174b0ae0aff1cbceeeaf38e2cde7bb36f422bd25b2089f9eb9a105095521f0716171ce8b2443f

C:\Users\Admin\AppData\Local\Temp\Uogm.exe

MD5 8cc1c3cdb824cdf7719fa5358e59e3cc
SHA1 ab22ae25902aebf782ab3f1774091c90607b6724
SHA256 6dc4c227cf4d28103b5b3ef972a01ac6c79ad67c0a184d9bd7a55cfe21d5b428
SHA512 613ce741bee10760ca7407314420fb58f5a4014e2a4c3a9ffe3efad0ed5499ab0b1c06fa47f8a4c4c24005b483cb7398acd0e7bf10398f227d0c659341003488

C:\Users\Admin\AppData\Local\Temp\cwcC.exe

MD5 a97ac7080aba14c3a890a90a9c491399
SHA1 789d73484cfcebcce344b0967a3d091255bf17be
SHA256 22d31f41880fcfd8f150d8766ef422488e6c6c56c37c32d41dd58b48f2b46fe1
SHA512 6fce6af80012b4ce3dbb2ccd4b1dff03e322b6a0ebca3fd9b000139e10242968e508e3db59d3a962d289145cca5a9ac2bf89d1cd0c7a2715f586110bfeb9b321

C:\Users\Admin\AppData\Local\Temp\qAIs.exe

MD5 18891071998cbeb362a37b93328a69c8
SHA1 e650719b9c6c8d4cf755a852512bf452ee124472
SHA256 0a38b73b1b45a1f1f4e810e54c76371bb2275b49fc23a6d9e271a0a127d8c487
SHA512 3365d8268d364a47f5077dd3e9f80716bd28edd99a7ca06b819c724f8874af94274534906eed503648e9c40fa0f3aa3b83548a0186d5834a5089220dd9ded3d5

C:\Users\Admin\AppData\Local\Temp\SIkk.exe

MD5 6703ebfa806628d7aa2fb64539b22431
SHA1 3f4dc661391e3a378abb0b37c2ba720432aea16c
SHA256 f55b9567dad194e49a3bdce7bce203b723cc6dd5af6761a07a59c3e68ff235f9
SHA512 f872dc5e7dd7a77e7c8839f486919bc82bff7b758c3462608b5c1675fc23c5763f39d7770b92c087d2bee0d12ae43021edef545b4d48a7e65fcbecc06f9c90ea

C:\Users\Admin\AppData\Local\Temp\MMEU.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\AgMK.exe

MD5 cfcc2a87379bf63c080de0c4d6db7db6
SHA1 2634cc4250862fd3a7f2740a95cd4496f9e51773
SHA256 b5aad286a19be664af0e3af9ceba78cd3814394c836cc6c1593dd627d9da7e79
SHA512 9952508a5b52a87f6e1bb98968b5379a3426f9d435f51e7d3973ee647a60fdb0774079638a21c4c9ada29edf0a32cfb03e9928fd45843dd14c6799b6567737b0

C:\Users\Admin\AppData\Local\Temp\EAIU.exe

MD5 4e4f0efdd3bed302ac8610635ced83d1
SHA1 e146799d93b85b07d1eba2afd16542f373e52179
SHA256 247cea5e17c2fedbe4ff10fc2e4ffbf4d200b0f9113090e100c7ef6243dd0bca
SHA512 1310e7bd1056a10554bee225e86229eea1b3c2501c12315247c6fe26df18f726e8c955afb3c48fe8ab72d087d3cb520d74161ba4b8360662bdad1fef303e25f9

C:\Users\Admin\AppData\Local\Temp\SMYK.exe

MD5 2a55fd0ba814fbb46866b676eb9341a0
SHA1 8583b7ba6959bdeb876e03da4bb87761b95eed68
SHA256 57ccd61ac4ee5f0cec2e611c4ee8418c51b51478e9e4c6c9eb295e79e0888f9f
SHA512 75200a3307688bd6d000f12673c165d9b934dcc5d543aeea826d233268013a1c8c34a7be44a5e1d85a1c1338d6186120ba2ecd595d9de9b9cbd2c11175bf09bb

C:\Users\Admin\AppData\Local\Temp\mcMi.exe

MD5 568993937a2178772365b242fa1a7858
SHA1 1e5f0c89bf6a2fb58aa1cfcb4e9f51e42a6bb865
SHA256 d79713c62c1b82f822e44190e294de2c95fc9753638f1e66c9ee0d240d979140
SHA512 90f3400d0b35706f72457ee76da179bb50bac372e9b23b51d45ffc00e4246bd42c563390e23b48d6a9e5e388a2b339542a2363738b0f8d601d60624a0518630d

C:\Users\Admin\AppData\Local\Temp\MSgM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\AAMi.exe

MD5 d7a8cc252bd4e1f2d34149ed7e1012b5
SHA1 e5373d76ba253000279826229e2c08b350e699f8
SHA256 33f1b3a74db7079951d4a74e2c95c00211fb567cfb2a17ea57fa6749694fc087
SHA512 fd6a6baca61cf5ce3f015e5b4322edb43ea282165100a6644756a9ec9305eac5b2562c787f7006d124d98c726de10432b807238dec47c841c28b8eaf06b7fff5

C:\Users\Admin\AppData\Local\Temp\QoIs.exe

MD5 4abff283a25343db8fbc1f120d3d01bb
SHA1 b4c7ae537aa6f6b3a6508b6d22cf0f954c8d709c
SHA256 70f28581e564bc3c88502b64ac000dc07338ebd50d4f6f1ba223001ff162e599
SHA512 a25548cee68533a2d26ea40d389befd60e3deb7a23dd61c957e7da2d552bce3d19f14e06ac41a1e97bd4d29097954a1edf761407e7c912d3b512bce8f749742b

C:\Users\Admin\AppData\Local\Temp\iQYW.exe

MD5 15497ada3bc95cf208de91fc15acbe07
SHA1 2a244c6dc9ffa4aa96cf071cf8a1e764df36ddf8
SHA256 d1fa9fde41e19a70977b2acfba2d421ce5061a8d46f09cbc74fc2c332b0dbaef
SHA512 c21ecd0ac8b378707fc8de7415a60b9f0584c896865d0d8e8bb812671b54d8dff2173c6a3de77343ba6cd4a3f431d4b01e2dc6c1779c9e2e26e3860e7203b646

C:\Users\Admin\AppData\Local\Temp\qoIA.exe

MD5 8df9917a1a8aa64b5095b60adf982e32
SHA1 34fa7ea1e2822da55ceba980e30d80eb122e6449
SHA256 7642c3570c654608ee40a8981bed51d78375a6f0eb5d08e50788706b94e5cb77
SHA512 0181df3813aeca3fbddbd223306f9fcd609cffb7a047bb7cf08bcd60267375928bd2c3a5b6d538d8e5839fa955c9bb6adb5c41c9fe050558304e960354690ce2

C:\Users\Admin\AppData\Local\Temp\CEoU.exe

MD5 8343cffc29e50d769b3da96a189cadc1
SHA1 b968e8948b135afe9d502c8e49b56f62e8ec09b0
SHA256 72ae64673b02ac10bbbe3e1ced98bc0280ff161f480609ddc0491d79d56c067c
SHA512 682b556ad5057751a3289ca35383ea6e401c4b6d5e7e0d6cf96bba2ae1217694db79955676e8b93780fdf1bfec52bf123c1bbca4908a7ee093fd12bac73c95b0

C:\Users\Admin\AppData\Local\Temp\SUki.exe

MD5 d58a28d4c84385bb715771f4ac4c4313
SHA1 7fb48887de34603a436f9c5877e51cfeff9ad1d2
SHA256 495fdad7d0a703dca38fd3323ef09949dd0431965233ea39cd8286af322c3be3
SHA512 4566ae4194e69fda00ab808f67da2ae4904f7b44d54aa8f1e4239e515311d2f86811a916120020a7fe0f4247ff26e3c40d580d9dc251ffd708e0a0b5dbc07b9f

C:\Users\Admin\AppData\Local\Temp\Kkog.exe

MD5 44d5ce81c574c6683e9707f391575f1d
SHA1 6c2ca99a8ba5a64ab93a2b3c35e4e706d9b2a12b
SHA256 20863f37e790e81d583224bd53d70d48c1e44a0325995f67982f77e218db69da
SHA512 3e59dabcf5fbc73469ad25713d718890ffb8ccfedb929bec39f25cd0d21ace78ab33b669fda10b8d7b70536b4ed57479d242050a424413df7272fcbb82fb6bae

C:\Users\Admin\AppData\Local\Temp\UEQO.exe

MD5 e09dd6e618b479186343bd550843530e
SHA1 871adbd83b17d13e8ebc28f6591c11293e8dd83c
SHA256 3ac92fef0ed335d25749f9c174d904d5e650c3540c400f95d314b5aa97d17a32
SHA512 d8408d9ff3e7a0d6a05fb410455458c64db9b91b4d052bc87745a6f3e184f73b21095040d944d4f1ab263237dc373235d9508a6b544e6f37c0526747d882cb4f

C:\Users\Admin\AppData\Local\Temp\ukAm.exe

MD5 81dd2a0bc97dbd48af2b0b2c0a046110
SHA1 dedfe64e0b73759b5746762fe833205a4deb93a7
SHA256 9792804aaa7d1975e25b7dad5e72adb0aae1b809f8bbb3284842be1a5fdbaf64
SHA512 6a61c7583476afeaebaa81e37c51871e062936eb25704cc97bafe6e6fbce79fc898a5b517a873bc29ed5f178595a5e517a85689e26520548b7d589239e6ef890

C:\Users\Admin\AppData\Local\Temp\sMYg.exe

MD5 78ab59bd5030c5d89b5aeaa0b6e757be
SHA1 b8b3b46105b1419c5418e6dbdcab8d6dcd5cc2e8
SHA256 4bc9a7c27e3bef2404290f4eb43bf4b8278b11acd34681d5e251cb59b030f4ba
SHA512 bbb2c797f218c45e9fc7d20663e5b102e04e91bdd76e66fbe196d358b0541d59210535dd0266d68fd8c29b625cf2724581fe65f5abf951e4e258e6c2e154195f

C:\Users\Admin\AppData\Local\Temp\cAQW.exe

MD5 7f12a348e56f625b14cf39bb6b335497
SHA1 8e2f9e28ae0623015fda32bad38edde475bc4b1b
SHA256 087c18a86def58314e4c9fad96ce92fd78f268483f897795faac7c972310323b
SHA512 d55850788593778906805f77602d4152b28c75a8408dda2679b0c60cf9a41c2ca9b4bc86b8ed21cc870c6e27b47f7de5a472c431c168f31421bf58421038607e

C:\Users\Admin\AppData\Local\Temp\GgAm.exe

MD5 e8e8ac6ff24002881b063ad81975180c
SHA1 52cb8c6ed276b59df69acbb49470180082c1ef54
SHA256 7ba630425477ff61306ccf5a744836e82df9080be29eaed3b1cec1c07189e263
SHA512 234e2fb706afe1056f4aa8c607ec8fe1bac82a1374fb096725dcd2a45b9096f1e050d45d7f2807f9bc3b6916d194df4a516e05b793ad83d4b5297b2640b0a58d

C:\Users\Admin\AppData\Local\Temp\EEks.exe

MD5 28ed47423d47a1b2262c0c5d23777607
SHA1 253c8c61a7d726b601b2e440f6ec56a6d54ed02c
SHA256 200f4565a31dcf01f0a2fa9b75057abc72ba9b0aa47e7a82af3e427a02fcca16
SHA512 b315ec7d6ab6d0c04a2fa3b0a409d4677d093bbd80cc839a849c85addf22ccb845f07220350c95063374bd8cee9570387348e043adf164d3770c1b1d2aac7730

C:\Users\Admin\AppData\Local\Temp\kgMM.exe

MD5 60f9016b7c76f8faeea235a279223755
SHA1 b1f74f68faefbd345b2db758f7a35e6a37787ba7
SHA256 6406c365fd0dadc0c1450599913687808cd9a5d9fe99952955cd20b47ce17dd2
SHA512 69dd7ef247d6f297322c1c53dbbb231064ddcc47a1d0f3288418d831fbbae66d6ae14ab9c2934d8115257dbd63ddab42f53082d19a66584e52323bc2a3921b32

C:\Users\Admin\AppData\Local\Temp\ykws.exe

MD5 6fccdbb672d519ae6d50473b97ec7c06
SHA1 b47f4b7127b0cbc03b1e4130531836f91d7e39de
SHA256 62aed6b32f1f0f47576c93acca98530d85e6e49490a1c6bc4eed328b26fa9101
SHA512 cc11ae5a02eea5a963a851cf5dd40f6b046fc40031d5d4b40e8259c813032100be43b4583dcd5ad0058558a3c487bc1fa1b4878a51bd54add5b4e38639117993

C:\Users\Admin\AppData\Local\Temp\cwQY.exe

MD5 d1326f59efd1010a80c71fc5013af52f
SHA1 c7a8cc40ffd6806661957f3934298c3c38ed36e6
SHA256 3dae9570439e137b74f80a2ce52c4a5be5b1a97ad80d18929317138e8ac78da5
SHA512 ddb637d0270809fd366231e55cfe89e1e85939d7317006d3909c603b6ec4499342fd783a569e8bceafec6e9233267e299e920132a5992e39487e36dfcedb22fb

C:\Users\Admin\AppData\Local\Temp\ikoy.exe

MD5 21b764aa068b232e9d8dffffd1fa5ab7
SHA1 2f5af5e390d15c73b1dda9608432b0328b014cbb
SHA256 6cebdb93c2ee7887dfb8ac078c0766c6c913c91d6ca2cbbfe888e63f5e797dc2
SHA512 5ec24f4225818456f9a4cb312ff07b39f7971416bbb014e81878c97d3a9678e79fa4c9067dac3bc410530b15a809e72a06917bd690936a83e265d0ecd099875a

C:\Users\Admin\AppData\Local\Temp\AsYE.exe

MD5 036a70f2493498408ca83dbdc8ea704e
SHA1 9132f189a7aac52889c47b91ec37d245cf7f274f
SHA256 d6711d69d250e422d61661988f94fd925e19f9c12234cfbc10a30d1b737e73b2
SHA512 76ac69770707bb26d90723511fe8776f29e5c77590f16e94770a71e01cf3dec8ea35cfe09d54caf3aca3445eb18883cb5a6a4b13fdaadfe1e8ee111c4b8a10a3

C:\Users\Admin\AppData\Local\Temp\kAEg.exe

MD5 2cd04be34dc006bf85234a04ac5d9a43
SHA1 1a53b425a2bbc513935677c3840d15dcb9a310f6
SHA256 679eb652156fc4c001bc4283f764942c30d01ccee07241a353a886de56bfa1c5
SHA512 f3a7a019ed3e212c2c1840f714ea8c854a41e9f415e32ee2913e2cf1b41b9e3f019f0f57380f2eaf198e17671539d59c7997bac757fc84534d1e1c593902d71c
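The dropped-file listing above is a flat dump: one full path, a blank line, then one `<ALG> <hex>` line for each of MD5, SHA1, SHA256 and SHA512. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses that format into records, rejects digests of the wrong length, tolerates an orphan digest line whose path fell into an earlier page (as with the SHA512 at the top of this section), builds a SHA256 blocklist and matches file content against it. The embedded `SAMPLE_LISTING` copies the first three entries from this page; `record_for` and the test bytes are constructed helpers for exercising the match logic.

```python
"""Parse a sandbox report's dropped-file listing into a hash blocklist.

Added example (not from the report). Assumes the listing layout used on
this page: a path line, a blank line, then "ALG hex" digest lines.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Hex-digit length each algorithm must have; anything else is a transcription error.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# First three dropped files copied from the report (raw string keeps the backslashes).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\Skwi.exe

MD5 5d72b4c66ba333484257c965c6a5e1e8
SHA1 4d70b4eda05b308ae4a19bbb4d21b6982616a408
SHA256 9b69b4a3a7bbd9cd5debb152a7de0eb343579929779f2d184e94c6c95353dae2
SHA512 07ca5a0d60b314720075a3663b1d8e00de207d81860f671d581622dca81ad01b3fd37d0751d779ab212f08f5ac9ed43a77b1e4891da5ed73158f42a5ded95aa1

C:\Users\Admin\AppData\Local\Temp\EGsc.ico

MD5 f7858e48b74b107ab160878eb400128e
SHA1 d8cdd8be514077e101a9f0a0fdbcdefaea6aa72f
SHA256 2dd714e9df3921b1194d3d890f6509ca5ee753d81f9fd83dbeec831440d22938
SHA512 c2e950c96da0c901c550dddf953dee3eecbf9a1cb509100c93bb034351369e1547bf5b97d4aad78e2bdd516a09ea28e999e597fb0a91fb350da7b7d3ec08e9d7

C:\Users\Admin\AppData\Local\Temp\MYUI.exe

MD5 5bdafd05075acbc5c76f208d4fdcfee5
SHA1 018ce954fc728ae6ca7c78b54c5d8ccbf4c83a3f
SHA256 f1b6e3e79bea6aae6403c6b170032b6597b8f2fafa17ea4d111aad41f75752f0
SHA512 5455c109c00b1ce3d5b3fdb1eba908a7953b6139cf574848806245cff834efeb2f78b71132087f0f8379a2b50f5a2c9edd9b11f9ba83ea9886c565b7acb75487
"""


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def extension(self) -> str:
        return self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""


def parse_listing(text: str) -> List[DroppedFile]:
    """Turn the path/digest dump into records; raise on a malformed digest."""
    records: List[DroppedFile] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:  # any non-digest line starts a new entry
            current = DroppedFile(path=line)
            records.append(current)
            continue
        if current is None:  # digest whose path lies outside this excerpt: skip
            continue
        alg, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[alg]:
            raise ValueError(f"{current.path}: {alg} has {len(digest)} hex digits")
        current.hashes[alg] = digest
    return records


def missing_digests(records: Iterable[DroppedFile]) -> List[str]:
    """Paths of entries that lack one of the four algorithms."""
    return [r.path for r in records if set(r.hashes) != set(HASH_LEN)]


def summarize(records: Iterable[DroppedFile]) -> Dict[str, int]:
    """Count dropped files by extension (executables vs. icon decoys, etc.)."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.extension] = counts.get(r.extension, 0) + 1
    return counts


def blocklist(records: Iterable[DroppedFile], alg: str = "SHA256") -> set:
    return {r.hashes[alg] for r in records if alg in r.hashes}


def matches(data: bytes, records: Iterable[DroppedFile]) -> List[str]:
    """Report paths whose SHA256 equals that of `data`.

    Deliberately SHA256 only: MD5 and SHA1 are collision-prone and should
    not be the sole basis for a block decision.
    """
    digest = hashlib.sha256(data).hexdigest()
    return [r.path for r in records if r.hashes.get("SHA256") == digest]


def record_for(data: bytes, path: str) -> DroppedFile:
    """Constructed helper: build a full record from file content."""
    return DroppedFile(path, {a: getattr(hashlib, a.lower())(data).hexdigest() for a in HASH_LEN})
```

To use it against the whole report, paste the full Files section into `parse_listing`, feed `blocklist(...)` to your EDR or YARA hash rule, and run `matches(open(p, "rb").read(), records)` over suspect files under `%TEMP%`.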