Malware Analysis Report

2024-12-07 10:10

Sample ID: 241112-xvt7hsxra1
Target: 031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6
SHA256: 031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6
Tags: discovery evasion persistence spyware stealer trojan ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

Threat Level: Known bad

The file 031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (55) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 19:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 19:10

Reported: 2024-11-12 19:13

Platform: win7-20241010-en

Max time kernel: 150s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(39 identical entries)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(39 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation C:\ProgramData\FeAIowIQ\tUowIQEQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\PUsAEsoA\yoUAcYEU.exe N/A
N/A N/A C:\ProgramData\FeAIowIQ\tUowIQEQ.exe N/A
N/A N/A C:\ProgramData\QsQMIwgU\ScwYYgIY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoUAcYEU.exe = "C:\\Users\\Admin\\PUsAEsoA\\yoUAcYEU.exe" C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tUowIQEQ.exe = "C:\\ProgramData\\FeAIowIQ\\tUowIQEQ.exe" C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoUAcYEU.exe = "C:\\Users\\Admin\\PUsAEsoA\\yoUAcYEU.exe" C:\Users\Admin\PUsAEsoA\yoUAcYEU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tUowIQEQ.exe = "C:\\ProgramData\\FeAIowIQ\\tUowIQEQ.exe" C:\ProgramData\FeAIowIQ\tUowIQEQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tUowIQEQ.exe = "C:\\ProgramData\\FeAIowIQ\\tUowIQEQ.exe" C:\ProgramData\QsQMIwgU\ScwYYgIY.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\PUsAEsoA C:\ProgramData\QsQMIwgU\ScwYYgIY.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\PUsAEsoA\yoUAcYEU C:\ProgramData\QsQMIwgU\ScwYYgIY.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\FeAIowIQ\tUowIQEQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (27 entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A (9 entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (18 entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (10 entries)
(64 entries in total)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(64 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\FeAIowIQ\tUowIQEQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\FeAIowIQ\tUowIQEQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Users\Admin\PUsAEsoA\yoUAcYEU.exe
PID 2208 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\ProgramData\FeAIowIQ\tUowIQEQ.exe
PID 2208 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe
PID 2208 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2208 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2208 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe
PID 2488 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1888 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

"C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe"

C:\Users\Admin\PUsAEsoA\yoUAcYEU.exe

"C:\Users\Admin\PUsAEsoA\yoUAcYEU.exe"

C:\ProgramData\FeAIowIQ\tUowIQEQ.exe

"C:\ProgramData\FeAIowIQ\tUowIQEQ.exe"

C:\ProgramData\QsQMIwgU\ScwYYgIY.exe

C:\ProgramData\QsQMIwgU\ScwYYgIY.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEEEUMUo.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmQsUcwg.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWoQcYUc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEwwcoIE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqwMIscU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MaEEQoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUsIEoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gegAgQAE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmYAAAsU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkUgQUcc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAkgooUQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XAcUQkMw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcAIEoMI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaAEokoo.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "21032406161580857976-1257379889-1084264273-213217404418044079811650649035448523077"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcwwMcoc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoIocQMk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEUQwMYU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoMMMIQw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCAwYssk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaMssAoY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13764820334996796481834660425-411229166-1976612241-2029493773-16078150511464595519"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "851997501-521274587-1575158615260601619253482051796468844361847644691574137"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWMUkcIw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14216612671627748814236961245-8839761141621999135635575379-15504141731501441381"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1976722457-93016413320667235394156067631686448587-2093495712-102360493844113455"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuEAQskc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqUYkIkM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "43318728372768885681127637-1145080359-1977232063222844467-549129425-556814346"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMgwwsUw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1853985341594246081-16941931941459169226-1919337330-672594557-2580589511858209645"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQYYAQEU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-94820546-991657215434272129-16896763772084317775591560719503346116922540458"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hEwQEQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-204397809016630043791241676976-306870927165711392511400493371927675051830681257"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaYgsYcI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-160196386-528894987-406773629-104479367-1497360926-153439130217506200262002336400"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11157516041120883603791664211-4076271081811737580-3806745381788533414-1801856874"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIYYIIQs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "165492721416545944141918581807-1662769109-5607378401064111206-927386997-1720124432"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwkEwUIM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1907706961173416442535196415-1005212680-961648357-102366759712131639771155220668"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-471697515-202572306-1490700964504536381205875519-895850295-209531269-913234754"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkkwMIEs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1183615582261802667-2022381842-15916740731520062166-912010412-1432153721351062022"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMYkcwYE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "90102671-1498181435-425689232-2045688300197641870315729914411356821464-985901787"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiwcAsoY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1285101460427464365984848646-1748459856-2013206795-10440006063849218631598443316"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSoMAAAU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "516387346-995618226-1996429870-557953872144406459-18201587201305846102-1567723565"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\waAAYUMI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmQcsYcU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2028453651-1623585339-17646051228591704371039057722116948260515450164711066408560"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\taUowgwg.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1804423885-1660072880-19232025221238974219-129444768013313434672109653858-21096903"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1915857059-13963025371153063710-2123242323-238442565-1302498177-840808808-1995405268"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1865824402490031125-1059544731764255702-1086348625-1041015457-875093474-777983563"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQcYUMkU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-429424442-5586615798766355831327950679146764148-2010390703-5835273101830940454"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "59279488-1398120623596703176-1123618249147356900988166699059600169-1302454754"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkMcwMkk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1286679543-1797717282-1674844786-850075351-260944887-26183622-9883302952135583599"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkAUscQI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "285642852145008131-529223618425174741825863499-1363957843-634766856-312727844"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20502107271297357521-17092124761402578771-1787961251-141867511715057798511648895836"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp

Files

memory/2208-0-0x0000000000401000-0x0000000000476000-memory.dmp

\Users\Admin\PUsAEsoA\yoUAcYEU.exe

\ProgramData\FeAIowIQ\tUowIQEQ.exe

memory/3036-12-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\QsQMIwgU\ScwYYgIY.exe

C:\Users\Admin\AppData\Local\Temp\xccMwMcE.bat

C:\Users\Admin\AppData\Local\Temp\hWUocwEQ.bat

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Users\Admin\AppData\Local\Temp\dEEEUMUo.bat

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\dUsIUwIY.bat

MD5 2348a90e2cd500f057e8d3afd67a24cf
SHA1 22f0c4c656acda0972f9f7566bb4df827f12cf63
SHA256 bd305f2446c2f760b0077d888567f2e59c74217b285bef4fb2599c7dc28205f3
SHA512 bf4e1dcd641aa96237286c98bf519806ba2bb56aee8a2d2f459c07cbe167d546462e6474effa43974ab53d73acc100f5120100afd1ffa7de887c88af84c1b0d3

C:\Users\Admin\AppData\Local\Temp\paUwQEcY.bat

MD5 71a1226055d0036681406721e93799b7
SHA1 b450f75b78ef3e0c1454f11bf7d1f9b8fe85650c
SHA256 d2840723a51622a9ee2f172a3d37b0565553a0becf1f713cd650cd5940b4dab7
SHA512 3527f48f488078749cd8c6c30165130ae55e89c3ecfe8d32f75b83d18234b675ea663fa945b3d791f77e01e10ecda98921460d4d893c7d61d4382a2f36232757

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\mwQgQogY.bat

MD5 a57ce36bf7eddaa7f1ac01e895f16cc8
SHA1 a67341de65cfd5d48a549fc0ce9d5e62ef3d88c4
SHA256 530859e84cace843d750936e3d486630b24b15dfc61bfe5d8ca60927d11fc977
SHA512 7a07591c3224b2aca46f9899379df6cdcf9c8c0b2fe12404633c2a2c9ef7fda0064ce9997051de534aac31752f20ab51e784539f5d2351d9cc155134ab0471fe

C:\Users\Admin\AppData\Local\Temp\WaMsYIcI.bat

MD5 8afd2ecd9f1ec64069adcf9cf9f5734f
SHA1 329385b4ab9efe2dcf748f0542fc47b26e84c5c4
SHA256 cb90093688cc0bbae90524be52c493b70984922a88800a99384ba59ae97688be
SHA512 3656674d6dc11e53c39826c345e9e6f570dc5b6f5fbac3d8abbd189b704e05ee1bed273b9d9211ebad0c0bee1bca0322f59b41d7202f3bd91a4bb19f60500fa7

memory/2208-137-0x0000000000401000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gaUkcAkU.bat

MD5 4dd9b5844acaa7972f5264dbd33da080
SHA1 06cccb887bd352d3234ebaea028472877b708d2b
SHA256 5eb00f0d27e2f38e59b7d057cad86c0df76f7a81a41f751646532823d3d5dc63
SHA512 44744b3a27edc459e76b1faf7d8a05ff43d48dba5df9294c05da3862b0d071cd28e73f617e9ceedb305f70cdd9ed1b64919f0633089d0357800597204b20a48c

C:\Users\Admin\AppData\Local\Temp\KWEowcQY.bat

MD5 c21555d1d13174635a793f356c583c86
SHA1 5ed03e1c94fa76ae5dfd36b710a4454b801cb546
SHA256 3c2df90c5e583295d4d695249274b7d1e3c36afafe13b52d91a03f787027d65b
SHA512 e53c654c57593078c72e61eb593bc8b395607b6d7aee98c06ad098d93b7c9daeb846b9c5534b86451bf682cc34b5b467fef2751c4933e750119d539eb80fee68

C:\Users\Admin\AppData\Local\Temp\uCwoIAkA.bat

MD5 3f376986d923c6e2bfc5460636299334
SHA1 f44eef7c354a6a6093074b49ea91f79b3b566d9d
SHA256 a3c9a672b5b5babe28eaa81d27a81d2df16217c7819ef67d3173e7fcbab1cad6
SHA512 53d48720c26540c82cea4dd6a612e1d708eff53189f1c833e43a18ffaf40d2e218eb0eb80f457eb81841cc16f211a181f998fde8d160a8133b4cefc542df1f66

C:\Users\Admin\AppData\Local\Temp\XEsMIIko.bat

MD5 194e31b1f2219e8127df44be1e950ee9
SHA1 1c9bd0df1802c77ab894442c4d07d503cabd98c7
SHA256 bb495143ea0d69c47d81d4a2c315690a01cf60494f4efb895490d15b842e5d25
SHA512 96aae10a6c0ac799d000f30a1c8e06bbe4187a579292291d1366189a3bc54e30ec4cb5b43ac9aaec05f08130da4555d3e9a3764121f6a3e08484a0d7c1d053bc

C:\Users\Admin\AppData\Local\Temp\nOEgsYAY.bat

MD5 675eb745691b39cf6d0d5a1bdbbf9617
SHA1 33052db583111628758aaa09a64f8aa045a50bce
SHA256 a0f7020224e28cc9ba35a26ee6e965676f44772b86e205444b2835e11dd78ed0
SHA512 aa63768fc943f366063216699c8bc97a66575575a3edfeb8e9b4767fd6b999670570da8a439ac1530d613d31fa627e1cc85e29e0f45ec5066edae8e354e9c24b

C:\Users\Admin\AppData\Local\Temp\rEEQIEUA.bat

MD5 9d48f3e3bcf686a0bbb7505562a9420f
SHA1 77d44ec4ad6e234c7f358f2ff79bcffdcf7b321f
SHA256 40eafb74ae80564a619ae622de76834ec2ef1681d58a5fa9be80dcf3b685c537
SHA512 8021ec14fa5d89eceda78dce05fdad4c0b87028899b03149f996cc03fb40cc364cc7545629e3f965b948758fc873efafc979ae7407c66d53ce1b1a750a30eb4c

C:\Users\Admin\AppData\Local\Temp\twIkgcQM.bat

MD5 883ddc04dfd0edc9c25c26e2b6be2702
SHA1 2f629ca7e0685e2dfa783cbcc3270e1dd7771db3
SHA256 6f80a8a9701ee0153417d208f7f9d0953e2053c2281b28de3030d07a8a706a51
SHA512 d1ea4e37818661005c2dde8671bdc7188d9b2d49c4b57430270203b901df99f58ff59d1ab028bfce85f9d99495f6f8baaab2a1c90cd68ce6b7c846f5cfec7ff3

C:\Users\Admin\AppData\Local\Temp\rOAowcIk.bat

MD5 44e1cb079b290546e92677ad0e9d7a71
SHA1 dcf27e96d50a099e07a961dd22632793ba814ff2
SHA256 e936999cf7839aebfa0a77057a480fddefde0c2044455bf7fe27f68889cae495
SHA512 96df6ecc2661278508342b20149365af7502bbfe29135143895fc7c196b4c5c6d8dd2387db4b5ff3eab6a2af5dbd84d79265cc5a6b3faae094f0fa033e5078cf

C:\Users\Admin\AppData\Local\Temp\LSAAscIk.bat

MD5 350ed98c96ced183abb84c88708617a3
SHA1 7c7b770f2c943e34877dddaf9d37cfd35aa8ddb7
SHA256 8d824aaffbeec45510f04daef40fc47c01295adfcd4b837406849c60ea5ad291
SHA512 4616693843707adeb613be3cf56a7e47fe7b79839089dd35ba6816897503d16599f382cfe8f70a4acb6886d38a60b007e3ce2d16f117972c5b331945d34819f2

C:\Users\Admin\AppData\Local\Temp\IAgMcwcM.bat

MD5 a8f315de96bf74bae7cb24467d9dce32
SHA1 1e68fbea20ffaae269a71e82fcadf495427cd88b
SHA256 e856c56e75a4d6bc81e8097ed0cf6411cf7ea58d4d41cf3fee5cf6f44afab4d9
SHA512 76ed10077e9df2092e6b7850997be162593539f7191f9808ae4c5abc11e664566e02cb75ec9bd8bd6ba594e9356d3d69707935ee0f3fb2a9d90595c6faeeaa27

C:\Users\Admin\AppData\Local\Temp\aqYYYEMQ.bat

MD5 aae08e6e5ba3e1b6f19c3063a85cbd33
SHA1 e53725480fa13d373ae79db293bbab860fd67b57
SHA256 162660c6e7c3770668dbd9d8366aff4af469c88c341555f45f84e3e19ddb84bd
SHA512 7c23adb056fec25770170e9a7c3ac84a21b128e797680d5c952579d97fddbb3a1fe996f568e3f4b0a9734dee04adabe0fc37f2d94351ba74b2a3fc235a9577b3

C:\Users\Admin\AppData\Local\Temp\mwQQswQw.bat

MD5 5c0d7a0d7f70977583dea6826d2b1c6d
SHA1 19043a14acd427117c547bdbf405202d8e3d2f9d
SHA256 94ff9b560551374a3feea2b28882d510d38cdf9dd0b3e21aeed176d11a836c58
SHA512 520b61d0a0ff3a43c051050a083373b53b4d451b970c0ec86fa154d99589e85d74d2e327af988bdbe75ffd1f42380f22d9515a4bd85054afc63d571a53fa9eaf

C:\Users\Admin\AppData\Local\Temp\cCcgQggw.bat

MD5 15c06a70525a73a6e90d6cd57ee901d1
SHA1 634d87b7d8bacda181f0c7216707633050cbb7f9
SHA256 c7965ef5c032af2e2d7fbde7cff6286cad65fcf27f0fd4eae3bfd41fefb0efe8
SHA512 b808ea04343f5933449a23a9dad8ca12b969f97e2d3642f78aaa7d527821822e52258c381b4d75b6ce16f0137de92dc38e45bdca13d0b8b11abac3803b4221fd

C:\Users\Admin\AppData\Local\Temp\yswYYEsA.bat

MD5 9886f596d088a375d4039c5499219daf
SHA1 68ec8f7d7f7c908a43ffe18a36c17cdf5a546593
SHA256 d5a614ea95bfc3438f3348f82d843fea9249d1cf98270266abcd26bb46dbeb84
SHA512 8e79cef9456c14247051d9e17c62deef9ef6bbebea974847411ae6f0b645ac7c296399bd35b2fa3a9a7ca52de46796d78fb445ab675165f4148503b619104950

C:\Users\Admin\AppData\Local\Temp\IKgIQUYM.bat

MD5 ffbed261ab107d19520f11648a9aae10
SHA1 fd1f656cb205b0c8bc89744f8256f0f443b2ba3a
SHA256 aeeab8bd19938867989ba9a8a83c7519d693e905bda20dd171062d3ca6aba6ae
SHA512 bfce67ba1d8810c13e2ad5c65f908772b185e299eaa11cc719367b4fd7bdfca6277ab5423904bcf1a341218b4d044b6d3b3d12740b22420532caa08864553f9e

C:\Users\Admin\AppData\Local\Temp\kkcgEMsk.bat

MD5 38f5a80ba59a70d25f769b42f489d997
SHA1 a2c44e2b2032b84de66c2842d6a83aaf831dae61
SHA256 f42c2106a68a494f976c5304a33cd061c71678bfe59c4bff73120d06f569fd42
SHA512 8c2bc6200bf6f1a2b1ac13751d3d2ab34b533d3896c71b58eda5bda8d8337bee5e4a337b3834c03987378e167c8081c34f2cae294e450b79e7c926f973d0d303

C:\Users\Admin\AppData\Local\Temp\PUkckIMs.bat

MD5 757de97f3cadc8ba0ce0c42882f09beb
SHA1 416f0606caf3209da9c9415ddeba1476c6e5062b
SHA256 8de6088abb970c34efe4aabb842610b707caa9c7ef4ac2fb89ccedb780973441
SHA512 62e0808ce4f693fda14070298711ae39e81ac40f83e8efd30e6e1509b1045ceed4359db04034a866396582c9425dcbdbb2ec664fba6ee7e5e3ff70364e1e8bda

C:\Users\Admin\AppData\Local\Temp\PKsQwEQM.bat

MD5 145a8df901ca0b3d70fc49125abd0eaf
SHA1 189e5fbffac533e39a57e8b04a094b9ff7b01d5d
SHA256 e412d1e4de6c83606b24147c588a9979a2dff4e1df799804a802c0fec4b5a4ca
SHA512 38dd4cae7e6c4548e6e7ac97dfb067f39b018e4867dfdb7fc046d73cd74144eb095ff75defb9047e0b1833db368e838695b226914514af16ff8e54dd6fffc69e

C:\Users\Admin\AppData\Local\Temp\zgccssoQ.bat

MD5 b0834d0e26c60d6a46d3fbaa13808159
SHA1 91af2d7a3613fde9ccc541d0fa246d90b56e0e20
SHA256 9d23451727fd41dd799dd5ec888fe9424d83bddf76fda1284e35a5d7c50c5ae0
SHA512 6c6e313e94f76b0513ebd13c020bb9acac5a2d77cb8fc18bf57f3ff61c760c52ada7e233789e09e4a2625226b8d481bca4f1f5392b6028290066552a172196a6

C:\Users\Admin\AppData\Local\Temp\DmoAkkwI.bat

MD5 87e139414f43fa1b0c67d11292e2ff7b
SHA1 8f5d3d9935d97fc905b7092fe34771ccbaf89562
SHA256 18abc8b32771c3f079e5c8fa767549178b77d0b5fe2de6210e3c393f1b0934e2
SHA512 00d55f7d054f6e7ebed475374252930ca95688e8e5742000f529296218cafef00237aeeffe5134a11e7e4b79958220078066da22e3abf3a04b58215d0fcdac58

C:\Users\Admin\AppData\Local\Temp\jyEIEMss.bat

MD5 39653a93f0d038c15ecee5b1105884be
SHA1 5d25c7145b9fd2d573e1e9e4c239a36fed99335d
SHA256 528b7802d99c23a8920fe56b3e1a52fb9cc807d780cd77e289ca8362df901d45
SHA512 c8b47d86511d964e9116af6adeda784cd9e8b9b7cd368acb7bd5e91a5ac78dfe2cb9836f16f8f072bed0e42d2c8bd67644c2aff2289ed9a8365b47dfe0d26e95

C:\Users\Admin\AppData\Local\Temp\FKocQwEI.bat

MD5 7182d2c5d1c5979e355ce68ca5bd48b6
SHA1 3171f2457fb562bb2f4612df3e56af3b4f65e1a6
SHA256 ffd212fd0eb9e8b7836320917647524bc90f06203ebfa2800d08f1b1b236d1ba
SHA512 97341c657584b13eb36a3f5a2069710615188f2ffd21daa3e0600edd6a03b0293fa40bf96e558829eff72fda94d43aeeaddee5012b670c4974222dbbe087700e

C:\Users\Admin\AppData\Local\Temp\PGcsUAkI.bat

MD5 e1dbd5307477f37f18c9e726c5fa0aeb
SHA1 bf6a8ea78e67a4461d29f9feeee021c87e9da416
SHA256 9c745362d43e18fac43f8b6e430538eef645e6a04371f56e3fe619271a605f2e
SHA512 988eec507723ae9adbda63fca8b397603829a57edbcfab3a97ee7c4873c55ce056e4ad912245e0a626b992bf7e923d58ddd078f6adbb543d79e136df75a65daa

C:\Users\Admin\AppData\Local\Temp\YMMq.exe

MD5 f6d8bb14dcbf33186c61c3ad7e455ab9
SHA1 03b3986776c4bcd9f3d49c3d2a8d552b92a1adf2
SHA256 f05caa2ae8dcaa5a924634503acab0e2797cd17e5dce269b7ed44e5d9341ee6e
SHA512 b9c88033b97474df3bc04ef041a700749737184105ea8b37d60e4aef1bd6cdc8a59e8de5f4611235c570d31d3110a791bbb07f4c364077f0cca6c2a1a4e33f19

C:\Users\Admin\AppData\Local\Temp\SEUoUkkY.bat

MD5 8f269dd4e3a31a60f263808cfbdc1667
SHA1 f562dc32a485d7faa82ccb940fe6b8c53df6519a
SHA256 e387b49867223efc9b690bdcacb30db7959f36bf65f3a6d74d19919d73c371d0
SHA512 c4e15b37f525c3aab2dff608c25d9eaef36a9ab24724632c4bf372b4a569a48b2b71cecccc75a81a29569ec93ee44a02d3e9418fbaed588dcea6e38aa3c1feab

memory/3036-604-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AcAg.exe

MD5 f286bb59bff8233eb8fe9ad72386d6a9
SHA1 e47c898110bbb6969ad6673ff7a086f2b353c1a4
SHA256 0ebd3a5fe32450e079a8bc20e30a015147f01b4f7c6f2bc165ca37767910f25c
SHA512 fcc2d10a888c1b737323529074b1feda30fe5fe06d92655e8092754f8925ec2be227a9bf6baab299e0d71264b1df19f6a0bbfd56a8bd98af5e5df64fa3682f51

C:\Users\Admin\AppData\Local\Temp\QYEgckIE.bat

MD5 4515559c2decf03ed7af9dc5ef9366c5
SHA1 690b13567c7246766215e2bcb3a67c6f6b2d87c2
SHA256 e2f9659a41fe8b34f07b3924b56cb238c89d050bd072a5d5e6aff2e0da11820a
SHA512 c2d955ac8cc807bcace85577b927e0d3bd69b322a0984529956a1abd31f9796cfee70a3e03339fb477edb0f7337964810822d9cd077d6571f38306bb4eb16369

C:\Users\Admin\AppData\Local\Temp\EMIYMswU.bat

MD5 2f6b31efded6b6ce692288cc18f30c81
SHA1 915f961a4c89fe2801439f727861584f3f194b81
SHA256 08d203c22fe334697eaa68fdcfb2bdc40b20924702d93415a2024bc20626a472
SHA512 37c54d690daaa682839a28b59c8b8345544e4a5e5e958ed121dc1421466bbfdbaffac0c91fe0ba296a80c3552dce7a1d6dd8b4f10cec09fbff91ac042a079c75

C:\Users\Admin\AppData\Local\Temp\qIMY.exe

MD5 a7266d706720a9fedac987000e15ced7
SHA1 79f0ffe9d8e024b6868f57af4ed3da4943a9a451
SHA256 996ca4aff686c09f4f41890bbc8e703d9890ad2c8913910243041fd8a7d77a59
SHA512 aeca77ec15163d859b711a5578ce39c1372aed3006096090b25281ef898667335d51a10780271b295c21cbe50c64a1588386eeec875e2ec711709f6b13f5f228

C:\Users\Admin\AppData\Local\Temp\yYMs.exe

MD5 a4e257fc18c911be47918a8e4ed8ec4d
SHA1 23f0ff267b6ad519209866c545c9f543500d7b5a
SHA256 692176daf76e2666720f42f97aa05b61af96dd115547cc9a22122d5f0ad9c750
SHA512 dc7893ca6abb4b2c763ecf6c45b78d401a27fc9d31d44e58dfa3224c28a2d93f8b11924d7178f7b1dd7bb2c1934e59ad6eb4fd51da10513cec7e504595323c90

C:\Users\Admin\AppData\Local\Temp\wWAwwgwY.bat

MD5 dfc6989f97e05c2aac8e7a175d1ecb1d
SHA1 fc19f38571bcca08d39d409a282ff0ce69befcfc
SHA256 c1522e03e609ff7da1c86dcfbafaa2e6f0432b23dd30bc96be47b5c9506f7f4d
SHA512 2756433eb1d65e799014dcc2006ecca74cc82840da650aa3009f7cf891e3d3f7bf1024df23c68e1868653a72c048fb4ce283b2467b7a8ff5a1bc05993e5179b4

C:\Users\Admin\AppData\Local\Temp\McsE.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\SQwI.exe

MD5 f38e87e5399c3b73d79d263439b4766b
SHA1 e8fa61662800970edfad245fef36cf86728ecc30
SHA256 717ba543d4046fe605bb2228d5e5ff9d4aecfb82c43e4a56dd6007ee1675c17f
SHA512 efcd87818344a9303e547c625fa542e26434c9a4104b3b95cddaf6f6d0e2e27e2d5560dac29566659bfd5ec2b4559c106e35202d7e51e15e032fbd4b843152de

C:\Users\Admin\AppData\Local\Temp\mMQI.exe

MD5 ed5cd9c7f91654b7770eb3f99a406b87
SHA1 f41935a924bee1ad902575dd5f9e78a3b4ffd4f3
SHA256 ba620326e2a99a139b92b54d4c8f66e89f483efb3ab3ab295885313ad246871f
SHA512 6ed8cd899c1c35a1d9ae2e671db08beed4d38129c5dd82d8685c736c8f5080df6967ffd1a565bcf209eb05e7d55b5dba04127177bff095830e915e726c397aa5

C:\Users\Admin\AppData\Local\Temp\IgYe.exe

MD5 d72d0ddac8ceade6a6e65d1fe6d33ae4
SHA1 8f61060ca69be3c5702f12d32de5747bf4f42852
SHA256 eda5d034aa44b9702f68c5eab03250867194a870cf55581041e752ec35f000a4
SHA512 d7285b55af46d40eafe68007a59fab3eb1a985f0cdff5a84640203af52c9626f4ff56318e3c3703d52ec21fbeb43f26d35ff22b75cd57ea68bdb244393d9bea9

C:\Users\Admin\AppData\Local\Temp\KqUIgokM.bat

MD5 f323cd23777af82cb648bec80b4f3b2a
SHA1 eede2e1b01f493ca90051621de82046d7b5847e1
SHA256 ba3d1bc2b2d5ce3e3d2360935e0eb017994836c945c3eb370ee1c46b5088c9ce
SHA512 7ad6d9ad6476a4894ca4cc5875219ef27723e1d70c248e836231a8deb7d287cc5595b26d593c2f82a0b5650d87e70e49fce7d8f2b531616551b93666caccaa50

C:\Users\Admin\AppData\Local\Temp\GgUm.exe

MD5 d4a7688227e2f684760c016cd989b3e5
SHA1 27743c4421f3d854dcb3e34734dbe1bfcc0e26a3
SHA256 a681532acf75886b4c8d95c78ae4e958759f50c1b92217df05be149a0944c5e3
SHA512 9cc36de9d92aaaed830c4b468de389c4e8798aedfff55e821d144deaef14c613dfaa788802af4238cf2faf50e4bc712a41db9bb433a76cb26f418ef3a4b2c8af

C:\Users\Admin\AppData\Local\Temp\kyEYskMY.bat

MD5 4ec9b32583b662afd9e446337b283ad9
SHA1 76bc26713710f4dc2de9c592d0c7e72f158de50f
SHA256 21f09e9f0109153c28ad52dd298dd68728ca66c36f25fda043a27a0958568ddd
SHA512 c1eb6b2a42f6bfaf791a76f7cee704ae2d7bddfa3a61b60d45e41a9fd69c69ce6dae3074cc5898fb89f404a19b0c8ea9cccd70f47f4f97c668810e634e37d375

C:\Users\Admin\AppData\Local\Temp\qswK.exe

MD5 0010954c02285addb1f269a83f00a459
SHA1 7c3acf3bf51a4f64e98c83589765f27972a3c9c5
SHA256 cd2c99b91ef1b9f63a41743710c604894a22d46ee00168bc2cce07b1406be144
SHA512 5e246ad09ba331503535f8f4117a6ea2e82bd815ce8b2c94267c4604ef43d9cf5cb1c062f0ea020fbc304befc502342a9040d4ea386a2e0c6a0a68fb11ec3856

C:\Users\Admin\AppData\Local\Temp\KIws.exe

MD5 3ec33ff2f18993363047fc301c0aab57
SHA1 961267ec9d0f4735f15c24fba5ddf756e9f98a46
SHA256 9532a97d0d28e235c83db74700c618bef66a9e789e68bdb09ebc63e36fde3789
SHA512 0bc12dabd182e1592ddec55810188ca2cc6573758e88179bd0707c7a0ebc688cdcf40958f85b1a746674618b359f494453d9e5289ceceb8a08ad6cf918e8cbf1

C:\Users\Admin\AppData\Local\Temp\fYksgIAQ.bat

MD5 c3e585a2216767262393184bf1337ab2
SHA1 2085f2932ce5f10de5fc77cfa9180936bec31142
SHA256 a8f9130f54721dab1d970b29b96da26ff4f0771ed5d055094955ae7327d89d4a
SHA512 9d8ab065aac7c593aa9f190f0936aece13b322a63603e8a17652ea1b6be83a735f9361fd9ff1077ec3c6bdecc2de3736d3c4b9df7f2a3c02aaf504de2bf3cf82

C:\Users\Admin\AppData\Local\Temp\ksgK.exe

MD5 bdad72b00a1f1c7fd5f21145156a49a9
SHA1 3fa024d2c7bf295fb9349319f07c1b126ef2ee80
SHA256 b070d4f8234529859963890c3aa22d287182e8f59b7858089c90d16528130129
SHA512 e1367a59ca1ea4da8789664ce6f96c8a2083348062a9a19cc06b8a5adb215b377af4680f56fd76e3432719a87727499e22ae08e6592bf820dbcd6d66d960660a

C:\Users\Admin\AppData\Local\Temp\uYMc.exe

MD5 972de4497fb46f12b2679254b214941c
SHA1 d16e09783e9cda82353e95457b76ab403ce50b5b
SHA256 29f34b3451ebe938f440257cf32bb5fd1b91449fa0005615f3664f57386edc72
SHA512 8daa2e57afa29c68aa01103f7a7c4649208eacf243a7fdc27935de58db948d71e3bb95a195b5b093f93a06231e75ab5dbc5474ea5d4fc1425925f19c92ff81a6

C:\Users\Admin\AppData\Local\Temp\JIYoMIkc.bat

MD5 77b0fe578f7eb668fcd0ade64001a210
SHA1 7280010f348a374d03b94335f989e2c6a4f4af7f
SHA256 1b731ac4cab08479c444a70bd47f86a7ca14c98626b72cfc675ce7869e4951e7
SHA512 baa5782768d8986c60d7bc6e944b5d47951fea242afe32d4d86d5ab9e4bef5259a5ea68497edf0e0568f235bf043af67e4ee027119d556b43f2fe7cb423b11bf

C:\Users\Admin\AppData\Local\Temp\WwAU.exe

MD5 5a951ae75391508184aff77a140a679d
SHA1 57a4d4d2bafe06976abf409e63d7177dcfacbc4e
SHA256 8e0e0df074bf204b98b25a7048dfc1a0876a19507e9905c34b9a0622e264465e
SHA512 e7d6fcfe86994d5578f120de04349b57bfedb40d4314cf5ba1e94d0c1f60074f956caaf084d6760923e0def44b30ad84b874ca4d042dbb739ec38808919936b7

C:\Users\Admin\AppData\Local\Temp\IQwO.exe

MD5 e4db974209c2f911ba489416fbff4859
SHA1 4dc46c1c3f8d59edc3b9373d574d6e4380bbae31
SHA256 ed3fc4693395d8c45268a8177d306baade0de315ae43a38288e34d24824553b6
SHA512 963041442da5acd7c839880557901a8ea07e5e46aa49583d86936379c8ab5718efafbbb8e1b03bdef7f22c3914a2e62a269473b26df3fdd26536de552b0e94f4

C:\Users\Admin\AppData\Local\Temp\uUYU.exe

MD5 545ae03dfbde5caf4c8e728843ad8434
SHA1 25751b975a354d8800d0c1e78d16c8b55afb3258
SHA256 a7b050a68bdb9b17b4ea2cc5650245d6fcd6325a42fe244a02b6cfd37fc393a1
SHA512 df62057f2b83b68a6758b12eaf69f94733ac63174365552c68a0c95bc1bce62e9f282475c9ef05a78a16faf403a73e24e4393e8fa52647f7a91ae51f85e48341

C:\Users\Admin\AppData\Local\Temp\rMIAoEIk.bat

MD5 ef9f447eba7b6af53aa17143bc993d4c
SHA1 d458dbd8cf025a90242886e974a616e417f8af88
SHA256 fb27a3f9c40e4372fa71f579c62402920af3021dd6a440dce0cf6713088a6d6d
SHA512 836e40f1839d49c915c95b73144171ffe7f594b5f90f0a775386f441af13a0bf126464ae775ec9404400dbb8365bd8bd3dea83f546c3e3607037beb79d3f944e

C:\Users\Admin\AppData\Local\Temp\cwUY.exe

MD5 660688cfe8554dc2494509b72bd41056
SHA1 8929f049539f6b6e75076af08482fd9ac830aaf2
SHA256 5eda5f481728ee48b7defe021d20bb740933d719123f380f2babaf3a8bdbeba7
SHA512 844dd3e8c92186f40100c92c7072f3fe7d51de55df796f6ef3856932465dbee4b554174173fdffc850a75c92eb1a122567aa268cd59e138f7608ed46b80ab0bf

C:\Users\Admin\AppData\Local\Temp\uIUe.exe

MD5 78bb8d57d40bf4f322d34c77e253a1fc
SHA1 888a45103a8e4908dae8d7f3c2907164f0102e21
SHA256 54bad5d8f90b15ee53ac3032a339d46e3c09ec407e21a14e51fc84d45e92497f
SHA512 4573318556c3b9ea46ae40c345bc07df5ffcfbea245fe91c6322be9010352445482106e19665c2b7c506f82bf20e20c5eb936005c695689196cb15188cb4d811

C:\Users\Admin\AppData\Local\Temp\OEoY.exe

MD5 cfed248054fdf48373855bd925b5049b
SHA1 714cb9c84a312bea1c1ddfc6a8b7dc9ded3786ee
SHA256 fe9e86e86c51673fb3204336ce63a2717a5cea6135adc282ffc4dc58ae3a7032
SHA512 7cebcc2de659a35d8374e26487bb6c409589dee6b2996ccf86a0f32f138fb91591375364a33fd858f4c02abf695f8f2dac9a173ba65c7985b4602b10e9098a85

C:\Users\Admin\AppData\Local\Temp\PIUIkAEw.bat

MD5 a2f425e82a0bd996568cc67eb9b9c30e
SHA1 936724822efa33c694c2ffc4284c70daedaeacc0
SHA256 80778f4ac41f4846081981551f77c25d3740300cd8b7503953fdce2eec3376c6
SHA512 c16a743c095bd686c12f15142b7604cd33b664acd3cde09f5ed7b711e780b8cb3e7e2a79575cacbd68e107b1ad5b9db06dca6791f981b36f357cda6d299a8323

C:\Users\Admin\AppData\Local\Temp\eocM.exe

MD5 57bf2bf2a15f5d89f68a279d2ce1b43c
SHA1 5009ca6b6b1df443367fa23bea941901e538ff3b
SHA256 73666ef88b276ed94c27c981c9c026d324ed340b00df3db7602f621c1b99425e
SHA512 02af5b7edd6bd25458873bd770e93f33fcc2c9fb04c45e49d4f064390b0e5d5f03f64e886ec8579ee80ca6a188db0681627adf52457dc6661c65e61484453060

C:\Users\Admin\AppData\Local\Temp\uMMy.exe

MD5 1318c7d57e2732ada86f80f2f13a028f
SHA1 f72dfa3d3d451c937290b9a9a1825230ab7f507e
SHA256 f23fecd3dd4205b4319171ecb119caa254bd59a8d1d40e05dfd0a523c9a58dc8
SHA512 64f4640d987114716f5c1fa6c9b98680ba001c87a30b6413b7e3c6731d7dc0b60e8e55f6079d474b519da8dd3fb44bb144d228bf6aca7eb695f37ec18bb59f6a

C:\Users\Admin\AppData\Local\Temp\ygwe.exe

MD5 a25e26ebf1af708268403f5c8f5567f8
SHA1 c31877bb803c8a6772ca5a2ae2a600a95309f2e8
SHA256 da6977daa1a40fea3f36b42f541673f29ec0d6e98c4a857cb89b31deffb56730
SHA512 df43763ea8363129c5b7b8eedcf8beaae4707f886060202c8c24747867cf75a415353c701ed5342e57f79addb1a25eb3433d619f6ef328eecad855f756f25884

C:\Users\Admin\AppData\Local\Temp\IgYE.exe

MD5 29c8e6853e83c92984e505c9d89c26c2
SHA1 4d2c3545fe20ce0939012d34f8f4c72520e97ec5
SHA256 71e7585322178fcefa469eeee27c85013604da44cfb0f6e5c59b452fbe4ad93e
SHA512 d538efa348b6895e1556d738b15f29ef324c01275c7c2bf29028b7d77ee62c5196ca17ce306607948cccbbab38275ad09976c549c510d54f3b24f44f91822eb0

C:\Users\Admin\AppData\Local\Temp\egUu.exe

MD5 5ed47bb7f5ebbd3ff2255f19ee0f9ca9
SHA1 716ffddbae45497796fc66c2fea1edcf7657b285
SHA256 05f4259322dcfb127756762a2dafe9b04942ab601a0189f77e8d17fb13032dfe
SHA512 b97e1314db1dd3cbb7f155522f35fc4082b957fb97897d598b64328f046058491b0b950c6f3cd2f69f2bab2939f995846a1185c2a8e2eb982458575edbf9f562

C:\Users\Admin\AppData\Local\Temp\oQsa.exe

MD5 84c70229366a045a84371887911250be
SHA1 adf5151f817eaea56056f646975f3ef885205335
SHA256 f48591da9a4ce883c1833fc23904a6387bd79bd78ad1efa638a4c4dee41aa937
SHA512 ca0cab94dccf26908471fabb6adc6f13f9ad9624bf50c21d5bab63f97ca9e1f44b7d38f0f3900e484bc6e8d552304b75efa6e88d24c9e499ba10bd2deb5feb2b

C:\Users\Admin\AppData\Local\Temp\wcIk.exe

MD5 a594980d0eb2c19fa7747026a3e350fd
SHA1 96ab3cca7e3ba77a5a323c8cee6561e584b3c5f3
SHA256 db6ed6ba5086501d30191f0acef992f1a2b989307862417f306af570c4e2b398
SHA512 16b4d4da344ecdcf766e452af4c773f11718044bc023a1bd3b0f7070765cef93541cb01415179f8784faee00a8f6e3f2a7bdd751350fde791ff98b5a0b8db549

C:\Users\Admin\AppData\Local\Temp\kIwM.exe

MD5 8aaf252d42cba997d5ed6fff1cf85540
SHA1 656020c1b75f5c06fa788c131f60f2f320f55eab
SHA256 f1d12d7e7665da6e44a71cd12a85b8a8c6320eb66f6c1928687ef120095eb2c1
SHA512 bc18e56a35b4bf59395074ea561af6310c80a1d089d0c668316abe5130213d0f0afbaa5f78bbb48ac59c1eafa2850b8a83afacfd0fb9330b4ca8050868ff2e03

C:\Users\Admin\AppData\Local\Temp\IQYC.exe

MD5 71215d0ee12aa5e8b206c325e736081a
SHA1 ee6b38a9fe025c54f091d9e03f46c6b882dcdf48
SHA256 ca82f529634c5cf722b4e0f338fe27c789dda00341a7916c7f4cfdd98192dd9f
SHA512 f5cfce3577ea15e660c0eca5c3ac7d9e83ad17e7618400261476dec6c4e95d136e1fb1378bfbc84e8fdde710b58f68f3b02163c315cceab42d13ebd99d1efabe

C:\Users\Admin\AppData\Local\Temp\igQI.exe

MD5 f46b1975071b9d8dcfc8d9423b99955d
SHA1 17e07e8970dfbcdf9fe7d41d721fbb4c59cf719e
SHA256 ca82fa9d32428802dbec4c1296abec643861afbc2528e7428529e5c9c9e48d90
SHA512 fa6502511ad4f973e6b563586db7531ec9d9352fd895af3c8f4ab4a6783a5cf9597a4d969c323239b9ba1833c742dac9be4a6c6af7dac251feae4f3df1de0097

C:\Users\Admin\AppData\Local\Temp\msss.exe

MD5 30a14059e54c5cbde2cbdd63ac261d08
SHA1 e7133e99b15edef51cf7f27ce8fc76bc949eda1f
SHA256 dd9777221480e062c041e33e947adaac763bead9a6db3670b6103aaf99fb75f6
SHA512 5696100dd25aa4f3fa956a311ed90ff35e7d91c2cdca091fe9e2a8166c53412eb3312d4610284f4c66a363a31102786e54616fa6109143bb164d8b540189c3f2

C:\Users\Admin\AppData\Local\Temp\AEYo.exe

MD5 cd25c3036274c5bba8f243a1f77be18f
SHA1 ded46a7144834eccbcf853befa0a2177e7513689
SHA256 2a50215e49c6310d6722e9480088a0e13c491199da4fcfa21d55697d2f60e14d
SHA512 a32bcf1692b660a34e59323d9b0df08455b600186216d488f65973bc2362a03ab77e939b5ccf36cabf1a97efe4e7684f92c0f6b307bf417404fec22df1c672b1

C:\Users\Admin\AppData\Local\Temp\KgUg.exe

MD5 0ee9d4fb40ea6bada635e6ef6a1686d4
SHA1 ce5cb399e649701e6c919a8fc45aad6c45d24ff2
SHA256 13515a82649627c302a0a91f4df1e85584781a955ba94e38d5123fcce01e7446
SHA512 a45c2a60219e3723f953f259c6d3c4a7f146e2341c268a41689b4f6c93c7c6f6edcbff9b2465122577ac3520d1c661a95c4b0b5b2a1b1999e969bb6986b2228a

C:\Users\Admin\AppData\Local\Temp\ookA.exe

MD5 b0abe3d4223994766581ea09b2e5b7b3
SHA1 0d2956c211fa7ce372b6518972f6766218dea159
SHA256 28bb1c8b52c9f1b2d472eeeace0e2f452c877f865ad243dc6886b7c800ec2863
SHA512 1b1e33f0ac5feae4fd8d4aa792e6a844ce3e4ed8a7411ccf637ed92c159bf62c7c768fb7207e4103846a85ae9954fa4cf1790033f2555dc830faaeef7b9545ee

C:\Users\Admin\AppData\Local\Temp\SAUe.exe

MD5 4aa595728960147df608e746e8ad08ab
SHA1 83a2b2a2e0a6f41a8cd6b69c58454c6c7cb8e4f6
SHA256 1526f5c08f1fe1e0e94883bba167c412697327436936498dffc32cf70118ea9f
SHA512 4e29049c75b16e210961a473b59c11b22e2db8c9fd22bd89253d9f11eab939be0d89d33fa43a079645726d501453834d76a71a2e95997f886a1ac106319c4708

C:\Users\Admin\AppData\Local\Temp\cYoW.exe

MD5 dc2adb0ce6eea6246f1125774ab7ee6d
SHA1 05c58f00bb9cac7f05d7c1e0a792e852fab1243c
SHA256 4103fe1ecc710ebbd0190e2172cd4dbc57036d784e03884a145427867bb4b9cd
SHA512 1766853ea0d4f00276aa9c65bb3c585b53b40913814c92093d3b7755f2293c5e290156eb47be4de14538b18491cf6cb1573b955bf813054b0e75296679258b90

C:\Users\Admin\AppData\Local\Temp\EwEq.exe

MD5 ebddd2d7084f54dbbc7e063b27e7faff
SHA1 edd4919ebe3ced4c7d0dada81fdb7061e44e8ba0
SHA256 6e79ef8648f06a823084201a61706d320484deb6b6e9438d615b10b0be07e6fc
SHA512 453458e8de39dbf19b6fd59fc6c7e8f9725b18d1caba23e75422c6a3d372b2324df55be603a6214ef9280b5a25dd22e163593bc1de588ae33b9427e611044699

C:\Users\Admin\AppData\Local\Temp\yUcS.exe

MD5 3512c66be6f53e68f847073751c1cb45
SHA1 360d786616b14af6a721a7a3da91ae740f193048
SHA256 fb6463a231580b1b9afadc391a0d1a865b05d97c881b1e37dd99abcac669d555
SHA512 9d7e2becae1ad8e3aadc2df3aef690e34277c11c2069ac4483b17d5772907c09cb020d472bfbcd672b6e6b99cc91357b7d8408f51947b5955274a06986e6fd73

C:\Users\Admin\AppData\Local\Temp\cwwu.exe

MD5 fda2f5bd5bf62047bfe0f6becb656a9f
SHA1 299f3497b8ee7c275072db853085892246fbc73a
SHA256 efbca0099d18bacfa1bae5e8ed6a3e358ff6295e96c8a77615de4f200d8c22d8
SHA512 6b03254129d8d16dd46a9acfb57d97e2c42bc3e8e51cc218197e73835f3328da05e62c8f41494b5860c4127bf37ce0d2a2719cdc3bc3812d2dcd8e49a085e507

C:\Users\Admin\AppData\Local\Temp\kUIu.exe

MD5 df8d3de5d8e061ecc83283a39bf559aa
SHA1 d08a2de921913cb1ca54251ffc94b9a8cc9b4dff
SHA256 b9e68a5285b9b5620c6fe12d0afe749b783ef44abbb11d426c8f6000c6f4ee6f
SHA512 db548f8c6e08a410d998d6ec2fff248a3902180f2c2d95b1876ebc4e71fbe4b40bce6e49f84c9197bb59df060c1923fcc7e57683f9b8c94abf5a8d8d53aedb7d

C:\Users\Admin\AppData\Local\Temp\YQIq.exe

MD5 1aa03ae56e98ba093ac943f0bd6d3e11
SHA1 95238a834f4e91dee188a9344426a2f240919bdb
SHA256 b56bc53891409f47dccc3da6573b79ef714557637b72fb3c666b29b7e7bab2a8
SHA512 d1c0d4248a9a903904cfbb17bbcb6a9e2051d99eaa28032de0c3c8897b8c10cac4dcfff740b4188c0fa0e87c51a185176d18c137cb500ebb6527f44e507ce805

C:\Users\Admin\AppData\Local\Temp\ecAm.exe

MD5 fe57fbedb1c719fdaff93ca579bdeca9
SHA1 0eb54b118399ddf8ca2921733632f0762cbffbee
SHA256 ab4863465e855c7bb771e6c19ba4ca1f6aabefa322ba21a208e5607e06a98852
SHA512 f52fa3c6b0ebaf8467db8346f16dcf86331035e1f4c3ac5fa22694f2a6bad70e3e78bd3b096f9505c88c90453b7c3ab8102685cfbeda61c3e9c3954cf040a099

C:\Users\Admin\AppData\Local\Temp\qYUG.exe

MD5 2a015a4455181ea9a3f9990115a318e0
SHA1 b42e3f9fba048e3345a518f3f17af194fbcc0ea3
SHA256 d51f3f9b48917a0a53aad68a882f7d07de931f11b2a00f9073e4ce3db74e1bd0
SHA512 d346a210aeb5d54f1e4127b3d81ada947c473b1f964972e9846dc9a1f02bda8dde2299d6b4ee94ba66b82075ffc05e271c9c597685d835e5d5c1b999f62995e7

C:\Users\Admin\AppData\Local\Temp\ooAE.exe

MD5 5c233f9cc2567f0ba40896a8acacd485
SHA1 5aee788c8bdbbc8d86b024d1d52c26627508e528
SHA256 a9714ee1ae3601b2f4b0caed5c59286427ec0988cd75ed5cd3a2994679de61fc
SHA512 5dfa7efc1ef58d14039e38b5d026d0e08e47bf7a9027177faa531d49dd82c7989bcc5c786a7f157d1343bcb895d6eeb7b33e97720839771ac767beb83a390b35

C:\Users\Admin\AppData\Local\Temp\YAUa.exe

MD5 aadc05d2c2ce762d0596e2df78398273
SHA1 cf9a86447da5691bd920473764170385596d1781
SHA256 baa971486a8df5d086b0fbe67d82ffa80636fe300284de53511999e3b3f978ef
SHA512 7eb5aa86a0ce68e6b2d7d2b6344293dc16323aeca0b2a0b786642aff673daa0e7aff8cb1a2debbf2b4a8f3f12ec9e4cd6452c418e06281fa33c1539c0131031c

C:\Users\Admin\AppData\Local\Temp\YUEu.exe

MD5 d7713617ce9dd2f12565b28b96211087
SHA1 9cbcb6b1689cb0860bee0e8ad1ead92de73a3cd7
SHA256 2c1997c194b60dc4778d6553935b52201a4e7e068a36b0be8f761576b6bc6a88
SHA512 6ecabe3bd165bcf7012fcf8224e736318f52ba8ddc9b4c68347532959bd5285268359be4d4ec72998fb34cde56650ddb3babdeb62c90cd607485ef8efead7b84

C:\Users\Admin\AppData\Local\Temp\uEki.exe

MD5 8f75bc7c9d229e51b6365fb040678690
SHA1 124dfa60dca83ff766d63a20077ccd7ec4f8d0a0
SHA256 b3fe1192d4bd4825b69059d8029876ee64acf2d5d3b8eafb86e12d0cb7318e1f
SHA512 36ef6ed8d1bd016697b8b288ea2de1a3e867fc099e3c8961f9cbf20a1899b670db82ea48c4e9ce96212fef5859110659658d4eb0deb2da6f5cf2302130fda057

C:\Users\Admin\AppData\Local\Temp\OAYy.exe

MD5 bc7227fd1618ecb3ffb37c7d0f5e4f59
SHA1 98b9913feb74e429887093da35713e543ee2de43
SHA256 f7ff968a40d3e543062506630e701f71ed5ad698f42bc18f00aa7acd9f0e6a07
SHA512 83da81f4534056c50926575c281b0ffd9c212125259e168561372c62a74377248921936f3264013dccdf0f402ddbfc9f482429584be05b6d4c47efd5da1538f8

C:\Users\Admin\AppData\Local\Temp\KkUG.exe

MD5 cbfe3fadf51a22beb6a54ce3aa98c366
SHA1 1ef8753b303515e8a1c7ec3eb507ba3f34c7a9ac
SHA256 c9dea19d563006366d946824f55247270486c9044fde82639c9933dca9f328c0
SHA512 39524d374f096b95c74be0929b5dfcd0173dbf94791cf492d7838e0e097cee054b3a49ba9f6a70090326a62f9175f3318d114f5a7ac9feac8a8ab2caa4661853

C:\Users\Admin\AppData\Local\Temp\WysQ.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\MMga.exe

MD5 c7850d6ab571130ba1ea066e30739390
SHA1 5ac265b76390a19e037cdbd52360ca94cd149783
SHA256 3e3b887055068593face20a2308d6ca465e21e7d4341586f133e4f9d947e248f
SHA512 c1c3239e5043950fd8ed40750a188c280f660087ca3279003416c746c9ba73fea290dbaba59f5866260e1d527ddbbe0da8714ddc79a798d2f9c3826f520e3c4d


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 19:10

Reported

2024-11-12 19:13

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (55) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A
N/A N/A C:\ProgramData\xQsssMsg\xWAsswsc.exe N/A
N/A N/A C:\ProgramData\HeskwEUI\oOoAUQYU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xWAsswsc.exe = "C:\\ProgramData\\xQsssMsg\\xWAsswsc.exe" C:\ProgramData\HeskwEUI\oOoAUQYU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciwUEYUs.exe = "C:\\Users\\Admin\\XKUkUckQ\\ciwUEYUs.exe" C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NMkIAcMk.exe = "C:\\ProgramData\\wYwcUgwU\\NMkIAcMk.exe" C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WqQEsgso.exe = "C:\\Users\\Admin\\LOocIgMQ\\WqQEsgso.exe" C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xWAsswsc.exe = "C:\\ProgramData\\xQsssMsg\\xWAsswsc.exe" C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WqQEsgso.exe = "C:\\Users\\Admin\\LOocIgMQ\\WqQEsgso.exe" C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xWAsswsc.exe = "C:\\ProgramData\\xQsssMsg\\xWAsswsc.exe" C:\ProgramData\xQsssMsg\xWAsswsc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheFindPing.xlsx C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A
File opened for modification C:\Windows\SysWOW64\sheFormatEdit.xlsx C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A
File opened for modification C:\Windows\SysWOW64\sheGrantRedo.mp3 C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSelectProtect.mpg C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\LOocIgMQ C:\ProgramData\HeskwEUI\oOoAUQYU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\LOocIgMQ\WqQEsgso C:\ProgramData\HeskwEUI\oOoAUQYU.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\LOocIgMQ\WqQEsgso.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5076 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Users\Admin\LOocIgMQ\WqQEsgso.exe
PID 5076 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\ProgramData\xQsssMsg\xWAsswsc.exe
PID 5076 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe
PID 5076 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 5076 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 5076 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe
PID 3364 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2184 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe
PID 2184 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1328 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

"C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe"

C:\Users\Admin\LOocIgMQ\WqQEsgso.exe

"C:\Users\Admin\LOocIgMQ\WqQEsgso.exe"

C:\ProgramData\xQsssMsg\xWAsswsc.exe

"C:\ProgramData\xQsssMsg\xWAsswsc.exe"

C:\ProgramData\HeskwEUI\oOoAUQYU.exe

C:\ProgramData\HeskwEUI\oOoAUQYU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEUEgcEg.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIQwEEAY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwUYIsQc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqEskwUg.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaYQMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgUYMEAc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEIoEIgI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSsokIsA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LysIkEUI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUIQwUAI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSUIYcMM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoIMkAUE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsMgskYo.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsEAEEsw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgMUYAUU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgwosIkc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWAEQYgs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqkAUscU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIUwsgkM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQQQwgMg.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIMIUwgc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mykkQEQM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkoMYYEA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcsAEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKAcYkMA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOAccQYw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKMgIYwA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgssUcAY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWwMgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taAsIoMs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DukcMIIM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGkIAQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGIQgUkY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWgMQMgc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgcIMkAM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIUwIAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkgUwUEI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAcAkQkY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cwgkkwco.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCgoQAIY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiwgUwsM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqwcoUQk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diEUEAIU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIMEsIYs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMcoIIEY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewkcYwQc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiQQQwkw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGMAkcIc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWwYkcEA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqIIMksE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUQIEEUw.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuoYYMoo.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMUoEEMs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSkcooIc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQosoMME.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NicUEsAE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyoocQAM.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkIwIEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWIsAssg.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcQMYcMA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMIogUkk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiwQoAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWAcUggs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCgYgcsA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyQcYokk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIoYQkos.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QccoYocA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqgcAQIc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOoAskYk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaIckcMY.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEIocwAo.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCIQYUQs.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awcgsAAc.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWQgYcAA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkMAYsQU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYoIEoUE.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgkUIMwo.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyMQcMkk.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOAMcwII.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqwYkskA.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qugYQYkI.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\XKUkUckQ\ciwUEYUs.exe

"C:\Users\Admin\XKUkUckQ\ciwUEYUs.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\ProgramData\wYwcUgwU\NMkIAcMk.exe

"C:\ProgramData\wYwcUgwU\NMkIAcMk.exe"

C:\ProgramData\YEUoowIU\pUUMIUks.exe

C:\ProgramData\YEUoowIU\pUUMIUks.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1884 -ip 1884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 284

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYQEIQIU.bat" "C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
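The process list above cycles through the same three reg.exe writes (EnableLUA=0 under HKLM, HideFileExt=1 and Hidden=2 under HKCU) between each cmd.exe launch of a random-named .bat in %TEMP% and each cscript run of file.vbs, with dropped executables started from random-named directories under the user profile and ProgramData. The Python below is an added example written for this page, not part of the sandbox report or its tooling: it parses a constructed subset of those command lines and flags the patterns a detection engineer would key on. The rule table, the "executable launched from a fresh directory under the profile or ProgramData" heuristic and the ATT&CK mappings are the editor's assumptions, not labels from the report.

```python
"""Triage sandbox process command lines for the registry tampering and
launch patterns seen in this report (added example; mappings are assumptions)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str        # human-readable description of what matched
    technique: str   # ATT&CK mapping chosen by the editor, not by the report
    cmdline: str     # the offending command line


# Sample path exactly as it appears in the report.
SAMPLE_EXE = r'C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6.exe'

# Constructed input: command lines copied from the behavioral1 process list,
# plus two benign lines (conhost, WerFault) that must produce no findings.
SAMPLE_CMDLINES = [
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    rf'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyQcYokk.bat" "{SAMPLE_EXE}""',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'"C:\Users\Admin\XKUkUckQ\ciwUEYUs.exe"',
    r'"C:\ProgramData\wYwcUgwU\NMkIAcMk.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 292',
]

# reg.exe flags appear in varying order in the report, so each is searched separately.
_REG_ADD = re.compile(r'^\s*(?:\S*\\)?reg(?:\.exe)?\s+add\s+(?P<key>\S+)', re.I)
_REG_VAL = re.compile(r'/v\s+(?P<name>\S+)', re.I)
_REG_DATA = re.compile(r'/d\s+(?P<data>\S+)', re.I)
# cmd.exe /c ""<something>.bat" "<argument>""  (doubled quotes as in the report)
_TEMP_BAT = re.compile(r'/c\s+"+(?P<bat>[^"]+\.bat)"+\s+"+(?P<arg>[^"]+)"+', re.I)
# cscript/wscript given a script file; forward slash in the path is tolerated by \S
_SCRIPT = re.compile(r'^"?(?:[A-Z]:\\\S*\\)?[cw]script(?:\.exe)?"?\s+"?(?P<script>[^"\s]+\.(?:vbs|vbe|js|jse|wsf))', re.I)
# <drive>:\ProgramData\<dir>\<name>.exe or <drive>:\Users\<user>\<dir>\<name>.exe,
# i.e. exactly one directory level below the profile root or ProgramData (heuristic).
_DROPPED_EXE = re.compile(r'^"?(?P<exe>[A-Z]:\\(?:ProgramData|Users\\[^\\"]+)\\[^\\"]+\\[^\\"]+\.exe)"?\s*$', re.I)

# (key suffix, value name, data) -> (description, technique). Editor's assumption.
# Hidden=2 is Explorer's "do not show hidden files"; 1 would show them.
REGISTRY_RULES = {
    (r'policies\system', 'enablelua', '0'): ('UAC disabled (EnableLUA=0)', 'T1548.002 / T1112'),
    (r'explorer\advanced', 'hidefileext', '1'): ('Explorer hides file extensions (HideFileExt=1)', 'T1564.001 / T1112'),
    (r'explorer\advanced', 'hidden', '2'): ('Explorer hides hidden files (Hidden=2)', 'T1564.001 / T1112'),
}


def classify(cmdline: str) -> list[Finding]:
    """Return every rule a single command line trips (empty list if none)."""
    hits: list[Finding] = []
    m = _REG_ADD.match(cmdline)
    if m:
        key = m.group('key').lower()
        vm, dm = _REG_VAL.search(cmdline), _REG_DATA.search(cmdline)
        name = vm.group('name').lower() if vm else ''
        data = dm.group('data') if dm else ''
        for (suffix, rname, rdata), (desc, tech) in REGISTRY_RULES.items():
            if key.endswith(suffix) and name == rname and data == rdata:
                hits.append(Finding(desc, tech, cmdline))
    m = _TEMP_BAT.search(cmdline)
    if m and '\\temp\\' in m.group('bat').lower():
        hits.append(Finding('batch helper in %TEMP% launched with another file path as argument',
                            'T1059.003', cmdline))
    m = _SCRIPT.match(cmdline)
    if m:
        hits.append(Finding(f'script host executed {m.group("script")}', 'T1059.005', cmdline))
    m = _DROPPED_EXE.match(cmdline)
    if m:
        hits.append(Finding(f'executable started from {m.group("exe")}', 'heuristic (dropped PE)', cmdline))
    return hits


def triage(cmdlines: list[str]) -> list[Finding]:
    """Run classify() over a whole process list."""
    return [f for line in cmdlines for f in classify(line)]


def verdict(findings: list[Finding]) -> str:
    """'high' when the UAC write is present, 'medium' for anything else, 'none' if clean."""
    if not findings:
        return 'none'
    if any(f.technique.startswith('T1548') for f in findings):
        return 'high'
    return 'medium'


if __name__ == '__main__':
    found = triage(SAMPLE_CMDLINES)
    for f in found:
        print(f'[{f.technique}] {f.rule}\n    {f.cmdline}')
    print('verdict:', verdict(found))
```

Two caveats when turning this into a live detection: the HKLM write under Policies\System needs administrative rights, so on a standard-user host reg.exe fails with access denied and the EnableLUA rule should be corroborated with the registry's actual state; and EnableLUA=0 only takes effect after the next reboot, which is why a sandbox run of a few minutes still shows UAC in force after the write.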

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
GB 142.250.200.14:80 google.com tcp

Files

memory/5076-0-0x0000000000401000-0x0000000000476000-memory.dmp

memory/4252-8-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\LOocIgMQ\WqQEsgso.exe

MD5 f10d40e95d0d83cdcf43f2d171280cb2
SHA1 a1e15c28e32e66fdf60c68ba9a1b25fbc34506ec
SHA256 5a39981573ef6c78e06679cfb9befdffd4dc5c9f026a0f9a19bfea9e436f4678
SHA512 0d795ab251cbde703ceb60d70460ed4d816d43ba807d8f298b9c867bcb03f77a73477c85bfaa9dcb314016c46c22a69fb1409768bc28ca2da64a42ebbede7346

memory/4476-12-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\xQsssMsg\xWAsswsc.exe

MD5 6aad41faa906a635723256a737104115
SHA1 4a524db6927c1f4662d8f2865b8850715c0434bf
SHA256 d7df371f0c84dceae8e965a84311d9a4c085d26f83d767c7bd5679dbd6bb163c
SHA512 cbf89e9a445e2952d8469c2fd93e7bf3928cc91e648184d8dd6ba8906fee2f618c51a75d873fbb7be344f3582d0a338c21a80d651b47bd56ea33483ef8ea317d

C:\ProgramData\HeskwEUI\oOoAUQYU.exe

MD5 70a248b5cb1830197deb047de7d743a4
SHA1 69541248f2f3254da1c3999aba700f705361f732
SHA256 61f4637decc4143aa0801ec757154db18d6cb807f27aa92e958815170d69d76a
SHA512 fb90f2df55be763942b4d49517ba1e2378f307b46a13aba1c2dc5f57318bba692290d6e8e38873b2e593877715374104cb04732f721ecbf7c99ca2f5e80f95fa

C:\Users\Admin\AppData\Local\Temp\031d26192aeea01452c10be569e16f95007777176cc841cc97d75267c47991e6

MD5 35cbde129d22ad6080dc8fed0fd3e185
SHA1 e29871c61fe34d7159cf12daa543e1679f3ef63a
SHA256 eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265
SHA512 009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

C:\Users\Admin\AppData\Local\Temp\XEUEgcEg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/5076-180-0x0000000000401000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yowi.exe

MD5 5840031bab4a5d04b50382f8f856e360
SHA1 e838ba4fea61e89e3097f625cdfbb8aa6b249c3c
SHA256 403dd886fe0b64cbec119addbcc6d5ffb5f3f349b445ea36851f5f2136014e89
SHA512 b61fa0ec1de79a7d1f5ce5f9ec2308e12a4578eaf4081615ba931919e9eccaa275d9cd2a3c68c7b1538b24d2f54b1d08b866f7c9ba4475a69a9870a2193e8322

C:\Users\Admin\AppData\Local\Temp\coQi.exe

MD5 4ab13734caebea2a2c3c8e1fc074a546
SHA1 c30ea918c29bf980c2723814005dfcf24c99ee39
SHA256 5c237e39289d02d35cb9d7e0a7df44966b477d344e0e8aeed366f447fa60bf4e
SHA512 77466a789e5b8f6afda8c0aa47222bc09ca2e4198d2da95d2ff181a0e0e4a57e8ed0458baef75e208be052926b3075066b8959ee07e529d366223ac51939180e

C:\Users\Admin\AppData\Local\Temp\QcME.exe

MD5 0f5275decbbd27da480d9ce178167bf2
SHA1 b268f0d34089826972ef99f96fc26614bf8d4bf7
SHA256 51a035c59fd64df4fd1474d017b59aa4fe10c61e82d3b844a83a9b1c250bd149
SHA512 61372e63abc7beeb03df619785fec26028c4137a70ecba952cb13cf6064de3beba4afd251c08265604481c867352976f137f71002e58f7c3cba9109cb54d0dfb

C:\Users\Admin\AppData\Local\Temp\EqUI.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\WokW.exe

MD5 adedaf4bf90409206b6b1c68200ca406
SHA1 17217a8ad737ab756eef9d031acb86d3c4bca28f
SHA256 c18f5846ddda68220aec504a48a90ca6d0e88ffcaf89d027cf8e51dee96bbebb
SHA512 247be1a9665c041744653f0a36d5ebd356728f5bf33b096dffe5baca4c198682f8f47d4abc642617f173597b50b06b6fbaf25e2f07b1f23c4cbd1b1e7ae67362

C:\Users\Admin\AppData\Local\Temp\UIci.exe

MD5 167c384d104157fdbc69547ebfba543f
SHA1 26ea1062953c983b36a5514f28e8415934904779
SHA256 927da0533aa62172fd408a13191aaddc071e25920676eb740233bec3bde3f7eb
SHA512 edcea4897fd0e92690fdfb6a9cf47efabd9024c592a3b132dab24eb9d22b93242cfa60199226dbf92276086eb3fef2bec992c8b2fd0d9d187c02ab6ee7f4474f

C:\Users\Admin\AppData\Local\Temp\CMIq.exe

MD5 17d3463a3f97231bc16754077f5551e5
SHA1 4e87a12e6c96178e49fb6618308a201971bcbf27
SHA256 7258817ba781468ba5a729c68ef591031e4e8e0d19ed2d221799ede148b8406b
SHA512 addacb3e1deccfa4244b60bed7e876741d10dc2b6b49d7be3e247216aed887f73d1e726837d00611e5f7faa4f0dcebd654176980f4246cb1d137bb1d07757664

C:\Users\Admin\AppData\Local\Temp\mkYa.exe

MD5 a11d852e2efc8291638456665b3a21cf
SHA1 fd6e10cd40bdeeceece84f5d732067b9ac116003
SHA256 1f871da8c646b6f5ca7f56d85c5f8737d642c3f6b60378ba2b93bfbe506ea29f
SHA512 ce4a9e5dc07df9b650c92891251ac9a79a3dcb59eeb90f52aaea5bdc98c95b75011d4ae37ce5adfa3b7c8959af3190b157296d00eb6ba407caa8e7830e3e5334

C:\Users\Admin\AppData\Local\Temp\YQYo.exe

MD5 dc9bee1f0fc0a137a1aec6f697693c6e
SHA1 28d263d6400855f7998de4cc511b2a16788ec179
SHA256 ffcef70820a2bb4dcb7982fdb3d588de63b772baae8f646e514a9f627af3348f
SHA512 ceda909c2cd9bb16cc34241ecda13d70b37faa9d3d3d9f9dbea23a5303c2bb4e77cd95abb2d14aedf63e6520b30324e3f7220d536b008840168aea1e9e1cb975

C:\Users\Admin\AppData\Local\Temp\ekQe.exe

MD5 3722906d7b12225de6a1b3a41ccdf6d5
SHA1 daa5e490c57089f152136d87c28a74a14da5b029
SHA256 ffc0453564fdfe5b56fb5332d0c16ac55d147a979680793474c2fc55383c89e1
SHA512 d69105de39c8b6441e836c869e685319a0b507ff61f59447d8c5bd0c7921bc881850973c29279ab66031d65c63c1dde4f68d7ff7ea74712725cab47a2cd09c9c

C:\Users\Admin\AppData\Local\Temp\EMUG.exe

MD5 1e5a69417194d7dff63b527a7cf924e0
SHA1 6767eade566307795a43fcba1eb108775b5ac1bb
SHA256 55772dbd505148b4d26ed8d6a9681dbc2802075fb0ec4d3b6abf1651f297b3de
SHA512 519dd4be473723721e2414ddf7dd84ec56be84ec548697cd8a6bb4f7571144c5c503f63b54996f0592c5655b1a61a129a1bec5d921965900c0cc4b421f154792

C:\Users\Admin\AppData\Local\Temp\IkYK.exe

MD5 58315a43e24f9801f4771603e8f28753
SHA1 0eb6595b329324d5800e54ad03625cc85a4dca66
SHA256 200795e8d809ba3ac9d2035879adde0141350718f7cc50a1311f4693e276fd8d
SHA512 622dad9ee5b86bc27303136c849aceec770dad192906cdc180dacb450ba90868c7f5f9f0e9924a254dbf787e3800256f76d5941e0b1778fb66903e1b7cfb0297

C:\Users\Admin\AppData\Local\Temp\cEUg.exe

MD5 c5e22312f75b0cad5e132d93372fc110
SHA1 3ab45f466c21c2ba39524b81985157559563bb7d
SHA256 84793f8e4cad24fbed65712ad1886d1d3c5ce5e91a6bc86a770af88c3ee87b82
SHA512 46dffe49ba63c1aff2db23361928ca5397b1aa548a96b7323fe977a8cda0e470dfeb7272f58bf496b127a4ba23f655e8f3cb6cafc5ed2b0694baba3bf664f74c

C:\Users\Admin\AppData\Local\Temp\mQgE.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\qQMA.exe

MD5 c2526d7d9dff84674b9bf3442da77250
SHA1 4f631dc792ed170898c3dcc463818ffd871ef2d4
SHA256 8e76f6cc6f9a2e86df338f9686a8a05db7a43f7f78dbf94354287e36de6f451b
SHA512 e9b064d738d0f65752b1f191615db8ea52a247218e489a266e41f09a845729c80725ac207013859be53877c705ad8e1c64fa1111ff60510105ee9393f3ce4cb7

C:\Users\Admin\AppData\Local\Temp\yIIe.exe

MD5 62edbfa164e996347c7b384711a78cf9
SHA1 7aad052c919829827c524f38282710fe606e4a51
SHA256 b22408e4555835205917343bde6944362a327d8e66c97c67c13ff11bc1166d82
SHA512 cc1ea98ea7a02b5083d078f3da0b8c9bc92b5ce61e591f29059d42cc3f50b40c8ff5ad8d2b418f3d406419246462bb71b8bf684c83aa9d3f4eb8803d81f4c272

C:\Users\Admin\AppData\Local\Temp\oYkM.exe

MD5 3b9b417056942c2274761fc85be1db7a
SHA1 1c892b686d99c444d8dbc7ac146a3f885a1bf2aa
SHA256 c4b74bb4518ac2301901f6523ab29380510b5dad162b03cde80eb03a89979f33
SHA512 f9acead8300b87de4805f14bd257198885e0db3284c0f269e20ebb012914a0667aa6a330b43dc3907af562763e233725ee34d94d4a455976635746ae8eaa99a4

C:\Users\Admin\AppData\Local\Temp\cUMY.exe

MD5 88cf77f249ab09dee4af3ef3c2196dff
SHA1 5cb5a81ecce7c9df2d77d264ebed986af8d956d9
SHA256 8e602605d046cb59a6db266981f009827ffdb490a14be0185c1fba46237f497c
SHA512 965043c7d9b5d67a77aa87d923f7dc2eabf626c10410bc8be6189ed5a9fe3c3d2b72283d5cdbac76abb70645a632f660bb8a603a206a13aa437c357485f25fcb

C:\Users\Admin\AppData\Local\Temp\cEka.exe

MD5 dd977a4657fd776d4ded68693f6127fe
SHA1 b49ad67c9a473aa8a175f2033ccb1b154a863455
SHA256 6f27835d387d04b37892dac6a19823cca2063460b17898d832f5646077d6dc55
SHA512 a29dae2c83637c295571b08ada3b75ad831b4893d36c7aae4095f34b2e44755741606af2e547fa3ec1b128f1f7acd93b7c7f018f18120317a478b4e0b2719bba

C:\Users\Admin\AppData\Local\Temp\CcIY.exe

MD5 6bfb29a4180c2fda43d2baba4eb2d2e8
SHA1 bfc93f48c78adf243d2ac1e94b101ff74f4c86ef
SHA256 beeaf17f0f28a02974708114a8d82c364a0ca84e1a4662589c9a8b7a442dcb61
SHA512 ed0e4216c442372d9bd0c62629570ca99a656c24eeefc74ec7549c632b9065b2d2cab36be164b11696b2a766f90afca5d44bbd5ff234ef1dd7d6923a618f48ad

C:\Users\Admin\AppData\Local\Temp\wgEe.exe

MD5 c93ac1b19d899753279126577924ff10
SHA1 c50502b8317eadd4052408f49fb44385a873e8dc
SHA256 6662836d00f971d5c7fc343e806c3395de7b99c1f40e2b08d714911733e10ecc
SHA512 229e67b0596119acb8c4e8f29a6b1bdcf8cac11cec4747533425058a01e56f7d89861474a1f8cf3d6ab58b093ab581d9f9552831dd7f3e00feccba01617ec5db

C:\Users\Admin\AppData\Local\Temp\uAos.exe

MD5 80f29cf5c2a75d483b10a444a2d3c376
SHA1 f70ec1889d3c019081f90cb606e357387a58b2dd
SHA256 d72a1605f1f076185f84d630f13cf45c171905df67414e3a12b471e7b30bb362
SHA512 9b553a93416ed176d878146987828d814f4431c295afab0bb4f568e7c3bc33d7243202998e8f0d70ab9c508357bc4251ead27fa816fd08fe7f602bb9ad1760e4

C:\Users\Admin\AppData\Local\Temp\SoUO.exe

MD5 35191857119f58866203f1006ffc90ba
SHA1 2971ae86d44db9307e565083701b972ded3a24eb
SHA256 55de3ed98d73230849891f8e13abe4c46a1579e65edbf0da53f7275a78472583
SHA512 5d2693c562d8662d54c57720e9ff1af9234872582669e2c0017db7a373b707b86a517a22b380fe5a652e60dfb16c8407bb604d493b96fa1a9ef75c86e699bd4b

C:\Users\Admin\AppData\Local\Temp\qQcY.exe

MD5 72a45737004a674a3f4fa075008def21
SHA1 56bc1c941a707753a06e7b0fcfb27531ae55ce22
SHA256 40d7d6d7230e3fd6a0a8d4ffccb0b70f6d5e404650deca18a3a46ec0e1f4b7eb
SHA512 71cc118f843177b4b3382fb5e7979010049e9e3e4ae5f1d3796c0571f48df3448e3b2de7eeb26a89d623e1b2d840f830a9ed45f85712c1c3ff99ec42954f3101

memory/4252-586-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\okgC.exe

MD5 7bcf940248d7422ef05b2815ff437352
SHA1 ea19f4badcf27c81e3e86c70d51c5f64d44d75c6
SHA256 a17312b93b2dacbef690bc2d00861e12e56f907b9e262410fab2a4d14d2298f0
SHA512 8c2935fbb1f40193d3297550145386e0ab5fcf4efe5264642a75f33f26e811b1ade26e27cc58cac9f812a63cc70964ad67c6f1a75c58fbde523184e92697657d

C:\Users\Admin\AppData\Local\Temp\CcgC.exe

MD5 9b393b26a1e137c9deb7729c8aa9a823
SHA1 635e15d5104e671e4a1b7d5b65cb4e02b3ea2fb3
SHA256 ba4259bf6564d34feddca13009db33afaf48b88b72ceb82a28134b8c9e411fdd
SHA512 53be3af1c26d2b0f71b7b14676b5417fc05d27759dbc7c24589abe93e0e7f55cacab5cbf2a68979a787253a684fc1bc655a6f9a6a6f7572bf816ac8173335855

C:\Users\Admin\AppData\Local\Temp\WcEG.exe

MD5 376de19766d3c40ac12d046238cc64ab
SHA1 e0529c7c8ac05200ca503414c50e53cf2419f6b8
SHA256 2a549a8f87e5623fb156bb8ffa5cc880988a8d909f8c3d56dd035b89c8a56473
SHA512 cc5cf7e919810411fd4d2174a266507bf0bd0efab4bfbcba5ac58dbeb5e30a3b24183e9e440763bff6cdfc37f0b0b0a08f8542fdc910fd32bd30b92367005f43

C:\Users\Admin\AppData\Local\Temp\qgMA.exe

MD5 e0bcfc7aad25baae95d770645a5fa0de
SHA1 d69926936e8ea9d6f6c7b017236c767be7b65959
SHA256 b2661e7668c3d5b854cddedf49d644ee1f650fad9a3d33183c56a76d97f872e9
SHA512 e77434f9b16333cec2d674f2e248abad91fa0ff203bbc63c3d1acd04bde50f1a196015785ceb0f416b9ace4e161a205b547eec7ee773f04872e267d0ebac5ecb

C:\Users\Admin\AppData\Local\Temp\qQUq.exe

MD5 726032876a1653f459b52b5f79b405cd
SHA1 f643766c6856486e78e1c600a18ccffbce7970ec
SHA256 291be985b2b85e91c6d3c125ec651b504bc0561dd44d16543804bb036a13ab7b
SHA512 8641c167ed223f602482928474b5af1d5477c79d7ba981c1a045a5a5e7990bfe4f4aa25d12430b12df51c4974a4454ed847dffde9732259f6094abc40758478c

C:\Users\Admin\AppData\Local\Temp\MIMG.exe

MD5 15970bab3e732e9ab52b503d6a20accf
SHA1 0c97bc26855b06dfa1c38278eeb3ea79f0ac0dd8
SHA256 02ab0570cad0c55847f60a13e70a4105ea6959a32136829da049476c0e994d60
SHA512 766d6fb45a73ad30367eb1ea93f2b3978dfeb62be855e2b17fee4e0e6f6984ad0ccecca4f5a2d7507edf5b31ec2b394cc0a72534d40c5fa7dc06c5236ee321ab

C:\Users\Admin\AppData\Local\Temp\sQMs.exe

MD5 ca49d560a85c2a0e1bacc78e1f8c5bf0
SHA1 1dbc91e35fc660f2d3dcfa230b9cf568b6d7ec46
SHA256 eb34f753079d888d8810e2dd66881d5b79b2125e69a3ef612d6f32c91e722d7d
SHA512 b76768dd763654eb2dca122d936855a8a53c5336f97cf6c9741ad76837d1d7cbed23e47592b857c0bd6b2efedde88265b1a637542aa53d97c1ce95af243f8aec

C:\Users\Admin\AppData\Local\Temp\KsAe.exe

MD5 24ed274099bc73d184ddf9e7d017a8c0
SHA1 90b21d8f5893b27477eaaaa1574c07302f8ae700
SHA256 a1fd368e950cb33ad141516ca62e4323d0002cd943f8bdc2a270ba65dbf180a6
SHA512 9d81fbec72c4e55a0b3171d94850775edd231ea3ccdbd0169b407f2738e4899f45a1b5345c2adf707376fcfbdd868d7ec62bebf50351af2e9c4eb84fdaf40cfc

C:\Users\Admin\AppData\Local\Temp\IwEc.exe

MD5 de89c87b3053080ed95a6bc8e483c413
SHA1 a1363692ae89fb84da272c0dedec3d2a16241607
SHA256 f9e5f4eb98878d06e62faf01bb38b80f9737cef828d29320e5a3be62135d1d9a
SHA512 5ebaa2b6ab02b7f91624d174110e646a951a5d1bd4efd6bcb77c9d6ed117f8f5a9bfcd0e1d43759697afc2ae132b2188ed4036b546bcf197a5ed318fb3c68ec6

C:\Users\Admin\AppData\Local\Temp\SQAo.exe

MD5 668a1717b0c36c121b6d4fba0b1bb63e
SHA1 f647b95d54f971ccbaf36c0f0b9abe5b47ee01fa
SHA256 dc05576b64fe99eeb06968d38c453a5f5ec3be9e32b28b251cc999ac92f5190b
SHA512 30c636f88e86e88350181100f9335b1d81b8b63804530fe751b41a86846e8810d3a97a60d6452ee26b23d106c603f9300bde0f18e3fa289c7a4c652bd92cd0b6

C:\Users\Admin\AppData\Local\Temp\ksME.exe

MD5 f2b04a41cd8fb209e49174b115c2c388
SHA1 40ce93cb5868810c7963375bc11321dfa16b546f
SHA256 3f0477a85f3ca45edcf1544c36c90f0e2ca05d42c86fba4493c31ac3e13ddf33
SHA512 cf2c12c708d0757d3f6432e39fcebeccb6e30549f268f872a3b0cfd56138a4fbed14f6a7cfc5713338d54e958b70dd294907341e9fbe04b6932950d59c0f48c0

C:\Users\Admin\AppData\Local\Temp\KgkK.exe

MD5 984640bcbbbc12c44a9ba30e921d6ee6
SHA1 6b83c8849f2f0e0b984fce5665efa0623a6c42a9
SHA256 cbc47ca093d37f22b0cb4e0eef889c3bf3390a14125d8928aef31c558feed86b
SHA512 5bbbd090d06ddb0bb7896c4a4ae0abe1b617d4c85ea867255833c47b46d779ce70a5a33c6239361b5568f2d8c2228e89b69a87b3746bbe6d4c11fb43ae897889

C:\Users\Admin\AppData\Local\Temp\gwMo.exe

MD5 78af8dcdd5fa0512a43613b731a224a1
SHA1 3b3eefa1ec62135cb77915d4fa59e9423aab3343
SHA256 415ab83ff5d1671bb05b82293190b3e214560a64c6ed5448f2d9a36743a63686
SHA512 df508f32affcdc0c63532c482b8e741b358d2f8a43ba7c6b4697c48984a44fbe581b7b2f6db115a69c7b59b9b7c73cae8e2d2ab2f6095ad2d155bb1ccfe70665

C:\Users\Admin\AppData\Local\Temp\UoEg.exe

MD5 d91a2fd86dd8ac6822127d16bfd9661e
SHA1 8ffbf6e43b60cfdd6746264c792123b61e08a08c
SHA256 5d3d3b4c129fac689291eb7cb1cd02fa73f10982544f34d1f7ea5c553848444c
SHA512 458a18248da09f14153720d3b7b824a7eeb67af9fc9be124b64ea7ae389896892a68db86a15b7ae03602feb3146d99cb0d7e264163527acc0c3459606abef30b

C:\Users\Admin\AppData\Local\Temp\qooG.exe

MD5 938fd5ed080d592b2d8092f33dcc5e25
SHA1 e9ea3d152d350acffa3bf83ed4e804fb2ea3ecc1
SHA256 ea2a5ede087d5aeb11eb70234a37c67ebd96912281284176b55e66360c7636b6
SHA512 14483c6b2acd6f0c4bdbfd5cc6a57b3d8b724fe1f0360fb4d8a3f7b974ea64f840988fda5ca3726994a95ebee34811c3a1a6324fdf52545b98cdb851952d25ef

C:\Users\Admin\AppData\Local\Temp\ykok.exe

MD5 7455abc94a30f419b9d5360e4737a49d
SHA1 6d5747f46595b4fa242b564124dbb8735c10f174
SHA256 75403c4893e0fb6573efcc73b2d755b75488d8e9bcde3cb67b7a0297bf331f2f
SHA512 6ec2ffe24a3169c189d266d902bf6825319c80e2fdb8397cb6058034a5f0dbc800525105927d5113f53d67b0f5f46e613818802f98011d7de3b7b634a20d2f13

C:\Users\Admin\AppData\Local\Temp\CcEg.exe

MD5 34e8691be515c1208e041eee31be1cd0
SHA1 eae1fa1d509d08cb648658cc55464e519fd4d93a
SHA256 73257d62cc3c46e2e0594c636933b5318383d2ec3ec6ec25a42e2ca247bdfa2d
SHA512 5731b7279c1bc8cc5768de5a720858c9513f4a52923109396bb05961b46f7e3fbf86d77aa4aaa7e49479f12bc7f8d7dcb851040f6b745277b2f09c5a4541767e

C:\Users\Admin\AppData\Local\Temp\SwMw.exe

MD5 e99de72363d4d069a164955a057ed01a
SHA1 e834fabe6a95bcb2ba595d5a1b75814b774fad29
SHA256 dbdad7399f8da53be0e8445f4fdf5e3ed2764d0a4e2dd3d5c6c7c96336d155dd
SHA512 b82929651e143fb1657efa90142aad5f73f9cc69c829ab8d4972daba5c3534d7759c05110585e20e0db0c69a9e9442f33c3b38dfbdae0e425452b5d70107d0bc

C:\Users\Admin\AppData\Local\Temp\aAgo.exe

MD5 54a4f624a5c771eff8c18f3d3e250884
SHA1 fe1be17d223a3b3a547d0d93b31a4174cc1091d0
SHA256 152ff1dd0b09cc07b86f4788392b322852fd9be08187aeddb02c609113688339
SHA512 0916a69be1ed7a2091f5828f72fb2440c8e57f250f35931e4b9980b1377ac26caf22ab0ad0fd473b89891bab5e185a77c4dd52fe1e836503d4906bce9a3c6a14

C:\Users\Admin\AppData\Local\Temp\qMEW.exe

MD5 1a84a7747f239709ed6b6c6bc1dc7a3c
SHA1 d1c2361e2672f1f4f41135a1bfd2bb15d7d19125
SHA256 ff5b809979b7d62a8ea29a1d4d73f1ba498f9a370a72ce70c999271d8a420870
SHA512 41ddfd3bf3bab85ed6925ad4bd0577791894adaf70f7bc6ac8cf075a52ad80da97c653378b4f99d5101f882a0de449460968ab8cdcae1a8ac71561f9b05fd69d

C:\Users\Admin\AppData\Local\Temp\AMcM.exe

MD5 9715dcdbb95fc8866cf33aebec718b96
SHA1 a6255579fced4e618c1a3c324dbbd6821803641a
SHA256 a5eda3c920fe5442f4a036305945047391b2d09514f64e6007c43d9d833b5a07
SHA512 e4ed07b9e0670c7296234f6a3ea4a4a2bc2d5f01ebf43a1be822ef62d2686f5ef2376c26bae6c200a6039e42952b8f13ab2989913295a6394d280bd755ddafb4

memory/4476-896-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OUwS.exe

MD5 f7965e2f8aecef5a69ec74eae2159e0a
SHA1 e26a629382b43a1754a82b5ae60c1802f4cb0db4
SHA256 03cfe0a74e9f0bad975b40b536fe8b8cd88266cb754d2074a2ef3914874a114e
SHA512 60c5aeb3dcabbb9e91b4556d9b63f4c251fe415a09cc0a14d2ae19bea7aea1ec9689e5dbcb9da495eee90c6f948a4384e92460eb925d1549b2769a019d238c5c

C:\Users\Admin\AppData\Local\Temp\IYEc.exe

MD5 1ee6cc2d465c70765f26d9dc17b29891
SHA1 aec9dd9a25864db7197c8689fc0c908e0adac597
SHA256 b23b1c7838265e35f2efa257205ea525bad08059a8a08bdf63ea45daed048fc2
SHA512 ff46ecff08335d09ce7f8d38f1cb47b2a237cad5f35d7dbd2838e036daf40f95d3947cc71bec7885c8c77174625b475920bc56a30cf7b21045ab3d19d5112238

C:\Users\Admin\AppData\Local\Temp\eAYG.exe

MD5 b781946bc6f4281d6e763c95eef22668
SHA1 bfe30e6e024e656edfe603b66e05894986beebb0
SHA256 67b6ac4fa63b013ce596cd995db9015b81ec10fe20da85ab9eb59c63934e1394
SHA512 1e422566b4c9533291d33a2d926fa41f515d82975b07ce61262d69d343e0b818fae0d8562f7f6e3910b51c3f82788fe0ab846d717ea7ecf72fe3bc9f0f30ae94

C:\Users\Admin\AppData\Local\Temp\OAok.exe

MD5 7aa9465cbf1bc54722c0661b5c1c9569
SHA1 7db2007940adc141571057629ff32d9e8766d3f5
SHA256 954ea52b7c90b622b7f4a64b97ab4cf2890e3f5cfaadca33293be0a77eae9f6c
SHA512 96c4053593d39ea2000813ff15d22592e7f71cc75572a362e5a7d96cf907a1516cedddee70a35fd2b479237c082bc3c6deabd671f37a91ca34a4db89ed3450b1

C:\Users\Admin\AppData\Local\Temp\osQo.exe

MD5 e718787f25962fc87655f1cb21aced6e
SHA1 917dda29101a35c9cd1e6b64e80bc35a0da48e03
SHA256 09da4333a5ad2296ab139be933c7a49ef013737c6c1d6941887dcbffb3b34491
SHA512 9e4198b3b3e46f62f9c00564d1d63a60fcf86f4632d90d22f32682495b455e6872c94b4453d3ec3a809b2901399cf9259b1a13a9068e6ab63200b463bb4874b1

C:\Users\Admin\AppData\Local\Temp\mokK.exe

MD5 4f4b937165038376b440f1f87f1a9447
SHA1 30a499f1ab940f4e75db19a0b8f4286f915f2e26
SHA256 80232806c4c79599d6de2ac58a9e66520a087c3ac0b69553e213c3cdfe7f3515
SHA512 a8745653b88f737d5616c062279f40312bffd33e76dc42c2826c40961511e81052c6f748fd8ef2ce03821f97022493469bb0f02d7aa812dcddc34df82b4e2026

C:\Users\Admin\AppData\Local\Temp\eIsu.exe

MD5 305059a8cf2afa7b73261c46d710d917
SHA1 ba6dca9f735b82ef58010b35549504235dd40cc1
SHA256 51aa372da71e9c0d5aec4525704095caf41ee5e497c55d52af366708d52eeafc
SHA512 aeb7205cd5ade9cf959bb8a3723fdc3d5412bbfb1ba9e66c53d4a8416d83e4c8839c48dfdebca5765af3b6d8cc8e29efb8da9140456f0d331d2aae9535b5a55c

C:\Users\Admin\AppData\Local\Temp\IoQe.exe

MD5 c5fcba58e4ac88d0a2a6cffe7234a37c
SHA1 f7ebc05a378d4b0fbb3e8204d213d31b6c908c27
SHA256 facd5e5fec53d611acf4d4a34c607c08617d9e73b4c55b1fedb4c854476cc0a1
SHA512 7fcc704ebcafd48fae2e6f05124f8b457d34f91f30566ff19f8fd935638186a4c6c2ea95360b713de01049891776870aa0f049a4503fa2c3155be30fc2ef0cf9

C:\Users\Admin\AppData\Local\Temp\GQEs.exe

MD5 2931c43f009f0b1a19b3e2fe9ddcffa7
SHA1 8cc3e01f280ccafbd6abdaae953bf879162b6c95
SHA256 e0a3b1be3071fa84958862e780e86f915f137ff3c15fa94cd5c1715a2b9bea62
SHA512 add03adf039753a8d8d946400351ef0346818fd2e7c5c756b663d0803635ba437b267c781c245d2b545ed5dc6fe892db9ab2ac58f02cd76e234b0e30362c97eb

C:\Users\Admin\AppData\Local\Temp\GEUu.exe

MD5 b603060b6952e02a5945a8c83fad5a14
SHA1 7eef680fc9680ea026a33b3349abfecfb3db9f84
SHA256 63e0ed1c5b5457dccc7cabb9c6c95e8a491f19416976bb12b504810af5057087
SHA512 ded675e3da95dd3a8643f8851e2fc92fb505c5c16104cd4f22d24efe290e502b89b8473b28de6547595d1d9f492e51009315d13d9713f22d848a6be3e6170350

C:\Users\Admin\AppData\Local\Temp\wQsM.exe

MD5 439f621f4a979585adaaeb52d2c0c2c5
SHA1 0ba8933a3f2ae99e061e8962328e552a380bbe4c
SHA256 e9fa951c84d366d9d61a46621f97e664583331433ff3336287ea5604642f78a4
SHA512 9877e2b24a6e59de6cf098f85526e45a4965328fd5e5343a18a9c60f32d51ed659e6e592838d3a5c48983188f2a9d7900d63da868e6a5e9abf7af4bf9b68e700

C:\Users\Admin\AppData\Local\Temp\CkQA.exe

MD5 7943fb9d7791d25f1d61809def021f37
SHA1 5857758d228f1f5b056a1905897a455647388a51
SHA256 d602f4390f01bbfaadeea4b94e05468c2c7da474504cfd317cca608f8ae151bc
SHA512 98b2a77e6cc1c314b2c99aba109094198a6d9442ff2d61595d11ed385ae7ebf08e1c055f0d13578c0953cd36cc1eb29b93c9173fe424aca75dd4bcd1215a3233

C:\Users\Admin\AppData\Local\Temp\oMQE.exe

MD5 899291e33b76646d8505a95ff97ef7e4
SHA1 d37b7887409990aa07a9c5aea793120a333970f2
SHA256 83dd78fc26997cad68fa6157f010d3585663ac9be05d9f0f8f0389d297c13121
SHA512 146aa85415c419adf1be7d3af3f88aa592b9180ee020d62e3518426b51e22919b7a438efaab288ff246d6ea2fd83c959504b96c9fa65ce48d1c495971cf450aa

C:\Users\Admin\AppData\Local\Temp\SIYS.exe

MD5 f9f9578f44cb13958d6ef0cfcdc1ba79
SHA1 8d55b959a4a0987c4c0f55c3bdd93f6f245fd479
SHA256 59d0d436157834acdbc122fd3b094d138ab44d2d26730b1292690e4c3a74c917
SHA512 92fafadfc5eff609ac46f7e5419e23559944dd400c879ee013f47b42c354e5d8fcfe1e5a9a06ae5a0aa53e552eccb02e02fe1f489d83a3155a644f005f8a8bd4

C:\Users\Admin\AppData\Local\Temp\IoMY.exe

MD5 39d14eaa6b60df1c3a9c0618a86bc142
SHA1 e13ff740714949df6ae80c795e5f36f05bc1cea6
SHA256 c3bb29b8d0aa5e66844f82d79941818488b9b1ba7bb6aaef10692dd6d1fb4663
SHA512 b95279386e96e61819cc21dfaf1f9fd2847be55aad0d1c0b9f4816cd6dd68a4f4d086baadfea3f0a4ad868673f1936a27ff057ed2d8c4414f30f002b1699794d

C:\Users\Admin\AppData\Local\Temp\qAQk.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\ssgm.exe

MD5 e40436f386687c4d49168c559d41278a
SHA1 0f699db846e7dc5e93ff6c12132440a9c67920f0
SHA256 eed7cd99c139f085f13da20d088d98f0d5cd48204a782e99858b03fc67d8d4c5
SHA512 d5249f9fae0d4d37a6e546360d879c0fdb942c993d6a858f4bf6dccf1dccaa51f463672c6f9829f96fb076d6802fb68129f46c31526f99e4fc8a84e03a22392f

C:\Users\Admin\AppData\Local\Temp\IAEK.exe

MD5 9779bef433652672f6f54f98933ce4f4
SHA1 6ddf53c92183a0dbe62bfc6bd70b7ce93537913a
SHA256 7c530f5810c068a3766fbf9cad405adbb1c132c25a93b80e03b709916060b76b
SHA512 ca703a227222611802023cad6fc3b27f7e1f1aa82062f99e1fe48299d0cb42870ec2faa4e7f2978c7ef8d486b681eb29581b2a6bda8feb44b1dbec73aa0b8467

C:\Users\Admin\AppData\Local\Temp\esEU.exe

MD5 53316560cabf4292e4edbb8cb9e04a23
SHA1 df205903549ca5a7030b972e326d0ad740b83b84
SHA256 f53d696e010797e314303231fb38d37ab37abfe6c367415480a68040a19bc311
SHA512 b11e44ed09c77d3dce8de7108a3ade1a1a0deba87cca40a9533a379d654ee7d30ebef7a873e9d029cba41026050aab27a7c39ddbaf49d66959e4c743485c872b

C:\Users\Admin\AppData\Local\Temp\mUEW.exe

MD5 b9d8bb2bd845109e5ce4a49ca14bf858
SHA1 03bfb7075e11fd35ab5d57a534891355d25a50a6
SHA256 565e868a389ad6676f458b03620d78dd99abacf76bcd6c0761991e8c3962c17f
SHA512 dae1596244ab0b3c8981769305936e3990fd352bc26626742e365564d04ec3af5e7621c489f314ad77892d15f41f3608a0b7bed11df6ad4791a61931f52f53de

C:\Users\Admin\AppData\Local\Temp\Eokm.exe

MD5 b94e2e623f66213eefae3f4aaf79de51
SHA1 e607db2bc2145091b39d553bea33a31290b99546
SHA256 881084f88bc077f47e32f445b33a415c724f303e7adf53a00bac6f5c20e44b38
SHA512 3aa818bf4b5d9b28b0f8d786c5af56fc2f6f7d7ef6db3938dc7731bfa983723f59186546c6e333aaa810692c0ff6e435c5b3faf9159dd901fbbfefb1895d3741

C:\Users\Admin\AppData\Local\Temp\MYEs.exe

MD5 deb083139e13a1e0f3f0c2d16785e86f
SHA1 7936418d5be0c7a048b437d6b7e0093a21a1cb01
SHA256 3c7314ada9568c2175b0bf04ae82320a182df2675032201b7b277aa9c1aad74d
SHA512 e95171c13d3318035377fae947536a4468ab979b0f69f8c4cbe9b3b4d3aa58e8c60680e05ea2051224aa7ecfb2e307b28c6ee3749c2533f650ff2c3376c26aa6

C:\Users\Admin\AppData\Local\Temp\mkgC.exe

MD5 09273573b5c30b6c10766d077056cdeb
SHA1 eba50feba4c0a716a62ad43663ac35c8fc737a21
SHA256 be3c099c1df8d3f971e2cc9b297165a70ebe948481b93b257daee05f6a74c6d1
SHA512 8eade97f77b23229dc33d224f54a5a404456e55042a59667ad2e577a97311f77258419a65c08ccfb5e62e88d9579163bbc8bfc1cf4022f28ca1a3a9d37f313b6

C:\Users\Admin\AppData\Local\Temp\cEcK.exe

MD5 bd538f90f6bbb4425613147b26f82827
SHA1 f382ee22e3f514720b32299f347a2e5ef5488b22
SHA256 bd1b7f20fa2e4a9381fabc5c0c802fff780349c99443fb2306479c05f59fa206
SHA512 d3bd5cab745021cd8c33542b1f8bfff92e19e3b2248a9a74a5e3be8d5b531e189b61fc8e6f9f9ddf69f9d3ae1783f4191a18a075061562bff70afb1390d451a7

C:\Users\Admin\AppData\Local\Temp\aMUE.exe

MD5 8650d0de086e3b98fe1a26692120570b
SHA1 bba2ec1388aa0d29f219ad90ab90c4b542217f0d
SHA256 5657c02eab17e86fbd09f5ef0998dbfd8b5c10c67d2fad31fce308b9ff76a1d9
SHA512 391ca86165d8c426e2ed97989a61b1811eac886f505a1f9c0b1a69e6e6cfbc9c0a0033b9ff278a3391e16aa94aae8c37658adb24c15b3c710b4b97601690667e

C:\Users\Admin\AppData\Local\Temp\WAIa.exe

MD5 8a1211386a13c61c15e9e5df1830192b
SHA1 29983b29a0895963a4781aa372f6f061c47e932c
SHA256 7d4a3f4a1cbcab59919783650896b3fa74526e0488fe5f7a2b6de9aa475edee0
SHA512 76e4e981e227dcf56fbcecb484937b1e345cbe72ffd0c24cdb2567a4f2c8a838126d1b2541243e317372c98048c50d01d62b52ac8c3136beb25a0284fba93b35

C:\Users\Admin\AppData\Local\Temp\eYYS.exe

MD5 823dd67cb045917fa17373775744c1c3
SHA1 25509c1b9efdff87bca1708b2977f241151a73c0
SHA256 813b39117698ed53f941cbb08de9385ab808c5b6818a1b91a7c5c712453b77d5
SHA512 418dea9df7f3e43c3fc3cbbb42c7c530cee283ee7d43fd0831b88c6ca6d26aab5f18da90e1dd17a866921dc87cfbd939f04a7863e05471215efe85ee207e600d

C:\Users\Admin\AppData\Roaming\SetConnect.bmp.exe

MD5 affc67bd21d37e995058edfe205f81d3
SHA1 cc913060fccd6db69978c24a29638dd06bd8ed3b
SHA256 5bdca2b7bf747a95c30911d84bd54af3436c1ab8216464718e7d20da2ced4ce2
SHA512 1998c688b2a46de21386528e5aaad889f652fcff77457bba1308cde7b49d08f8c3ae2a895e625523fed60e350cdab1c62c277d94c6c499793244b39c0ee14cb3

C:\Users\Admin\AppData\Local\Temp\Eswi.exe

MD5 31aab0c9925ea05ec3f3aa428a89e7e1
SHA1 620589f89b8e9ffe1fc2c107f655359158c88846
SHA256 5adee8a4560558074caa2208de77e656bea2e5c15a1e151fa5ea4ad9955afc76
SHA512 e971537670aa8da59f72e962340b8363af1b756463c27c633de851d332fbf4b616e9757d687843f9b03de9a25ae49fe64b0c3eeff3d03cdf8f20777fddf39bdb

C:\Users\Admin\AppData\Local\Temp\aAoo.exe

MD5 568588285aca14d44c0c9308f7f15a97
SHA1 56d00b47bdeccf3dfbb63c09817119fba9bd92ea
SHA256 34b0b94a43ed60af3da2cc2bd509bf1eb0052c5466ccb8b2faca0ca74d5d4951
SHA512 2d630292096cd9fd3db99ab5a9fd9453dec2f220cd65603de557e876c79a9c98e3662dfd689e498955a612fa65a9fdbf4cc6002d2a3d16d216fde0bcf15bd50b

C:\Users\Admin\AppData\Local\Temp\IAwi.exe

MD5 4b2cfa1c1bcebf73d4f4ee541e9037fa
SHA1 4c41e712a749f7a5f3adbf71ee2da7cebf58b4c6
SHA256 76fe3f5c3998d6ed715b42f05f85cebd795e08b37ce2735a8b3f040a30085978
SHA512 d67cc20257b9f34bf8b9b3b8076b9da8d1f6089f1e1d3a78b065e39d18cf47334701bcfe05fdfce118011fc041ba2c6a1ff44b58d512281ba767e93775d27d36
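The file listing above is only useful downstream if it can be turned into a checked indicator set. The parser below is an added example, not part of the sandbox report or its tooling: it reads the path/MD5/SHA1/SHA256/SHA512 block layout used in this listing, rejects digests of the wrong length or with non-hex characters (a common sign of a copy-paste truncation), keeps memory-dump entries even though the report lists no digests for them, and emits a de-duplicated SHA256 blocklist. The embedded sample is constructed from three entries in the listing above (wgEe.exe, a memory dump line, and SetConnect.bmp.exe); the layout assumptions (one path line followed by zero or more digest lines) are taken from this page only.

```python
"""Parse a sandbox 'Files' listing (path line followed by MD5/SHA1/SHA256/SHA512
lines) into validated indicators and a de-duplicated hash blocklist.
Added example; the layout is assumed from the report above, not a documented format."""
import re
from dataclasses import dataclass, field

# Expected hex length of each digest the report lists.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# A path line is a Windows path or a 'memory/...' dump pseudo-path.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\.+|memory/.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")


@dataclass
class DroppedArtifact:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")


def validate_digest(algo: str, digest: str) -> bool:
    """True if digest is hex and has the length expected for algo."""
    expected = DIGEST_LENGTHS.get(algo)
    if expected is None or len(digest) != expected:
        return False
    return re.fullmatch(r"[0-9a-fA-F]+", digest) is not None


def parse_files_section(text: str) -> list[DroppedArtifact]:
    """Walk the listing line by line; a path line opens a new artifact,
    digest lines attach to the most recent one. Anything else is an error."""
    artifacts: list[DroppedArtifact] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedArtifact(path=line)
            artifacts.append(current)
            continue
        m = HASH_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised line: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        if not validate_digest(algo, digest):
            raise ValueError(f"{current.path}: bad {algo} digest {digest!r}")
        current.hashes[algo] = digest
    return artifacts


def blocklist(artifacts: list[DroppedArtifact], algo: str = "SHA256") -> list[str]:
    """Unique digests of one algorithm; entries without that digest are skipped."""
    return sorted({a.hashes[algo] for a in artifacts if algo in a.hashes})


# Constructed sample: three entries copied from the listing on this page.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\wgEe.exe

MD5 c93ac1b19d899753279126577924ff10
SHA1 c50502b8317eadd4052408f49fb44385a873e8dc
SHA256 6662836d00f971d5c7fc343e806c3395de7b99c1f40e2b08d714911733e10ecc
SHA512 229e67b0596119acb8c4e8f29a6b1bdcf8cac11cec4747533425058a01e56f7d89861474a1f8cf3d6ab58b093ab581d9f9552831dd7f3e00feccba01617ec5db

memory/4252-586-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Roaming\SetConnect.bmp.exe

MD5 affc67bd21d37e995058edfe205f81d3
SHA1 cc913060fccd6db69978c24a29638dd06bd8ed3b
SHA256 5bdca2b7bf747a95c30911d84bd54af3436c1ab8216464718e7d20da2ced4ce2
SHA512 1998c688b2a46de21386528e5aaad889f652fcff77457bba1308cde7b49d08f8c3ae2a895e625523fed60e350cdab1c62c277d94c6c499793244b39c0ee14cb3
"""

ARTIFACTS = parse_files_section(SAMPLE)

if __name__ == "__main__":
    for a in ARTIFACTS:
        kind = "memory dump" if a.is_memory_dump else "file"
        print(f"{kind}: {a.path} ({len(a.hashes)} digests)")
    print("SHA256 blocklist:", blocklist(ARTIFACTS))
```

Feed the whole Files section through `parse_files_section` and the raise on a malformed digest tells you exactly which entry was mangled in transit; the `memory/...` entries survive as path-only indicators so they are not silently lost from the record.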