Malware Analysis Report

2024-12-07 10:06

Sample ID: 241112-ycwhaszcrl
Target: 0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f
SHA256: 0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f
Tags: discovery evasion persistence ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

Threat Level: Known bad

The file 0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (77) files with added filename extension

Renames multiple (51) files with added filename extension

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 19:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 19:38
Reported: 2024-11-12 19:41
Platform: win7-20241010-en
Max time kernel: 150s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A
(Event count: 64; the report lists this identical row 64 times, collapsed here into one.)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
(Event count: 64; the report lists this identical row 64 times, collapsed here into one.)

Renames multiple (51) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\ProgramData\rkQUIEQI\casYQUsw.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\BssUIIQE\xAQwIIcg.exe | N/A
N/A | N/A | C:\ProgramData\rkQUIEQI\casYQUsw.exe | N/A
N/A | N/A | C:\ProgramData\WqAsQgEM\IOwYQAMI.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\xAQwIIcg.exe = "C:\\Users\\Admin\\BssUIIQE\\xAQwIIcg.exe" | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\xAQwIIcg.exe = "C:\\Users\\Admin\\BssUIIQE\\xAQwIIcg.exe" | C:\Users\Admin\BssUIIQE\xAQwIIcg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\casYQUsw.exe = "C:\\ProgramData\\rkQUIEQI\\casYQUsw.exe" | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\casYQUsw.exe = "C:\\ProgramData\\rkQUIEQI\\casYQUsw.exe" | C:\ProgramData\rkQUIEQI\casYQUsw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\casYQUsw.exe = "C:\\ProgramData\\rkQUIEQI\\casYQUsw.exe" | C:\ProgramData\WqAsQgEM\IOwYQAMI.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\BssUIIQE\xAQwIIcg | C:\ProgramData\WqAsQgEM\IOwYQAMI.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\BssUIIQE | C:\ProgramData\WqAsQgEM\IOwYQAMI.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\rkQUIEQI\casYQUsw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A
(Event count: 64 in total; identical rows collapsed and grouped by process: reg.exe 28, cmd.exe 19, the sample executable 11, cscript.exe 6.)

Modifies registry key

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A | 64

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | N/A | 64

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target | Count
N/A | N/A | C:\ProgramData\rkQUIEQI\casYQUsw.exe | N/A | 1

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\ProgramData\rkQUIEQI\casYQUsw.exe | N/A | 64

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2472 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Users\Admin\BssUIIQE\xAQwIIcg.exe | 4
PID 2472 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\ProgramData\rkQUIEQI\casYQUsw.exe | 4
PID 2472 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2472 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2472 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2472 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2372 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | 4
PID 2600 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2600 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2600 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2600 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 3028 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | 4
PID 2600 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2204 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2608 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe | 4
PID 2204 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe | C:\Windows\SysWOW64\reg.exe | 4
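The sixteen distinct parent/child pairs in the WriteProcessMemory table are enough to rebuild the behavioral1 process lineage, and the three reg add command lines that recur throughout the Processes list below are the tampering a responder has to recognise and undo. The Python below is an added worked example, not part of the sandbox output: it parses rows transcribed from this table (collapsing the four writes the sandbox logs for every spawn into one edge, on the assumption that each group of four records one process creation), prints the tree, and classifies each reg add line. The value semantics are documented Windows settings; the ATT&CK IDs in KNOWN_BAD are the example's own mapping, and because the report attaches no PIDs to its command lines, the triage works on the command lines alone.

```python
import re
from collections import defaultdict

# Sample path exactly as it appears in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe")

# Rows transcribed from the WriteProcessMemory table, one per distinct
# parent/child pair (the report lists each four times). "SAMPLE" stands in
# for the long sample path so the lines stay readable.
WPM_TABLE = r"""
PID 2472 wrote to memory of 2768 N/A SAMPLE C:\Users\Admin\BssUIIQE\xAQwIIcg.exe
PID 2472 wrote to memory of 2628 N/A SAMPLE C:\ProgramData\rkQUIEQI\casYQUsw.exe
PID 2472 wrote to memory of 2372 N/A SAMPLE C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 932 N/A SAMPLE C:\Windows\SysWOW64\reg.exe
PID 2472 wrote to memory of 1564 N/A SAMPLE C:\Windows\SysWOW64\reg.exe
PID 2472 wrote to memory of 2344 N/A SAMPLE C:\Windows\SysWOW64\reg.exe
PID 2372 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe SAMPLE
PID 2600 wrote to memory of 3028 N/A SAMPLE C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 796 N/A SAMPLE C:\Windows\SysWOW64\reg.exe
PID 2600 wrote to memory of 2304 N/A SAMPLE C:\Windows\SysWOW64\reg.exe
PID 2600 wrote to memory of 1132 N/A SAMPLE C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe SAMPLE
PID 2600 wrote to memory of 2608 N/A SAMPLE C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1960 N/A SAMPLE C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2204 wrote to memory of 2008 N/A SAMPLE C:\Windows\SysWOW64\reg.exe
"""
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# The three reg.exe command lines from the Processes list.
REG_CMDS = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
]

# (key, value name, data) -> finding. What each value does is documented
# Windows behaviour; the ATT&CK IDs are this example's own mapping.
KNOWN_BAD = {
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext", "1"):
        "Explorer hides file extensions (T1564.001)",
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden", "2"):
        "Explorer stops showing hidden files (T1564.001)",
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua", "0"):
        "UAC disabled, effective after reboot (T1562.001)",
}


def parse_lineage(table):
    """Return ({pid: image_path}, {parent: [children]}); repeated rows collapse."""
    image, children = {}, defaultdict(list)
    for m in ROW_RE.finditer(table.replace("SAMPLE", SAMPLE)):
        parent, child = int(m.group(1)), int(m.group(2))
        image.setdefault(parent, m.group(3))
        image.setdefault(child, m.group(4))
        if child not in children[parent]:
            children[parent].append(child)
    return image, dict(children)


def roots(image, children):
    """PIDs that are never anyone's child: where each tree starts."""
    spawned = {c for kids in children.values() for c in kids}
    return sorted(p for p in image if p not in spawned)


def render(image, children, pid, depth=0):
    """Indented text tree, two spaces per level, image basename only."""
    name = image[pid].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{pid} {name}"]
    for c in children.get(pid, []):
        lines += render(image, children, c, depth + 1)
    return lines


def parse_reg_add(cmdline):
    """Parse 'reg add <key> ...' with /v /t /d /f in any order (unquoted args only)."""
    tokens = cmdline.split()
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["reg", "add"]:
        return None
    parsed, i = {"key": tokens[2].lower()}, 3
    while i < len(tokens):
        if tokens[i].lower() in ("/v", "/t", "/d") and i + 1 < len(tokens):
            parsed[tokens[i][1].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1  # /f and anything unexpected take no argument
    return parsed


def triage(cmdline):
    """Return the finding text for a known-bad reg add, else None."""
    p = parse_reg_add(cmdline)
    if not p or "v" not in p or "d" not in p:
        return None
    return KNOWN_BAD.get((p["key"], p["v"].lower(), p["d"]))


if __name__ == "__main__":
    image, children = parse_lineage(WPM_TABLE)
    for r in roots(image, children):
        print("\n".join(render(image, children, r)))
    for cmd in REG_CMDS:
        print(f"{triage(cmd) or 'no finding'}  <-  {cmd}")
```

Run stand-alone it prints a single tree rooted at PID 2472, the sample itself. The cmd.exe hops 2372 to 2600 and 3028 to 2204 are the "cmd /c" entries in the Processes list that name the sample path without its .exe extension: cmd.exe resolves the extension-less name through PATHEXT, so each hop is the sample re-launching itself through a shell, and each relaunch repeats the three reg add commands. Every write target in the table is a PID that appears nowhere else except as that one parent's child, which is the shape of ordinary process creation, so read the table as lineage evidence rather than as proof of code injection. When undoing the tampering, note that EnableLUA only takes effect after a reboot, and that Hidden is a two-state value where 1 shows hidden files and 2 hides them.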

Processes

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

"C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe"

C:\Users\Admin\BssUIIQE\xAQwIIcg.exe

"C:\Users\Admin\BssUIIQE\xAQwIIcg.exe"

C:\ProgramData\rkQUIEQI\casYQUsw.exe

"C:\ProgramData\rkQUIEQI\casYQUsw.exe"

C:\ProgramData\WqAsQgEM\IOwYQAMI.exe

C:\ProgramData\WqAsQgEM\IOwYQAMI.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMAgIUYo.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWwMQAMs.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQowkQMc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQAQssYE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECswosII.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMUIMgwM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwMIQAcs.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\omkIgEgc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCsEMYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWEcYYcY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyMskEQY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYEQAQgs.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DskMYMUU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEccwQwA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JiQwMIcg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcIskkUY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "197548415956424273-128965524222569606568663567418262471729130860581075748553"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCYQcsMg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmUEQUso.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYogQUQg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "213993147211434857241503787221-15083672381735277059-2129839840-13270224584463977"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIssoIMc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeUckkcU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcMwsYAw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wiYckYII.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmcYUIwE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pigQwoQI.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWQkkwMA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "774073208-639019901-2089289868-14730482502020192435694089035-15167009911610979291"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIgUYEEk.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYckMYIo.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\peMUIoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1025780487-1705664660-14629316821379817270-1921610933630898739-1465465694-1527136285"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYggsMgg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EskcMIso.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1846770694-867643260-1527795854-15596984351697517757-1242959939-410369540-1246588219"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqAkIEAA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1195260086676234330-88068446257121933-816864382-2118315630677566991567801581"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCswkoQc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEMwwgMY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7473547551987394030287859168-5805156131685614233124371594720393531761564161297"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQkwkoIg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-669639820950285650-3488200141341276846-2024775117686307123361914935409205"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "398783209-107216546-597973874-1328537248-11916216741668612531-130049033671895446"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hawoQsAg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyUYYIcM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1195516031-488770741-735807761-14352507472046300027-2051699348775629504-330628691"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIcowAsI.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "977989680-1578095899-205439836121237660331456893095-497560225-1938721096141647052"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgIscEIw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1776719339-107635133719781013151968499081135560588-6096560553168131210746755"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1237128909-1464724440-13126518781412295886-1724022258-462536630-266509099547407053"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwoAEQQM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1248510613-1211931315-16693045531084817683-5926858811709775248-1801054132-1886342625"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-189500419-1286625719-282944531140341885311687535581936294193631695637-466589346"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10676951991466966204-1048872379-94911935770271113-738051118-1455021631-394132231"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1710112433-1010741889312000238139429489-1641461425085001949580540531248315628"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEAokEAM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16298659791551848644-2599594001354180668-18544373797042501-18503323282093083340"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KywkYgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1495132683398947838-155040584-3221735181992435096-717719759638815683-1217425388"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uacskYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "815603609-641147567-1862743447876182504794180379-35640637510125680-745075940"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1535582158-2015231965-804067807-19970799121708336826-5556767671425398811757280140"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ckMQIUQM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWccQsUA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1159041316129940690214152816811990806380-5035371115858404738538604801385118992"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "910768623-981148732740192699837181491876637816557230996-14424177651432486851"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwccUUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2030921830753488280-327194476899489559049389391046436290939895632-492128506"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmsAIMcc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "39955344113713160991317051248-1385310643-670922382142198958-1510918967-741653114"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2014708925-6659109771205449102-1591059486-1772782880-1241438393922568854-1915366253"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1675705414-851912381-16443217601441480789-76682516116146698781111990766265693761"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUwEsAYc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQssYQcU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11803682281605110532777221842-963043181890740422-20355258664148795761422921483"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4840835371407678741137357688-1168939563-1775621963-548219354317961760752681517"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "854642282-813807411-2131114020-1796497788342300426-11941052779067889801813581164"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2109613767-590730361507791570-1322445313-2004916382399619669936766661964214853"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksQYAYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1891562482-5898274741065142412151966590389524303-696416363-1853580951-661020291"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5431146771573712149275776417-1886444955-4385177071499325733850595727-1665892908"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mgggYgQM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "128881718789747918444981858-53523781-255190320-25448650477214464-1311054024"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1213390282-612985397-11863748901354811072452122805-692649227-4117961201356857500"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqIosgEs.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1012478299-810361461-1891558821-3729333031902223170-1939124734458084593-504834779"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1018095024-101778714481914348626600878319425024881143496369-430504269-382913621"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1220167501-372845043-16627691562110695139-52966743-382924110-303861567-2106795690"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqosIoUY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "146813763218619451681748846056-692836831-1449408271310124829-212984421781691633"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1644891734-959820430720584147-12305628552420023387000997691880569327-400137928"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1197175031-1713709297-5012211685035206981708428773643259266-144024401250809024"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYUwQUMw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18930748211752660252-9708727022114090116983779649-17744833791465917029-1485035876"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "23833193-1675205613980747872-614934854-982928387-349574022-2120921857597903901"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCEEkEQY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "321688935969583304-990688252-1350217446-1553422647-16109738021442416431-1791015500"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16444281362296411904666809231256146680545390920-829075235550122171-1706289759"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nagMwcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3616800901265259358-693875577-20639797341887459760-1908759655349910726-1614256000"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1654311608483948845-713262614500050712-1484750559-1262536314-2042086541124440262"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqMoMcIs.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "32386270411342339401994203121-183616868994469744-949051428711376642047802548"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqcoQUsc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "955031461956240739-561845708610527239-14756182561974906196783409230-1650283069"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1931681710-137444195234237068-480281107899614665-695896672-15789671111029113946"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1858431361827131525-2678800171213142603-63473684-658226161-676431542-188970656"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-177892206-174745401212424531872973092001087374645536983663-7734290441639511069"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgsMIsIg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-276752714-20623505842099136943-419378578-2043351471-1892100570-1630459980944615954"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-446403674-1733954680-1554573008-739004809-1440161923116222736-1331703768284984281"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2031300448-2059485941-356431716-1279847963-1544739245-48155737-4220189002088108193"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18087157971403886345-619223361254334728371739109-972342963-848763711-1177796281"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1107874536-49790058447333510-2027330843-2086308634910703946-13941718042111424665"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeAgsggE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2022262018-1861797141-1992150898-5124792241474222523-8706087471118859732-1050258591"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "797740831154597304216004666181837124666-1049877172633007469-1416982476-1669371021"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-242184539112824063177774944-8685547519620376036448965001023541523-923645337"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sicMgAYY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-408569169-243228951-665680845-19116486512118757359-1798336723-1026623228-1841234039"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGwoQcEc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1440568613-164427031-282631891196105577270567839275440371-1334474510-2142459231"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "921734007-16193117752004412104-66480731513301429921481405821291939093-307398572"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1931665675162154663180863911-737942481-1134694690-132980088119874384231456458863"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "833988091445027810-30919986415507553693972485371639167706-730747704-1639028621"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEsQgEAg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2118313821634088760-118720174113111761616287607651315046582245794987-1252908860"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "883334949-1824395993200323985512990928581013052067635343855-688209615-494821317"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1042573354456103377132441481012549998288600535619411047511246245182-673186910"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUcEkAYY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-878607049-637160480161431700-13544440022883513431704193512-1353908181107161801"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5467318711870589788-419788913-314660984197152033-150484936383096687290542584"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1215291456-1485259-1667941322-1446539456-881777559-3058103761688959942-79114420"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-142261717913001471387072094971098082481-170457745742328810410815072412122632547"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1485665257-654502639-1747263190-166432929916816149881686878338717519354-963420090"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17407658692060936548-1448003901-517395899145582577211924068-231981494-1163785183"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuIookAE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1960922581486643520-1585828955-2142455445708885204-471252042841020812-1873183993"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-887637378-225423621-16287720933677628081267336591-88124708-1472799249-1371115436"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp

Files

SHA512 f4a2247679c570a24e59edc81b50f17cc5b5fccb4e9d0c2107d7732d46cb88034e9406ab583f8a606dbccb69b9ea34275be43f8dedf68837516c7722d18a7129

C:\Users\Admin\AppData\Local\Temp\Cgku.exe

MD5 d11611fdbde754507ebd392cb1476f6a
SHA1 eb8b4c6b95b5bf5f1658c3fb82fe9cbd9e0f29b9
SHA256 d4f6fa7184447d3d07c8a2fd779a05cc18d8e095984f6e76f82e971522ee1f7a
SHA512 1c47ebeaf5569ba31797a6b1d7a78bcb0f21dbc1e3dbba26ae42cd0cec93ee5e48970ae78c1f8251cb9f224299671f78717042019e8945b60531a6d180ca57c4

C:\Users\Admin\AppData\Local\Temp\WAoS.exe

MD5 8ca03ff34a68e067b81cdab53167c9ec
SHA1 ee03f8f6dcc00580854d2461d7a8eee6eacef027
SHA256 05a78a460afb74bdb1a3e8c227dcde86b48359988712c4fb6dce334ba33c814f
SHA512 3f00832bf150162124d6d6fbee9ae2af568881ca0efc5c25853cfd177dc0775bac8c2ee6894706de0bf186490835b7cd30472182a8aa2f96b3e7a2761141e1f5

C:\Users\Admin\AppData\Local\Temp\YswC.exe

MD5 f3a0cd8ea117b495d7f5dcf561ca2369
SHA1 1ea2351fec9638bdbe209ecdcbc5de1f4517ee1d
SHA256 e750e39fbe9e32cf2ac984ed5cc7405e6559ed2aa78b986452f1f54953da463b
SHA512 d0e2896a6ba79121ee81e7f3f6fb24f16d38014fab1bf51e4a2208bf2fd56b78122bff0e2b67d800e48a2165e4a46aa32f98282e57c2e040b2ae1156b83177bc

C:\Users\Admin\AppData\Local\Temp\WgMMUooM.bat

MD5 999ace7916e9bc28b47c01d802b4f45f
SHA1 42e60ff5219af8cedea3ec4000af89da042da7f6
SHA256 8d29e6f9f24ccca79a2c4308c3c39df013cfa7b661ee69bfbd3ce1287b5f9eef
SHA512 a5a120fce308e4f8f0e9c4c6222b28e7d987e68ea76ce7e22ff3beb8157eff38595fa6523027b8951c0d367de111da71f1c5c78970677f6fc81617daa15f3cc1

C:\Users\Admin\AppData\Local\Temp\wccO.exe

MD5 37fba578e8bf7828f62442d97554895b
SHA1 b8720d9983f89e22a353ac8246f840b866167b8a
SHA256 49ff7fbacbc1816f473b72cf620834b56314035d72c48e80da44392add3dcf5e
SHA512 d1e088fc4ddde355cdf662dd25b088b15ad610b9f218d137b1fde0febd84f2bd7895392cb33e3155e8065f0acf1441f37f06b927af4394d935310f1fe645eb44

C:\Users\Admin\AppData\Local\Temp\CcQC.exe

MD5 f0b088fba3dc18bf28faea84588a2dba
SHA1 485ee17b78b575ba15d35503067e52d7849a91b3
SHA256 d82d0d92714fbf332380aec2e482195c3f6f7a37920bba41d421c1ca29f0e811
SHA512 c1a8924021afe46c5fb663cab663395159c07f957d810e6609f65937816543276e490c1ab113c43835ee66b1c0e93de07df0cb209124d7ff6dff151e07117574

C:\Users\Admin\AppData\Local\Temp\iaQkwoQI.bat

MD5 2b06ae0adba28c517e562b208545e854
SHA1 d6c90ff2a544a52a4a1034efd50004e3382d3444
SHA256 b630dff0397699d24c2c78fb0e28e65053be9582f9283b52b6b3cfeca0da79e7
SHA512 aec2d18e311ccc283264d98946b3e15db4351c9824ff6da367ddbceddf08798c3abf9c8cc3c9d2cf5476a9779bccd48a4cc4850ca871067acc6198e10ff930b7

C:\Users\Admin\AppData\Local\Temp\AcEq.exe

MD5 fddafa526f2413f6af2f359e25a58232
SHA1 e555fa6d14c9c36798e0150d6f15a815e44b1241
SHA256 bb341aace759dbd1efc83e2eb5de4b112fdb7604cfd269aacd7c38a66c304da4
SHA512 9fbdb9d8167bf05961f41d203282c924211ee6399476baba8555d42f8648a5aa2e45de6d5d66a38ddc8a1e6ced24819bfd70bf03e24adf06bd7164c623eb8950

C:\Users\Admin\AppData\Local\Temp\csAm.exe

MD5 1ea9c718f1f455e2759e8dd213ce108f
SHA1 1079af5e085ca46dd2517d07001a561b5c401e7e
SHA256 e58cb5c592e07a1308705d977965111e9040617ec9c09ee65083f0ffbc5a0b41
SHA512 1f58cabdb1ee61ca66d0038fecf9fe5dc460ead905354675b606a0cd1c56dc8eba39c6642124852cc459fb80079a880da15c1e994a1f2258a66c24d121212e35

C:\Users\Admin\AppData\Local\Temp\AYUc.exe

MD5 45e282418e0b07416756c69d52a7fc6f
SHA1 1b3df62585d3abcc30fd17d5cc86bf5ab783c687
SHA256 b6ba3b0d250f50cce97de9edbe78f5bd361946f27db7b8817e8bf13515fc4b6f
SHA512 2d197eac7e062752a226acb41c241b5b3a6a96bdf79537166d488cffac8b533e5de44f6fd8c46130f75deb1dc45f36d3f5ca56945045086193911f1d4da9788e

C:\Users\Admin\AppData\Local\Temp\ZisEgwIo.bat

MD5 63a6a871d40cc8db6e6f601e42150b25
SHA1 496f94809a45345e7e151dafa53e394a6c11978a
SHA256 1ff4b3be526b99579dc2a2420f40d678168863b95457a7b0a361a7d7e42c3822
SHA512 8f7ee2cf1176bb6d72b29f17e3a4a8e1c8c50c3b145192f281000c28f66c11f14f275e41779c646d589eb20c6ddffde30b7294164cf8d32815241f421494b82f

C:\Users\Admin\AppData\Local\Temp\ksku.exe

MD5 4785161254827d228aac996d17debc97
SHA1 8bf1235389374b8c40327a81fcc3f41d0898b5f2
SHA256 1be87aa7daaca2140af30f5c30ab5755efec931ab35dcdec4d634bb4439feb45
SHA512 cfce057be39e631f17db744b3e2b4d440cf44671f6ad00854c4a7ca2aaf254f3f11b1eeb2145e231da243f8b6d65e78eedf287c46c4314f4e52051690f19403e

C:\Users\Admin\AppData\Local\Temp\csQC.exe

MD5 3f8fb7beb8214252bdb6cdc4a3afdffa
SHA1 659d4b2b14952709deae71764843f59fbf59de0b
SHA256 1dc9c4d550a1892b1825792f1e4a0775475a29278200f00494ac80036a7abaae
SHA512 65bc9394ff560255d4b3b2a157b44d2ef01e3be9b8812609b53a72eb0bc9c0ef7a22c1287a537edfb948325c160d4374e7af0666327381f0c66b56cbad493c81

C:\Users\Admin\AppData\Local\Temp\xOscYwcs.bat

MD5 c09fa845362fdb3d87b0fff33ef0bc2c
SHA1 e1d14a9b9f0a2d867669886c4f63c499acb5874b
SHA256 e224c04c9c1ae9790bf7d160a7775e2b3b2b90c19f5b1361ebe2b5cc9318ee86
SHA512 5e79a9782f1d23b2ab008334906167f57e1e03a79f8b795e7db4046125549bf2a0d59e568bd65b7a0ce9807959e752056febf4e237b781bffdf4cd085cb6b936

C:\Users\Admin\AppData\Local\Temp\gkAu.exe

MD5 30f488db1837787e2019b2e3c5fab387
SHA1 96c5a871967f61b9bfb65b2e485f797e3ccb008c
SHA256 123df61eb9c9bc70e66820bc189852628a9bdb11b6f78aeffc6f890466ec8322
SHA512 077304137b1da602d40371cafb28ebb389d126ffddc467ff4ecd271935844c047bdb024c1b327816d5e4b4dacf8f3f3d853c8bb379bbe85c6064b7fe6b50fb45

C:\Users\Admin\AppData\Local\Temp\QoAC.exe

MD5 153b972079e4d6eb604421814bd299cd
SHA1 1955c53b29865e3ffbba061717204db10785192d
SHA256 4d1b9c127bf7b0833dca327a83bad4fd5a8b24a0ee53e2a8b08929130162ee94
SHA512 eb241d4ae6160537fe79db4cc1afa405582f6816669220427af03d2395c543fe233cdbb3a14278cf6387578e6dd5651444509e236b163f33ac6858d817d3ae12

C:\Users\Admin\AppData\Local\Temp\iccG.exe

MD5 d5c90ea52bd3e323aa729b565cb3ca94
SHA1 6a34699ca15ba323d9912db4dbc691c24ebadc26
SHA256 72a86a1ceae8e983a081d37fc777b5aaf553a5c38e797f253cb80b00f16c2def
SHA512 70093bb02f29f821c3593a1431929a7b026f5d2dfa1d872218cfc6bf1760fda76c35c986cfa6c3ed8a5f4213a11818948c2e3f07d4c38424e1056e39ddc2029b

C:\Users\Admin\AppData\Local\Temp\JIogIcwg.bat

MD5 dd70fa97e914ef7ad842b45c70ed2e2c
SHA1 ebc8268f8b000ce60fbf5d8e02f16fee4e225f05
SHA256 3e57eda8d8e691f3115224baee64611d8a3179bda58bfad535b4a7dec63892d7
SHA512 70a320a59c4b23e35a10577fda6aba5f282fab057abdbb9adc5f94cfc2ad984c9812c618dd31a42685e897b84cfa7ed6b7f29b79906dc2bd4e258598f774707c

C:\Users\Admin\AppData\Local\Temp\mwwo.exe

MD5 301d81b8df76b5717913416b39f8f45d
SHA1 bc6b942c6f7cffb5d5444febe1c6a78e437ace6c
SHA256 7a6b3e6c11573702029964c771ab9596790db6ef7627aaf615f6e15b67f6a38c
SHA512 30a6c15389c946103b9c1573e2f5df92d1cfc91ed81bb7913af909790f05c46d23a450f057ba5c062871b34b4a7a13850ac6780442190043ee5d67bb6d888ff7

C:\Users\Admin\AppData\Local\Temp\QAgg.exe

MD5 f2a8b22e8508ca863d7c29f8347bbc25
SHA1 e765aa023174ce9fa1c36b4a74e684402e98bdf0
SHA256 23e1f061cbef4705be66abd7ed6515162813afe62f34e5679be02729d2948396
SHA512 9494e96de2caebd96bb93133df15d9b496ac91e3df5a7e99c23c94871fdb8b52716bf51557933f5c7ae76d2678f7b7a828781d4e7e6657fcac10c2cb931e6ec9

C:\Users\Admin\AppData\Local\Temp\fKsEwcIA.bat

MD5 5bc2e57451cacbcefaa15565cf399e3f
SHA1 44fcb90371713af52cb934e49f055433e3aa7bd9
SHA256 f0a7cad6ba2b8f0012b582567018df5d945a00c12fe3027ceae1b8cba7278a09
SHA512 ab4edbf497af7df19daa876de1bf4f3b5675afa7a479fdf598be88925ecd75ae09be595750cbcb180dc00d6f8fe689c3c8a75a912890913b4e6e075ae1cbadc1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 c8a16744c2c500d08190c3025c6478cf
SHA1 05675a8f35aab36b14430daf4c4c1bac1eaddfa9
SHA256 8d8b4daa2e4af658bb13dfa5282e55f2532f17c984f974cf27c94aa2e5a792a7
SHA512 8321ec57a0bfd2b644ebaf745623642b3eeb2d0435db5c0f94532773a4a57ca36a786553c66a86b63fa3f0df0b35bd77016a2a2af02c48e44519a994776ccfe2

C:\Users\Admin\AppData\Local\Temp\YUwU.exe

MD5 f94ab469e09ff9718da39eeca28dcdd1
SHA1 ffe263e892a7eca726ad7cceece4afbd8937fcb7
SHA256 917d304944974d52d0b9b707a79770727e3192d58d1de65393e6deefe5adcf25
SHA512 8e43358fa71667583d229f425d1ebeb4dc1ce03f900ae945fc4e66f522021012093b73846e6e4a8c87b08856836bc066351ff9b468e5b7d7a122f8ca636395ae

C:\Users\Admin\AppData\Local\Temp\XYAwcMMg.bat

MD5 71118fb9657cf7737d7a1a118665eda1
SHA1 4930fcf480edc5dc8e749ca210da4b1c279ef691
SHA256 488071e5772768828fa172514e620ba24d36d305118645cf45b38e4efa443d53
SHA512 4d112559d80544cb0fa1a039132e21b5b4d0943e405aba53a5f79ffd4a2daa9befd591a9676a488590099ea84403d551457f8d24f39c2f4a6497c79156706739

C:\Users\Admin\AppData\Local\Temp\sMsM.exe

MD5 d125061fb10c68b897f309ce62d8a41a
SHA1 cf43992a646f3a11ba670282e3ef5783fcffc904
SHA256 9b9431bf7c2574275e50454f7899f63b9d1e3e2c8988d95269bc26a0ad7fac2c
SHA512 1085bb34a669d4a3e90825d217c83e590a06be6105d7732c095ae72b5370a4d2083b47a1399c6399a027d47cc061331618439acd2b77b906182c82f481687e41

C:\Users\Admin\AppData\Local\Temp\moka.exe

MD5 438de3e8e180a3c03eedd114139cf20e
SHA1 c3537d45fa7a36633805d13be26a3753a7d1d9d5
SHA256 7d2a3129af35e4a1e87f2b09d20826d4ac565a51f62ef21dd07f8346b7653f94
SHA512 ac52cdba843d1af3e14cd2c234bc4e8394bf52c84a49ee30ad5a87a740ddc72d2bdd851c768043846befee7a19585e1f3717385a378326cf48d53dbec46e7568

C:\Users\Admin\AppData\Local\Temp\SwMo.exe

MD5 6c56e7fa419a5943fbd0ff2e2ccc42be
SHA1 61d159a052edcac5e6707f9f14ad3270c965c647
SHA256 98ff5475c8c21738d7da6e87e9fa1f8337e1066135d423a2a31227844667a366
SHA512 e942aee43ca0934a942d39454ef4ca22efe67ba983a915b26946ca8af6a9efb51c4d348519c5a0d08ef9290599e6442c412f5f7318dbb33ebd40c800a7ef8421

C:\Users\Admin\AppData\Local\Temp\MigAQgsM.bat

MD5 198fc0251761b9cf40584f9b81a05a9f
SHA1 8948da9cd81a7576ac93f7afa24e70ffba0fa453
SHA256 0550d7483f526cbb3aa68c75796b11df170a8925684a866c19125430081c1188
SHA512 23d97bfbb7c8d840e0d0304395665dbeb6ccc20ae53d0e3f33e6a8caa2d6bef964c5044a6e349b3dd7f8167b041ae31a197d02575069cd434eb6330a9da869f2

C:\Users\Admin\AppData\Local\Temp\qcMy.exe

MD5 d5443e5a31d540d6198b74650360c884
SHA1 d837035a500226af11f48a16fb8c70c4210d4565
SHA256 8e1c324d1d9a9a5b80fe6a880fda1b074994aec1ad81c0f5e33b211e147e716f
SHA512 d3f23f27917612dbbb92a5d6c2d977e20e604db1c3677a1f4bc8c72ad02a0328b94c43c03ed8fced1e5aecf7543e8614c8a3fb2b0e0a4e8a2448de562365e636

C:\Users\Admin\AppData\Local\Temp\wSUY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\Skss.exe

MD5 f8b6b312a8b1c171e7cfa57e82e90c09
SHA1 84b486ad39f4ae6f4dfd643809f4af3271b8481a
SHA256 7f2279a1fcd621a2b295fd6bfcad0f1b2041534a00faab3a09bc38207331074f
SHA512 5a3b7fb939178ed1e3e7718232b1ababfefe190100afee5433d8a5ad7b00768a8a26c938665dc540bfcf81cf414248e8d17425bae637eef726592d9f7e40243d

C:\Users\Admin\AppData\Local\Temp\issI.exe

MD5 63126170dcdbfa4998592ae76458aad8
SHA1 0a3e3aab277355e015adcc7439bc70197dc40d17
SHA256 952ea02db4bed21bf50e823aef1a714de992a7b39c661794a85230167f5384a7
SHA512 de49bd7333b5b6e383e6bedfeb35d15d1047c13c9199d0ac8a85136f1ecd8a8753260495cfa363e3ce8d87d5c5022cf8a828629efcb21c11d034e32e150fd429

C:\Users\Admin\AppData\Local\Temp\uUUQUkgc.bat

MD5 f15df14d6fc0aa5b2d49d70f1b5afd7e
SHA1 4723258bc5ea35df3209ac4d23a18b9dbc2bf6b2
SHA256 ba9ebd0c7a98c9625a6edd6cae6695ba8b53981c513f979a76d7726f0299a5c7
SHA512 d3f516ee1aa7647d1d13036a7e36fa776c893cb214454e15f025b58f46f08128152442beb8d7040528b41fa537af55cb6f29fe33adaa5ea11bcd08394ea46233

C:\Users\Admin\AppData\Local\Temp\qgYc.exe

MD5 6886995bed779dca83d4aa82db7e37d2
SHA1 b8f01f434456c955d47aa4004a223f6de8372ced
SHA256 5a67507fb88f03fe9e42a83967ec4cd6330d0f9c8cf6f22fd0c65127c2cd21eb
SHA512 734c31e940615f8ea080032c7d4d280d71418d71398857156bfdad8ac35c92259a8248e3b7591a71fb3341a842a3f34f87b0fd400eb33f98246020353f04da95

C:\Users\Admin\AppData\Local\Temp\isIg.exe

MD5 2549d58b833020d0fb02e8118891d798
SHA1 2d6479e37d9e5d76d029662a89798a7cf12bb49c
SHA256 8a665e201dda789e543a2101164d2de05dabab3ec5726261abe1072c472325fb
SHA512 1b654fd40e952353ed64eac916ebf5c8f62a8104b4e842e07e6a654455f9abba3bb33d4f113cb645bd0f27524023e46f7d8a3ad21e30a4e6f6ac8f9be81c31e1

C:\Users\Admin\AppData\Local\Temp\MQYY.exe

MD5 01cab5559c25cadc6390f17401f344e0
SHA1 92c5ed5a8997fbf8e36cad65bf01bc72d4dc69d6
SHA256 28715417ea5ad9a5d835d816b6725c502f379fb906d3d248bafe26b3eda06de0
SHA512 2c3e822c9776a2f4899e140871b4ea0fa176e4c7ebdbc6c846ce7c18816043f4cdc3c6936a2d3d3540c65d2eaa7aeab3509500762a66d830df931199fa8e0343

C:\Users\Admin\AppData\Local\Temp\WuoUoooI.bat

MD5 ff5c653d93a1ebf636a28697760e5acb
SHA1 b91f6b2f5f460f5aca5eee314433cd1eb2ac8547
SHA256 cf37aa6bff7ccfc4066ddd138aa21898f876cc1da91f60997dc40c07770688c4
SHA512 aaf15fc707a3c16aca5a1a1d0e905ce90aa3e6697be266a5c6b32fe96b505cc00c28a923bc2702ee43f710bbcb13176aa20698d99a3c8e2262734e92493a5457

C:\Users\Admin\AppData\Local\Temp\Wkga.exe

MD5 a792b3d15d65f9f17faebd785193a15c
SHA1 c12968b865875a0f18ef6a539f6bd03d2dc19d49
SHA256 62d49ef522c8469c88c7cd90a823d5ffced1dc08d7022c7b1cc570bf6423dae5
SHA512 948478c3921d1f5a709be04294879c55f18f0f19acfd163229e94c2705cecdaee34fbcf4ce6c56b2dab78bc1c2c2b1b98091a6253317a527cc502f3de0b8169e

C:\Users\Admin\AppData\Local\Temp\EAMw.exe

MD5 e7809287c8f815b34694f990a3837095
SHA1 22f19ea2d18b7f98e65678106866ae78d50934e7
SHA256 0b904eb48ab12586005bb5b95971381976b7d031ccdfadff24d3bc4992629476
SHA512 e702d9d7eb6795e431a8f56489d1814c9e5914a6fbdb3e2aeb10c32907db179c32daf4806afb81cb90d0f9ce12351b9837815338fde1cf70bcc5dabedfbd5fc0

C:\Users\Admin\AppData\Local\Temp\oQYksocY.bat

MD5 39f2ab7d6d77eb686dcd99b1b40cbe31
SHA1 86f8f6e78dad36c3cf922d9770d1134b861f801a
SHA256 f877ae7ce2783ddef496480d173c42c3cf7b3a0653bf6281fffa5c1256b30fb4
SHA512 c298e0f38b540a1a6cfc1120c7019207d899e053e7aa154f93d23df6436dfe42f6c926b4c6ffc646e032a1a5071be39e8278dc5c971d0a48cb838f8b1a96fc4a

C:\Users\Admin\AppData\Local\Temp\gwIC.exe

MD5 8ea91233d2cb23682152045609cea584
SHA1 0337abb6fcad836684e12f2b7890ad973c6078f3
SHA256 2607841580fc5735377c92b72988a0ae6c27ec2fb7667885bab3df80a08ca22b
SHA512 2956fa9f2615ad34f9105fc3b02da04c59b4ebc25646ebabd5113cc395c13c99ac45f06c5fe11dc3c4f5811768c9f12db73bc6311feb17111c4c9477390fd6a8

C:\Users\Admin\AppData\Local\Temp\msUY.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\XOQMIwwg.bat

MD5 c3756492fcf1f4a6438ba2e123fb10cb
SHA1 44c46d7ac743cdcd813e39dddbb08e158981f7cf
SHA256 b50d4069562f8109951baf7806c9956ec8c84fd6109ed39a4c8172be8ab823a7
SHA512 f12d4c61f19f92ff48fd57c61ceb4d33b6ffb1e6a4f85f1aa58bda56363d9e5e251c1b8e182b51292d4c77f4206877f00084542de05c382cd62907eb6455e0d8

C:\Users\Admin\AppData\Roaming\ReceiveClose.wma.exe

MD5 84c3ccf33ef67759f1c49d3e4080178e
SHA1 16fe5e29684b9d57df57357e650dd59a500e0039
SHA256 5a44e2363b7ae406ed63ee15ae8b5cb550312a728cd13b9df0118537e9968ac3
SHA512 5e963e91042e118fe574813e28320823de38cd34ac25b925140b60004c08f167f1323f69c3715cb1fb06effefa1b1d70c927b38953bb170fe675bfe6a9722044

C:\Users\Admin\AppData\Local\Temp\igQC.exe

MD5 fbe0dfe17e5865dbf163de0417bc70d3
SHA1 b6c1485d15e1e4414d1fa40664e662a01a5043d8
SHA256 45b31bdfca9e529ad817bb59a4a6d6ecbd8deb15350c0b0459a40c65e1dc4d5c
SHA512 f53fbd31df4f784739b9466403b7b397aa85058e6ea4bbeef6fbc4a1ce5e75cae526d4e7467b776c86b416bd776d718b07f0d548ba95f3847b061fc9727f3599

C:\Users\Admin\AppData\Local\Temp\nOMEYcAM.bat

MD5 877b5240e961a91680f9a6c749cb9451
SHA1 c27ef1dd6f605731bf558309fbf5942f0cf4f1f9
SHA256 9dc6af95a9698390242c9b1c3030bc40d33aa3b099945245260fb7f6400b4808
SHA512 6d4f978523fa9cf90c48edd9c8d07e71a826520037669da26234e09bf731e1a033a0b80bcdeb09b5e9aef8b75cbea6334183799a3e1c723b0da39ce6db3baeca

C:\Users\Admin\AppData\Local\Temp\CUwc.exe

MD5 831f14a9c69c9195a3a58c02b1e1f5b4
SHA1 615ecce19823ba0201ca67a98a64a762d0814caf
SHA256 bbec15fb947e1e4b9ce4c70e3221f5db3a9ed096584dd344127c5ea12aa79099
SHA512 a9b96a1993bdb36d1dcb5322de97d77f76e35688f215a32995100fadaaf3b925df9a3619f7c036a90998a9c1e92477c62d9abfd5d788c3c06d8f86c98f410cbe

C:\Users\Admin\AppData\Local\Temp\SMQk.exe

MD5 8d9892f4b782566eb5266f902a8eec2b
SHA1 f35f80468ea4157736896ccaea4d21a1bf5230f5
SHA256 2e153c7162022f6d6faa8b124a81f29cb691c49f42e09cbe770ab1f1ae36c9b1
SHA512 e810c2249868bf030887a5708d503c42423d0f5b944593b573d8e6ad365f83b43e787e1edf70158585c19e7fb94aff3d0e5151333292832402e567724afecec2

C:\Users\Admin\AppData\Local\Temp\ZYUsMMMI.bat

MD5 987030ca5ba2d04f3ecd21ed16125ca1
SHA1 a019cbf897c99a546f74a39c8b3c64c97751d0b9
SHA256 e527810f270996bb26229a41bbd526008735cfc9a0f1b67051b868315323ac05
SHA512 3c35e6393aa0913702f3a5a9e11b8aca85b13fdedf6cf31fb1d9e8c118bd2a66a1504bff355bcff484b180a8bf0085b13ac3427dc915b441dc9e22fb5588f02b

C:\Users\Admin\AppData\Local\Temp\SsMW.exe

MD5 5d0badc1d264456c16ec51802eae5198
SHA1 02b1a2f4c8430c8e9de1863f716b881707e2cf4e
SHA256 c94d53162d2e0e7c3430cda4e795eff8f917888a9626120eaf22ac33511c662b
SHA512 230bf63e4d0b90071d0a1aafdb0ace87e20d9f6fe1b4a885faa62abd65f0685cb47dc85e61ded0b4d1b67b3b01f4036742791efdad2655ba6ef9a6aad32998e7

C:\Users\Admin\AppData\Local\Temp\xskAcsAo.bat

MD5 29dd14270921b26697c3bd2389177f2c
SHA1 ba36946a66a591cc2518d74c287511a45fd1ed99
SHA256 cebb544dc5ed57c87f58dbdc00fe75a9dee64c34e832efc85bf818e1f916af2e
SHA512 3a5ee7054f2ca73261b7cd62d724f682a4f79820af6a6d6a8099e32a37c3a78d8114dafabf424c51c67f6ff53ea89ff32a2fe15df974b3838ed559917ac984f2

C:\Users\Admin\AppData\Local\Temp\IAkQ.exe

MD5 2c0c4b90454c4c77e900e24c5e497ef0
SHA1 c581ae0810b9c5bf55a805a5344fd0786afcb3d1
SHA256 481983b8ba2b4a429e0c12e24089974295d5d1f24931ab3c9a23a242e8b118dd
SHA512 95c14beb46fbff7d6ecfe11d350cdf2bb1a7cfbbad252f3b2f7954ae748095554fbb49b38046f5a98418465eebbffb7b4d69a48a87c77dc1f3e064ba1264386d

C:\Users\Admin\AppData\Local\Temp\iEgY.exe

MD5 bd823ae16702a76a9096ee8d28ee0401
SHA1 57d39afbe7d4daab54553d85a158b66a7e7358cf
SHA256 95a9acfe445165125712088b173baaf796686f1a6a199331ab13b8ba4957b611
SHA512 376662ee07b4ab4a7edd10b9ab2ae94fb58d748b75258366214df0d2278f8e316a77c811e870e26144ee52ea58393a364a7000b183cdeffd35b0b4923521ed23

C:\Users\Admin\AppData\Local\Temp\gsgC.exe

MD5 98c299199e68d282a80b866d07d7d35d
SHA1 c73048f6639e88143c9d770469dbc4f63525e89e
SHA256 7f6543088c30b38305559428c543f43cc5235fa41dad9baa155e0ecaef779a77
SHA512 df57822885cba85a1d8d916d12a1ece0b25ad0e215d77197076c9ac94aabf078d871e0466b4a84edc3891a3145fc418fcebd5239c35a9b010a59bdc47c12613e

C:\Users\Admin\AppData\Local\Temp\cYsY.exe

MD5 2122a02fa4a6a08330a23f7022f653e3
SHA1 3f3960e2178581b384a5a31051f7ff2a40e23f5a
SHA256 773194cdf043dfb7bfd00196d15f0a3435fd05ab40b29aef458d29f9949b599f
SHA512 8fb3cec901c0bf2aa34c005fc872dd7f88b41b457b72e04fc80fe0c4b3cd167c1974c598ee071d1db7d54eb78651c9210c5d0b01c7d6c82f8cacc4b534d62a52

C:\Users\Admin\AppData\Local\Temp\fIQMsQss.bat

MD5 e15001aa6697ec7a8dce8c2f050651ad
SHA1 ef99e41cf9102f19645aff729b05117f54580fb8
SHA256 936f63387020cc8aebdbae47a8b1657e8e1ab0b429d75c6c762e1df65fcef85c
SHA512 68930f6c6e61d3ef75b74563d30f60c261631b78b3a9e5f3bb8a28efbf0554615304aef849cfd5d790afd95384de798d60bcb891975bf480e964af07b322497f

C:\Users\Admin\AppData\Local\Temp\AeAE.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\IkkK.exe

MD5 e5595ff94c27fd6f7493458f54fea347
SHA1 c768355360e388b9ddf838f52501543c5e8913fc
SHA256 85a2976f02d2807778a59c05cd44af4a4d0398b272c1b4efcba5b4cc047441c3
SHA512 f92581f39f88215db3f8189dcffeefbc1bb924cb05ab2bd21370863b1b9de98e681e892cc498164a0aa8f2df13f8d0d1716132fa7bd2bed1fab9258ea6c031e0

C:\Users\Admin\AppData\Local\Temp\cAMMoYow.bat

MD5 e513b2729ab304a3e10163a31b353f15
SHA1 9f29058c204b7b39979d66ecb9195b0c06f75e57
SHA256 6d98d864d33b9a254b69cfc1f292863a9a3376776119e07e380a250a36b1e0fd
SHA512 ba959b5c87bd07d160b659eb0b20ad88a3cfcc3cdfaf7a2da89d1f66ba00522937937a269f7d2b5892845bfae0ad54d0cae6599879dfd2615e3d1bf0938de7d7

C:\Users\Admin\AppData\Local\Temp\gIIU.exe

MD5 a6aafcbe915fdd017f1e5f10d44b5b12
SHA1 cb9d12665a0364f67f90a99fdc4d772683631f3d
SHA256 09e5eb620d0e7c09e08f582de631587d584ae70508be8f2ab6ee9f0c6e71cd53
SHA512 007ec2a3b1e16021f8fa936efffd568f23b034de12ded94cf9f60e553924991f23ef7e64bd0fd81a78e1439802225c41d007d597978237a4cd599de20aa7c49c

C:\Users\Admin\AppData\Local\Temp\OsQa.exe

MD5 db1260966de441fdadb91ce1bed51364
SHA1 2510f45a25b4d42072fc951670c999a15db2c07a
SHA256 667fc823e26edad7244b76d4e15f2924bcf17d6e9839ebb3ab9b7299953f0535
SHA512 ea15268b4817da9ff6575f3154148f6e444a832d2a2bd9976c9e7b5f98871fd0579bad15bbbde2b7e6e27216abc333ae2eda24dab296221a9a7d02f3fd8fb35a

C:\Users\Admin\AppData\Local\Temp\WUkc.exe

MD5 a6ff4d19645147da5ee31ee6659d4eeb
SHA1 0a98f2bfe23ccc9d301ed4cd9885680e549c0da6
SHA256 cbc746bcb5749e3034555e0b12dedbd1de83d6567fc2148a0ac9c6f9d2bcebdd
SHA512 e8cdb43b9cafdeee794ab8e04fc427af2d6995fc3c3e4153366c84fc5d476b39f77fa642b893a27d3662f7b6dc32ff0b59669bfbcbc7ce964a8853ec99760b05

C:\Users\Admin\AppData\Local\Temp\qoEAwEww.bat

MD5 4e250f9f160b62126ec720e69f78680e
SHA1 f81552320101071702782abf609eb21dd089766e
SHA256 ec8f9dcc3a2d11d3a95a3b85e005d922450d2fe03dcec5ed42b13c5b004e0325
SHA512 85eb1941c30c48e444887759377e0ff92833f386d3a255a958126623bb59f49367abab1a75fa7bf63cff71b20da16f4abc33da128ffe3cb24ea69f2bf5533314

C:\Users\Admin\AppData\Local\Temp\gkoO.exe

MD5 8e36fb28589551758d066e4b6aaa7e0a
SHA1 6fee33b1f8fad601768fe63cefb812ca553e74b1
SHA256 2172ee790d51dc9120658362701624efa7218e579f5fff7dd879cd879628151a
SHA512 14a02106d28166d00fad049fcfbb8180fbe4c9d5fa15e57c9b4efb56addbbb2358886e6cfafa882e646375c4aaaaeff1281b59ae19d7e5289799c8fef765236a

C:\Users\Admin\AppData\Local\Temp\coUs.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\ykoS.exe

MD5 bd52eac7aa01fb1f9beb7fddce085f1f
SHA1 c72debe847937aa8a2a20cb8f5b3625e93376573
SHA256 f6e2c372ee3d16f6aaba02e69094ed2dbb32bbe53f0e5eabe9faa7168155d431
SHA512 6430021d6751dd45242c7b8cd2a4edcd713651b64c66abd5496e83376573623be94536465b74047e9fdc8637b94aaf187021682e39fb62220f6b294644e0e8e3

C:\Users\Admin\AppData\Local\Temp\QsQy.exe

MD5 f4c5cba263e1b9ef37c0afe02cb32fcf
SHA1 91741b51e2863d6630e128b903429e52828da95a
SHA256 96e3322dfdaf8bb8aa52288bb3487efc2ad2e407dc239b44b8688b53ba9cc197
SHA512 b573f31642b07fa3124c85e0081a78c068e0323be9ef4914b52c1ff89c1e4b233a8d2038dc3763b68138e1a9e39e09d9346748e77487e23e3bee3bcf9adc8e15

C:\Users\Admin\AppData\Local\Temp\gEAa.exe

MD5 0895c35e99ed811f579724bf266774eb
SHA1 8e0d73c6c0310bd4f4fcb157c3989d72f2129b35
SHA256 74f4ae618e6540fd309c633d3ef38094933883b47fa727263dc4152838320cd6
SHA512 8d082818d84e7950f156888578dac6cedac69414862532db024bae85c945ac97550206723a452890bd24c941477ed3b969dbdae768ad3031a77708c8644b25a3

C:\Users\Admin\AppData\Local\Temp\cAIs.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\yAMW.exe

MD5 15ebdb241287a4e288bb72018a48538a
SHA1 aff5da31b5605a986be9ab3d7dab5b63c1684bb4
SHA256 b18657149c13915e7c837415e3e26119d8d2cd5d8c7d26a710a210f6ad62041e
SHA512 f8506c69233da0afd9c77888f87aaf17e7d8a1d9138176c016bd56f534a58943a72e6a1c7aef73ab885832f4089843b0650d16f4ceecbb3097d0e5e18acfc8a3

C:\Users\Admin\AppData\Local\Temp\Esgk.exe

MD5 454872b94f89a1a347cb64fe53161f08
SHA1 c8edc68bbae394caddea4610ebdb9b0d371e174c
SHA256 bddc7c0de5b1173a580d6a96433dd4d1448cff3a54d2689bfb94fc707eab4724
SHA512 ce8cbd497afe64f8cfb64a3b425398bfa735856d7c116ec8df8f5ead3e6d9f10866dc49cfed0800cdf81d83afe12fac92a428edf1f8dfd2b842c923d1407d596

C:\Users\Admin\AppData\Local\Temp\GSsQUcAo.bat

MD5 f22e25ea6b0d57b4c66eb5a1526697e3
SHA1 d03486b608c9e767de609bc759be85b84f67b45b
SHA256 a0892f44dd4829167e5086375e9f17323b0530d460f42238805db0296df18cf7
SHA512 4218226710c0c4051a6c53e103ac56ac8825948631b604a3c4c9877f8c560e1bafcd7c41886cc58c469543e840ee99903bb0c83f08235b5f5c585d34562afe85

C:\Users\Admin\AppData\Local\Temp\fCwQUQkw.bat

MD5 bea9e9756a90f0cf685dc47cd45cc2a4
SHA1 cd063fb8479d037978700e56af082f2485b971d3
SHA256 31a9333a79d053e17e55ad57fb8e578af28d01b4466dda6eab525de832f02e17
SHA512 0514c9e137519fa077eb8dcd8f6752a79454ef9441d9016962b3b386b18acb8943be7776164fb7b1db01a30854b4f39ffb369c35a8192adefc7f499cf184c51f

C:\Users\Admin\AppData\Local\Temp\mUIu.exe

MD5 cca58b0d276b0f4682bf8f8a741aede0
SHA1 c1a3a67373e0bc24be17b583baa1f8d22afcd986
SHA256 0432eb76c304f02a09690c0c46686e41f964c2e2736f2c901f443187fac3c051
SHA512 8579baf6ea1c2a40a0056cc29ced74f694e7977bfa10b2e2a806cca4b75981ed2597558771d158754c251706cb905ce52cce734c3b04fbc75a1ca4e2f20bdc7b

C:\Users\Admin\AppData\Local\Temp\egYe.exe

MD5 1d82fe8684beeba45836d5f95f8ec8c6
SHA1 53cab311a2382a87d8e7a0dd9c61a8cda78cbf79
SHA256 fcad9d561ae705d90597126582d4a90e7d33e01a2c58b430ef430944340575eb
SHA512 fc6598ca21973951e94ad8cb09c60c1989b14826e4de47fdaa3d781a43bd58cc4d6cf778c1a61f90f3f39268a261879338964b6c6efa7e95c5ad87db8256fb0a

C:\Users\Admin\Downloads\CompressConvertTo.wma.exe

MD5 2f78c3c8aaf3d838b8a4c56aab0bb724
SHA1 54ec4e54c786bd60bcbb0d3e3fe619e90fda83e2
SHA256 aabd16674aeee8afaeab4fb7f72db50c1d02daa8edb5376536d9398019cc58dc
SHA512 40da1334cedb5e4f031cca53a65f84639076aab7f955a2f121b9ff4ede985e8e469d9cf4f0d12305496ce56687525e7e38cb8a7abd677675133625ffa11194de

C:\Users\Admin\AppData\Local\Temp\fSQoEIwg.bat

MD5 2f19c61e026c82b05344f4e25614b1d8
SHA1 f46b666e9dcd5ea09d7ad73e8834bd5469e11b3e
SHA256 a1750499b06fe66037354687bce40aff5f4b3c4e936e227984e848e31e0b4697
SHA512 3a17cc251f5866a04e1e936ce13b0e11bd524679a4fe8bcf65ca3476d8ce24da8e89ed8bef08b674fcb3af85cfdcd64a7f970b2a3eb09ffa299a5b2b068432a3

C:\Users\Admin\AppData\Local\Temp\OgQw.exe

MD5 464475c5935451321eb7f811e6078eb9
SHA1 b05d2aa28018089548b567ee05ed4ebd87873a69
SHA256 d1e231a80f3e7d8357fed01c5fef8614a4420dd7d81f780271a6dc679ef4ba8c
SHA512 c9d6fd88209a71d8ccf24f7e05ed06362e8489f441ebe979530f6a05ba30c2e653cf7493528b4fe9f666ac64f02c4a79e9c90fa6f567dca0bb65aa62c0454b8d

C:\Users\Admin\AppData\Local\Temp\KgIs.exe

MD5 b183143869c423c0c2cadf05070eb751
SHA1 053efd391be1887661a1742ebb50c1e6cfb42516
SHA256 f667b06b8213f69860681a73423853d98d2b6ad71f0a59fd6bde3d838c97b2d8
SHA512 4dc26ab8696e3849e9e6f1fdbb578f17b87e2ebfe2addc2fb57bfd10e8139d032137edaddd53269168c8833de9e721f4b69b831ce922a16f8824803af9532bcd

C:\Users\Admin\AppData\Local\Temp\AEoe.exe

MD5 70cbe7542a80af0a70ad349a24f865af
SHA1 cb6397a3c783d5fad910a7912d08c090e1d6f898
SHA256 0af815c0b3841b1efaa137d452cb743c0f1e45101cd5a80c6a86095b07c14459
SHA512 8e2974f999f6a158af78d84fbc58831ef6c1bcc8e063dcb4a5e1a0815495b1f5c7ed4e14ec8f76419257b517e4c8ca226ead87a44cca1225596780211551d9d1

C:\Users\Admin\AppData\Local\Temp\GooE.exe

MD5 259d7ca5b8d3793b690af95b971ec345
SHA1 f1429ed7b3a021a18b070fc33d23484355708939
SHA256 29de3743f7deabf72156c7bf9567c94ee40a344b13b1d4b10827862c639aea2f
SHA512 95598f2f1ffa75b12f16c6db7a9a89ea0b8a61539f3157dd3d0474042d2294a45f8ad02d2e962249f5e4bf9b60bbea4be4fefc882792b3c51cf78d6b8ad109eb

C:\Users\Admin\AppData\Local\Temp\LsMsYIwk.bat

MD5 2610792b88b401c2d0cda48494f12cf3
SHA1 774329163e50621481e62c46e2cd3a08e553c55b
SHA256 d50b18cd678bc6ba10a1cc3e0c024e7c4467b3320541c04c2a5d2bf5b1b2b4bc
SHA512 b8fa5d6b704036ff040258e610139d28b20989c55d8cf43775a0b4365e30eaf6d8155b925fabfc8a601925a589339b7d73d9e45956c7b99e7ff1f0fbe3f98d7b

C:\Users\Admin\AppData\Local\Temp\yMEu.exe

MD5 de14ab711fa78b8a5e92ab8643656e27
SHA1 c3e7cea79622d1dae4857388b5a79c720763d8cb
SHA256 262186e1f9c426b53b4305284d5c01bbaa8835115c34f12d0317f843c40974e2
SHA512 88ba1382e783936bc07eeff554a15de2a68e757403ef9a7205816e7145989fd835fd6b500201391204c74548cafd349be1a4594f437d77fbb7160d021fe5d26c

C:\Users\Admin\AppData\Local\Temp\Iogy.exe

MD5 43405f4f0e9c3b134138eb2c98b6481d
SHA1 26e73f278273e74e9feda3387141ca1ed0f2a450
SHA256 66cbd91577565e5eae716ed8d5abfa4e917cb6dd1484c59f40cdfdbb118ff713
SHA512 fc132faaa74d09ac67be9f1b044ad1c18a3b4d23c2602e696f0511fb2726f5c9e868a3c78fb6e647359dffe57ecb056a97ec4bc8a4b262db724e77db271eac29

C:\Users\Admin\AppData\Local\Temp\uEIG.exe

MD5 61c8073b652d036456d5da6b923370c1
SHA1 f41e4940cb4f228769bb6117af78d85b2617555c
SHA256 fedcdfc67a9866db32c881aa2da45527f00b07d199141c3c5638c21ad01da0fd
SHA512 e0e952d3f1910b1c3e2fb6c41329e8da2d23f4167044650aabf84f77e8f2e695099c02120f891c6252bf3f3bf5bf0a77c06d22572ce0c8605e3fdbcebb948825

C:\Users\Admin\AppData\Local\Temp\OAoC.exe

MD5 e538155930c8c790df95e64aa02deedb
SHA1 053cb2cb48bd5e530a42f62adc6a9572804ede70
SHA256 2ed2b1ad787310b0192ff689671280b2a6d0cbc0882d21da6206cd61f3a5d57e
SHA512 4dba7ab242ff1a45b996154d342bc251db2b7e1cf4102abfc349e1fce860bc4dd3036b54f9af8de2a82629e3825d86fc5ba3aac4b749390c85ab9b708aad43b3

C:\Users\Admin\AppData\Local\Temp\WEgo.exe

MD5 bbaf1c26ca989d74b32fdce3b7976e65
SHA1 a79c0203f7232a9ec245b54f224aa7f456544ab6
SHA256 8faee4bf582f2481c5255f6bd1aa5fb783e92f454a07693489ba194804ea14db
SHA512 4e2bed7835a6d98db1d29b032d8d87e4dfcae86967fc32efc2c528099a2b1333215dda181f8f9f86d2c5a48fcf8e9a520b1eeaa874720041adf4131632b8f69d

C:\Users\Admin\AppData\Local\Temp\McAy.exe

MD5 f6548802e791173e50eecdc08fdf1d90
SHA1 8e89d46ee2f78aeeac871553493c733e93f7b9a6
SHA256 5217235d9dce70cc779f6bcbb9f12f5ed81367ca4af9200350526b52a89a2d80
SHA512 5c0060fbc97889262a409f120171b2cfe35a07f6c0bab88c6829c309574bbcefd753be5da0aec708a35ec4684089e837f69cfa3ca87da63c855d25d60e4f3496

C:\Users\Admin\AppData\Local\Temp\ggIc.exe

MD5 1a7c75b9f8706f25983f89612c980d30
SHA1 7ffde79ff00f2abf3a3e4f4c0212c0096ced4f95
SHA256 33176fde188e6a9c717f891bcbc9f202ed55448c3a7810f3658d9340a3ba9f8d
SHA512 3b15049f4a430b9145f3e42748f4ff806c27133acc2e3177309a0e4ebdb2624758816cc17cca477d28f452e3e4553fc16ae3dc04611760d320a22d5a4ec8faa4

C:\Users\Admin\AppData\Local\Temp\IsUC.exe

MD5 936cd1bd3abe0fef3e8c9936ac663934
SHA1 e0225c2fbd1da7de119fdc7bf4317de1538b8c86
SHA256 3eb4a6b473be1c7cc5224a318260ec9efc65a38b79b52f43fc78a86be5fdc9ee
SHA512 64586d0cbce4a7fa21e6555a97be755d1765cd898017250acaff4399696c09556397cd723ea5e35e266500e96822725486fffeff00bcb2f53061e48f78091ddf

C:\Users\Admin\AppData\Local\Temp\iYgy.exe

MD5 338fe030546f1a72bf16950cb50ba7b4
SHA1 aec988e5e1fc9875ad4a6dcce98eb1be649be90d
SHA256 c0c54f2bcb76c042afa8a3b0c5cbb0245c77ab4c14b1ec8fea01e64802ecacb0
SHA512 c98acb08c6e9a9ad88eddd41ce0ec272c4d28f8195611c37f55c9596aa1dfe255b8814551d09e9be6273208b1da5d09aca8398f185d823053d0dcb50bb11785a

C:\Users\Admin\AppData\Local\Temp\ugsQ.exe

MD5 ef5dda9fb784093d4aa404b0de8a5100
SHA1 ce71b6f547006feed9a2922b6f7c4449364b4431
SHA256 08e265a2b286a305dbe355f38eb2031d3afd36cd3eec150e9ca4e66ed6faf5ae
SHA512 a583e22cad36a87ec3a45f6beb5b8017fe21a60914917cb6a034a19bf24e742f4a64fdbf04e420b3426df09f606fdcac731e264e1de04c8813b1a4420e3dfb96

C:\Users\Admin\AppData\Local\Temp\YcQg.exe

MD5 0f27233dad24a941e2b6d50e2a002d85
SHA1 3b2c87327820224a171b92ab772e47fe2c0ffb28
SHA256 95f77528f6dbbc63b826f10754810ea4660915e34ce3983a3d406f20f8f7ec48
SHA512 d55c68d2f869b5e99fc9d0c9b173bc1e77ead4121122dff2c05fed98be38ac95bacf68977ac98a287eda96c91215f8acda531066a873fc8c8fbe567a1fd09a3c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 085356c84f4a93b84b3bb4fb09780647
SHA1 c1740f4d6d0847edfa9c6a2cf04d89f179cdf664
SHA256 83065ba38bad3e435d6a920e7063bff11c699e11c93e8fa597158c3ce8258e02
SHA512 3d168574f1c3c2684b8732f068491f9a5f60936ee1fc6f95a7dde76f8190919370ffaddb4959986e1cd0b0c40b84ecb44fa1f8515b999ad6e11451adf1a6e527

C:\Users\Admin\AppData\Local\Temp\ioAI.exe

MD5 ca31f61e17bb5cd0bf6bfe4a192e018c
SHA1 4dd732a640c2df87de8c6d7cb7aae82e13210e2c
SHA256 482e8b971d34c79635c37aaa0c7a47615f1f299c67f7b86198f958f9169b7698
SHA512 892761dcced046090a9697cbf5cce12076dc3f7d8b2a20e300b1d5dfa7d62bc2a897118d457e97d7aba0ba7df270f2d4c6d9b98744aca1ccfa10deadd4e1fc4f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 5cb3f3625a5a571ff67ce140056a39f3
SHA1 a16f343a9a8176852c35b9a73a8b27a5b003d48e
SHA256 02c864bc46fc7e159b566396932645af93e68256bda9a9c96f701b32a2e2a95f
SHA512 cd77c57d53d00a39effd412c284fae8d5f6f6126eee79224e725a3997de015268ca4466b825d7df0eee03eb873388087c9121406f0e0222e27b42916ae160b33

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 a133d32b86aae016af35795788551592
SHA1 471a569ef9bd44c25dcfb75f8206f9c0ce5c31cf
SHA256 be027997b230f5e92a6ec45d89aca2da4699ceb97ef84e4e7f5b739e2431be68
SHA512 9325f4af4cc85e4adee755f2b58f1684f41e1e21bd7156a6a72db8bf824f0e1b301eda5d77c5f0b46c2c524e587343bbbcf477148d8e736b38b299574ebc72f2

C:\Users\Admin\AppData\Local\Temp\ksUw.exe

MD5 80256f6d5f34b1b24d9ed482b38f536d
SHA1 1e6e4fddfbbd12f00a16032a78029a1ba2330e24
SHA256 47ceb0f128455b11e0fbf57ca63f660fc663444132cee5ee38c8eb7709e8fe28
SHA512 77880d6f7d74c17b34501b880d283fc6344225c7dd07efeffd1bc8c6197bb5d3c0cc7d0931352fd0f67af48287cd24b7de1b5828f4b500c2afe48dc96b837ca2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 70b1a815ebea1e4f8e7d95b98e53801a
SHA1 366c82f29bd0358cbfb78402982d5775f0dd5eca
SHA256 dedc60f46910064ede7a0e08bd2bb1dc0d3170460ff1340c96b49cf8d277bdbb
SHA512 5ea4e390ab8f9887ded1a5937cda55f8a60bd4426b1bc39498d8e7562154f30e759cbbe659f898635bbbf98d9e82312b5125a73ada6159881d2ca51e6678d654

C:\Users\Admin\AppData\Local\Temp\wwII.exe

MD5 6026227fbb7db51dab2ce276bc1fc46a
SHA1 5d05eb2fe846a04300bc84221d2ec3ae7f40f380
SHA256 a1852584cb0a758a1654230acd8ef6d466c1e7e3c63143f65df44021029528af
SHA512 59dbaf8450ec3e5f61041a5a1e56306e655c42893267f60d434ca7f7cf34764e690af83cbce8c996ba77723ea9dfaa9c6a888285cf9d19eece3c208ecc037f7e

C:\Users\Admin\AppData\Local\Temp\oQkm.exe

MD5 a47a39f2636963a299a5046e208c08f4
SHA1 3f3c5fd8e3344456a58140b33662c53b3cff8a6e
SHA256 1a8d0248c70e3bcf452b83a522cea7c7d3d08fd682f538f1a8d0795697393a76
SHA512 9bfa7b858624001523eaf3b6efa4db98a29c9e3b697b4c059924c77f77b262c9fd7816be637cbffe8ca22346d6d05eb4216acf987cdf7a76a6b7f59add14a039

C:\Users\Admin\AppData\Local\Temp\IIMs.exe

MD5 c603a39bc8223d1bd7aa32bd5095705a
SHA1 df04d101d0cf48e55226c5daee297af11cbc334c
SHA256 51db27f42c289437b2aea59080ec7f389f18665550a340d8d138a9901a03a18d
SHA512 40d4de906f5d6613d31aa36e485d84c9e7a6f948c3ee04c1874ac1ae94bd4b363a13fb80748b345459d4198c80253fb43fb22fd3c1d67e600d995bd65ff5202d

C:\Users\Admin\AppData\Local\Temp\IsIW.exe

MD5 b3f4076f43ff199603c0bf1f8349e864
SHA1 c78054c7b568b443be0d44c66283bd255a5533f5
SHA256 bb976762c95eb45371e3aca5b7c581555a03da76356ab2989824cc8afcd47813
SHA512 f1422e2fe12aeb8b2bf15e05bb0dd6b278995f71579c9baab762b49e51772d5c3030ea706bf9721bd984b3433732103e0da024b9aa6c725584021596d13d735b

C:\Users\Admin\AppData\Local\Temp\Eosw.exe

MD5 dd7fb5eb227814e669f95b2236cd2735
SHA1 58f2a75e0cb0a82dbdcdb2098ae51346e06d6804
SHA256 ee20050594788930754a9eba9886b0339ddc6a7e600f3079593f95978354a5e6
SHA512 28986fa511a65f83e63374e09045fcae25f84d88b5d2548ca8f889452e11e3181fc161f680077561d7beb4a21806b75df4f41595d7a4b001824badcb2e02bc20

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 274b3d47f230a01e2a3c84ccd1df3c04
SHA1 e80cbfd0bfbeb0186ec88bdd1a7fe12bf7fef160
SHA256 f58ecd81a1755f0305bfd775829a7b2874025eed9addd3c1367b6e0083072e7a
SHA512 27fd55211ace2fcfcb8331d5bdb3a222874ecb35b14febeeb413d99b345071c5927d130a9fa0f5e29cd07a118940904c71bce1e6dc1bc343464432eabf89b353

C:\Users\Admin\AppData\Local\Temp\CscG.exe

MD5 cee30c7159f51a2c18f9de1c2cbd4a38
SHA1 497a98ecda86af562c7c3c1700fb15ff5177f78b
SHA256 7c824ff8bd4dffd89a9f0cd7ea93b6051f53ff03531cfa6b6a255c449cc13b66
SHA512 a888d2bff63067f63691754bdb46dc139135ba1410fd9d6b68754a24af72be42e6802db2538b85f63ec07555519be18afab1181bc3b486e261fd36eb7696a65a

C:\Users\Admin\AppData\Local\Temp\Mcsu.exe

MD5 7d33d9e16e3b463d494ad241480e5ec0
SHA1 82367edd39f38eb0cc9691a6240ebfe2b9feb996
SHA256 71938cab86127c5021418914453b7f6de912f687910ff16d0678a7454085e511
SHA512 f60a9309fbfdfdb12be5620b03ac3e989116a8565c9f531309625cb9274af195bb45aea951df618799daed31f68f673e29fa6a2ae0a9605680802bac69cb2084

C:\Users\Admin\AppData\Local\Temp\OIMO.exe

MD5 be65f050d7e1d67a52a53a8d6ddf0900
SHA1 89d24ea80670509ba856bae2a8b8f6bbe0ac030a
SHA256 fed7e18626f3be4a36cc0ca2ff5438db8f02427a43d1bde543561c23e9e39b9e
SHA512 63d3d989e48e14ae7e84f2c55fe7d81a6844e179dc599bfa81b04b98999ffb1e7f5f73c4a27fda1e463890984d433466112fea0727085de41b88a30f644f16f6

C:\Users\Admin\AppData\Local\Temp\IIwQ.exe

MD5 e9cf34c851ae66aaf3131dde49850e6c
SHA1 37d875ca781331a09abf31121f28c177585c9aaa
SHA256 1a3136f7b278b1178584558c56e8f2397029f9876b2a4533afbed4a4b2e863d5
SHA512 d55793d0822fbf09698def6e5c73fecf401a95e3b1104df04aead5af2520f1dfa47eff7b8cb4a1393f13fd11de57969fbc668362546cbd3591c641ef76e4d6e4

C:\Users\Admin\AppData\Local\Temp\IEss.exe

MD5 cb15de18872c7629e3271cb566f49a7b
SHA1 9c907a03d7d18fd60609bb832c02a421e493c116
SHA256 07165d682be4f20865580010fb9458853cd64dda08be3288158e74768977d318
SHA512 75d7fe85917a23ed0ffd4446153c67813f95026428dc494acf3b6d4b7dd36bded48ca19eb79b4615c3a3ec3315769933fa6e9efe3daa1a14366e568c7c85c648

C:\Users\Admin\AppData\Local\Temp\OsMI.exe

MD5 e33e2ce7007e3afba723afae0b6b8cb9
SHA1 dea21d684995c813e0bb53bbb300994165e9bf73
SHA256 530568b107d9e08a09ac0fd62f88ea5ca426c7cea0a04f4f0ac1ec63c1499f64
SHA512 16cecba1ebc12d98e885658d69e6b8069b44c70c8ffdf43e94246bf9e6dafd07a478f17001a3e36cbdb14108807bbfb9e5ef46229b057f154d3dc29d7b95fbf1

C:\Users\Admin\AppData\Local\Temp\mkAK.exe

MD5 54377d9bb411e53fc7044d14309722be
SHA1 e1b86e8b362c4f07e4a23360faa080d4bbbc0c72
SHA256 4967dd9de4c48294f164a6a4a3534eb0d6bd5428b9f72c6391e3e2c2732caaa3
SHA512 e1fb8a7d8c89e143a4e06d12f9614251d568624e68266c86c3bc0f01fd4e227600dca18281137d0c9bcb8a2aa3223f428cda144423a69643e46e11bc7abdc7d1

C:\Users\Admin\AppData\Local\Temp\EEUY.exe

MD5 38f247bfb05bae8e18940a3c16b6d36e
SHA1 4e7aa35fb6fef47ea7faff32fee3d3c14bea26a6
SHA256 824ef3d2268dd6e7985651e252d3acaf45b5f857c7ec20ffa5e18178924591de
SHA512 db0fedb8497c0ceaffce7a30bf78456fa149d4f722bbcbafa8d658db3c514455771519830aa90f0eaecf41053bdbb78ddaa6351e0602f16a2aadc4b429dcceb4

C:\Users\Admin\AppData\Local\Temp\sIQK.exe

MD5 078ef91b63f57941911d5f4e46fe097c
SHA1 e78a806d0eab1c9bcc58b605b1daf3a2f630165e
SHA256 772a6e68b55ec13234ab3053ba86071eea2b13b3a693b6df38586e74234b2622
SHA512 7b526da3a773d6c5fb9f959ad1132e1b3468bbba1b877aa398dc2d733a704191433c628818698a3552c740862530808b7aa7b59f798d3933d31372a5cb4c4a24

C:\Users\Admin\AppData\Local\Temp\YYQO.exe

MD5 60f04ba201514417fd27bae9a4e60f9e
SHA1 fcc28e5ff561eae6a5f30e62f6da6d9af7f88699
SHA256 2ab60b37542597331cb6d30ef8dd62d55f780dad9d7d91d02f7257c5c1b6d915
SHA512 f26c3c28f09f344ed512fb22758fde4524bb04423f582e32f05938c3739b669fca308b655a75cacf4341f4b8074f18a090be22db43221359f9a68f04a1d6ee5d

C:\Users\Admin\AppData\Local\Temp\ocUm.exe

MD5 166918cbc6ced9fb3577b72d3049e26e
SHA1 e198d68440f8247fd36d58cdf9c23b0a8408c886
SHA256 aaf19e87c921317fd5aa46a50d8bc7a440dd1d5dd13efe36f7ada112f134022a
SHA512 9be7b5f42d8d2167b64755552def6a166ebc6beb5c63ffea33bc8639077bef1a19636ddebb7312a1645f4f4ec49cb82a582159da2846881828c5a5b82aeb4349

C:\Users\Admin\AppData\Local\Temp\gAIY.exe

MD5 2407b9e549bd283cbbc5df6efee040ff
SHA1 c0350dc541bb80f8697959547fb6cae7d0c4673b
SHA256 d11cdc4b2b085a20eed038ba4b01873d55d320bc945975060a0975337d62b2e8
SHA512 5f5c4233c4e139fb3218565965372fb0944acc11a9153d719e3ac2030fae9acc7fc7f7cc962d2836577f202c769d9e0578dea34e806f6d2146d8509c9f0a4551

C:\Users\Admin\AppData\Local\Temp\IwUq.exe

MD5 e728ac5aa549e8f40ca51e64683be91d
SHA1 aedfd74707034b528d36f35607249fca0a439d10
SHA256 283c36f007fd23786c05fde55c21426960e7d7cba877408d30c7f05e3bc27659
SHA512 05dc1d9a0ff1fd3aebf4835937b612daf24d43950be4356b0e009c0fdcaca961e717c00e0ce45e82edc0fe4998da37458f5c84ccf7080f0b4e56e47ad31b296b

C:\Users\Admin\AppData\Local\Temp\yQYA.exe

MD5 fa300676b1dd9b80c5cf3ac1346d82a9
SHA1 b410671e83cbf639f951d96eafd63fc7509c5ea3
SHA256 ed7a25814f224557c26a75d725afdc00fffb100d2a08d3b1560a49ad1cb19ed3
SHA512 7ca6598db784bbe717852e1c2b38cefea5b0445401a0bfc676946707a26e80d3b672eadccd17c22b32b4165bb28de8f932b75bf7c6a735cc13c874c9bf5f73b4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 c9104af620cf47675b206e8820528ab5
SHA1 b95fb49c364ba4589f6fafc54faa2a4bf014a847
SHA256 ccfb4bfdafe6a50c6a851f6c3df672bae6b576fbe667d9a4dfa5ca7131c14192
SHA512 a01d7c804a3b6343e0e1eeced06231a35e0020d82932009c068baea353336f7efdcdaa29030cc7f98f46cecbc74128118950f1e1cb1b2d524e056533b11c4288

C:\Users\Admin\AppData\Local\Temp\IQgW.exe

MD5 d81f2aa279ef9b4f9db475c9220d3449
SHA1 6c10e717ba641c36594eb12e111ea6a154f430c4
SHA256 407efab957b73e29f887e9f6c561d66f61c08dd995652ce23fda715954ea6dc5
SHA512 bec9ac65545c1d73c5805eba05f1c8a3368d088ddabb88209d3a0b371e56f61e33115b19837b668972c60877ed38bac16faff849ffe7407a536330e1bd3fd86c

C:\Users\Admin\AppData\Local\Temp\eUYo.exe

MD5 61411c076b251cd2f34b3723ae3b8f62
SHA1 a61c6e4126cfbe338a4f2a904fec6e414ad6c6b9
SHA256 c78efd2558ec4092cede28705be1591dd806e26e229b26da5fb2e36b5318289e
SHA512 1697fcd7051f18b9b4cc984e30dd9b02dcad192651311e0e1ce2033aceadd59df8caae94ea9a2fc65548f045af011783847bed8d93cb8d0638e277ca4e36a435

C:\Users\Admin\AppData\Local\Temp\IYAE.exe

MD5 ecbe6030557c878455fe6fce7888a0fb
SHA1 4aad74dafdfd01e2a1b804b166b98325bbc822c2
SHA256 d8c640288451312547841fe097b89433ccb174849d92b2c8dddfa7c080d4b170
SHA512 0273c9657d9df5c0c825c12b0d03c5b2ad8b2743ebe4b4aec8050e202609132b7ed09e3e375bd98b5aaac11b2a07c2ee6a282971426f337a08d2b859d65ec8bd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 84cca3bc60975ca40bea1019c8281ed0
SHA1 c69079687ca3a5404b94536a3271a04ccc33eb4b
SHA256 12106f2f77aba031c379ec39537c61259879a3772c71c971eddad9abcd993c0f
SHA512 4a9231a4fc4baf0c59bb507b81a24d07866231234326f35934c5b5316ce20bbec423a5dd2a84b22f91da56e0e47e22bca7c1c1944b6bc23410993cc822fb8e09

C:\Users\Admin\AppData\Local\Temp\cQIQ.exe

MD5 7e0bd0c539c83201faf5fb21beea9138
SHA1 ab8ada96e63d585981ad3fbc48a4ab0a3b11325e
SHA256 697026f105cbc608bda47247d6427047a9e25ace7eb50ac1b49641a12ac60794
SHA512 6759089d2427d21782bba10114a132a96a7e904bd3efb20b2713df5a4c9361bd97d9d679bdfe5419175ed377ea8c871172cef96a0c07ad811b17a341bf792569

C:\Users\Admin\AppData\Local\Temp\SAkA.exe

MD5 b88de2277a13bd07ecdba5a2a3998bf9
SHA1 4150e226a97a2374bcc40d121699779f9461bf90
SHA256 86b0d906a337541381b224ea135c299243c179a6ffc2010188809a66f22cfe94
SHA512 b693ea635ea97f7852eab0b2167cc1d235db252ba8e57780437dc76b4063c7baa898e58c080f17627ae9df58a5b0065b08d4a8f56fa14de9c95e12410db30d74

C:\Users\Admin\AppData\Local\Temp\kwMw.exe

MD5 dd1c9489c02d5f55b56c060c09e18281
SHA1 cf73549f723735e649b2ed18503cae7d9325fe85
SHA256 ed6a1a4c786befb9977d2aa96fafa376a014ca6e53f39d40ba6dd5b2b6d8f67c
SHA512 4601e728b0a63b899cf4be1227888932873e190348b7c1e0f15352db2a0b71c83c6a3006cdd01a1ab4b697fbcca7cfbdc02e2427485ad2555767e900b4ad2a89

C:\Users\Admin\AppData\Local\Temp\asoC.exe

MD5 f06b750d6a22c3976fe6bddae74691b5
SHA1 b6fd078c9972c01c5e2a7e103b8918f5dcf7cc9f
SHA256 13b4758737c357693c43568ff9721b4c5f6ee10a6b17b5454de366afbbf0a742
SHA512 e733d901fbbb66db289bed67cc5fd03accbac489893d8fd92dab9eec51719627061aa9828fb258eced61ab59c2cb74ad98ce59784c66938f13c2092cda2feccf

C:\Users\Admin\AppData\Local\Temp\msoy.exe

MD5 81324e3a973279e57cb8066199592274
SHA1 37b0e3888b13b667131400eaeea60a57c05761f0
SHA256 e468f80db3b4e908df6aacafdbc1e80f5885a84984cf649c4f0b21852f6cbf90
SHA512 61081d5755fd27c33ac766414c52f4d18567dfd2f2bfaf7ce60c9969ec35f2d07e7b2a4ff1c5089fa5951f91d41d80a8124b8964ea83f7b174e9f74a7546c4ed

C:\Users\Admin\AppData\Local\Temp\UkQy.exe

MD5 a7e8d7371632aeabed0cfccac45009d6
SHA1 83cedd272dae9caec4f2e830c5ab86bad3b950f8
SHA256 a209a9c309a0afa05a24453aa82429b3399acf72fcc863bad5cf3274da9059eb
SHA512 924caeaeaa0afd5014224618d316f3a7a1a1d32d1cf1a305e020d108385aabfb68e4cf8e183eb8a2d1cd0c46252364810bc8885aa47366681ccb66b514c0a956

C:\Users\Admin\AppData\Local\Temp\gYIg.exe

MD5 000f153a5b2cab4ea5b50b5c7cc98d3f
SHA1 17ad9eb4bd9b32c8b5c8b5ad3728f9f6f6c8ce37
SHA256 d66eeb136e91d528a526ba46821e4792da014e9dd8f2feafb93ce82afd904426
SHA512 0ef9f6c0233a5f950f65e511a1bd5e668766358d2789c274c53d1fbb30e964f77cfc06b076b1ba98cdf40fba1eed726b5f808bd4f61720377b5299b7b311da88

C:\Users\Admin\AppData\Local\Temp\AosI.exe

MD5 4756c1fbab76bf0a058c6f0f3227b457
SHA1 4b3e61177f16e1e50e15c9d5e7f0c0a8913d83b4
SHA256 29d1069cbdd4a7babcb9f83e5a221e9e3a2bdaa247192e8c08c97afd64a13340
SHA512 ef4d833f78352902e8d413ca74f3f6483b281fd396fb255c87e36c60103ba5aa5c1796ff36129305afa0e7959d3b77590fe6ab711c692f3dfb6ef57dbc3367c9

C:\Users\Admin\AppData\Local\Temp\eEgo.exe

MD5 784851018da2010b4b5a6351a1df7ee9
SHA1 a39bce12942d83ffdb7021afd82478c854102069
SHA256 bb36d83cae4181a34444dd107e3836f52572d35212dc8bcbc38cecc54576f5c4
SHA512 4655824ef86a88396cbf013d27287d52f0fcd7b96304a96996126e7593ff6c3775e23e2ea20586a258c083f471acc9c413b6d9b3005f254f5a6e9148cd7319a2

C:\Users\Admin\AppData\Local\Temp\Swcw.exe

MD5 02bd1f3ee245cfad909112cb2bbf72e6
SHA1 cc1e7d75f7f5b7d11dae70e9a4c24a469f532f23
SHA256 c4e337c008362900c215c710a45aee97d48aa879b07a7fd5410ac5a0758ceb66
SHA512 c4531fc80b94a9f9d1af1dc8e32a25fd1a4fe67fa94abe82ed426b6c2488f513dfe5a227c6669d32d511cdf2660928eb511a25e079f55c94b27d3c49fb9fdc19

C:\Users\Admin\AppData\Local\Temp\mUgK.exe

MD5 73850f7ecde3e187812abf0bf172ae22
SHA1 c6eb31485f84fbcd1e3ebfa15905c8f5c3edcba5
SHA256 9f2928a2b49dcaa1e05b48a1ea395b85de1ecce1f95559aa933ddfa48357d930
SHA512 63c5e7dc35fa2796bb4e9f206accc0097190ccb7577d4a4f67abd6e27b7f563a30686a9d3fe24b83a74090c4087c2dbff9f9b4734a0fa5c13e4edf7ca62200f9

C:\Users\Admin\AppData\Local\Temp\kwEC.exe

MD5 3909791e9133d0e0c20b4ab55fa672aa
SHA1 40a0a0c59518af16dd91bace08ad9ab5cc966295
SHA256 5980493838af644344d991ef0517bca65a8e089372cff4420cd9b78f8c043904
SHA512 b2be6ca74cca0e86104a7ca530b57694d2a8f4f565216c8a8b5633f6990159628f26dc6386813cc86ba9bf06b7ef5b22cdb7dd2034118154faffb4c45d764c95

C:\Users\Admin\AppData\Local\Temp\QMQU.exe

MD5 256099699db4b006d4103e8a42c95aab
SHA1 176a57ee4ce42078ec92dd93085b687862f31957
SHA256 2d0f1aca897166ff1abdb77dbb2d5b956195e4c873c1f03ed510f163ea0740c0
SHA512 2f8e2af53e3fb0a7fbbce3586eda858191ac308c1de81e94971d92669a91987d0c302a5cade20a20b19d2be48a82eac6c319ec4887e76970864e23cb8f1afc9a

C:\Users\Admin\AppData\Local\Temp\UsEC.exe

MD5 1a7945f0ec44e754aad6f3cb7ff78712
SHA1 2904e89674113de4e529fca9d8c0169786ab2131
SHA256 668cf199d175a8cd9b900e6593bcb37cf06c495129ac7fa67e3f99bb77129187
SHA512 6383e3fcfcefe2b45532bc534017ef8d0f5c4bbe2474eefc5f2868d9c511481cc35e2380f8da06bb501cdfe8aaff1facf1085288ac4a370552149b28b46c6916

C:\Users\Admin\AppData\Local\Temp\sYIC.exe

MD5 96b54a2084f177b875bb5bea463c6dcb
SHA1 c48aedf57ca503c0df1aaca46bd8c39a9701be6e
SHA256 53860aa843f58dfb3a983710e1a76d65516b52ab823cb5dad71306183be421fc
SHA512 f0d1460fa8c1aa6ddaa2269ba656f656f5e1d60ee4328e391a5bda6795a9c7cb4d208c0b549c7355300d0ca0ae53f7d8fd017bfcf6e188553056e9a4d898b7a3

C:\Users\Admin\AppData\Local\Temp\ocke.exe

MD5 1fe74e1f002efc8c50f25ec496e32cc4
SHA1 7b80e0b7d51d420fab6f9d1e731fe59149486b19
SHA256 83581d3d8ce960176322c36e65ce7ee1c7d36652c898d8da5515096ed3ad516c
SHA512 53e6c46bf759ed44931bdce728fcb34dd7b83c90305bde55e425c909f46f15e3cd6c20e786628a5a85b6431f96b88d78bea4f0cec68ba6b373d02918c94150fb

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 19:38

Reported

2024-11-12 19:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(this identical entry is logged 64 times; the 63 repeated rows are collapsed here)
HideFileExt = 1 makes Explorer hide known extensions, so the dropped files with doubled extensions listed above (usertile11.bmp.exe, watermark.png.exe and the like) display as ordinary image files.
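
Detection logic for the two registry writes this report attributes to reg.exe (the HideFileExt write above and the EnableLUA write in the UAC bypass signature that follows), as an added example that is not part of the sandbox report and not the sandbox's own rule code. It takes records shaped like Sysmon Event ID 13 (RegistryEvent / SetValue) and also accepts the report's own rendering (native \REGISTRY\USER and \REGISTRY\MACHINE paths, bare quoted values), normalising both to the HKU / HKLM prefixes Sysmon logs so one rule covers either source. The rule names, the sample events and the benign look-alikes are constructed for the example; the SID and the reg.exe path are the ones in the report.

```python
r"""Detection for the HideFileExt=1 and EnableLUA=0 registry writes seen in this report.

Added example, not the sandbox's code. Input records are dicts with Sysmon Event ID 13
field names (EventID, Image, TargetObject, Details). The report's native \REGISTRY\USER
and \REGISTRY\MACHINE paths are normalised to Sysmon's HKU / HKLM short forms.
"""
import re

# Rule name -> (regex over the normalised key path, DWORD value that is the hostile state).
# The two keys are the ones in the report's signature tables; the rule names are ours.
RULES = {
    "explorer_hide_file_ext": (
        re.compile(r"^HKU\\[^\\]+\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                   r"\\Explorer\\Advanced\\HideFileExt$", re.IGNORECASE),
        1,  # 1 = hide known extensions, so 'usertile11.bmp.exe' renders as 'usertile11.bmp'
    ),
    "uac_disabled_enablelua": (
        re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                   r"\\Policies\\System\\EnableLUA$", re.IGNORECASE),
        0,  # 0 = UAC off machine-wide; needs an elevated writer, fully effective after reboot
    ),
}

_NT_PREFIXES = (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\"))
_SYSMON_DWORD = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")
_BARE_INT = re.compile(r'^"?(\d+)"?$')


def normalise_path(target: str) -> str:
    """Map the native NT hive prefixes the sandbox logs to the HKU/HKLM forms Sysmon uses."""
    for nt_prefix, short in _NT_PREFIXES:
        if target.upper().startswith(nt_prefix):
            return short + target[len(nt_prefix):]
    return target


def parse_dword(details: str):
    """Read Sysmon's 'DWORD (0x00000001)' or the report's bare '"1"'; None for anything else."""
    m = _SYSMON_DWORD.search(details)
    if m:
        return int(m.group(1), 16)
    m = _BARE_INT.match(details.strip())
    return int(m.group(1)) if m else None


def evaluate(events):
    """Return {rule_name: {"count": n, "images": {writer processes}}} over SetValue events.

    Identical writes are aggregated instead of emitted once per row, which is what turns
    the long runs of identical rows in the report's signature tables into countable findings.
    """
    findings = {}
    for ev in events:
        if ev.get("EventID") != 13:          # only RegistryEvent (Value Set)
            continue
        value = parse_dword(str(ev.get("Details", "")))
        if value is None:                    # REG_SZ, binary, deletes: not in scope here
            continue
        path = normalise_path(ev["TargetObject"])
        for name, (pattern, hostile_value) in RULES.items():
            if value == hostile_value and pattern.match(path):
                entry = findings.setdefault(name, {"count": 0, "images": set()})
                entry["count"] += 1
                entry["images"].add(ev["Image"])
    return findings


# Constructed sample telemetry (not taken from the report): the report's SID and reg.exe
# path, plus benign look-alikes that must not match.
SID = "S-1-5-21-1045960512-3948844814-3059691613-1000"
REG = "C:\\Windows\\SysWOW64\\reg.exe"
ADV = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
POL = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

SAMPLE_EVENTS = [
    # as rendered in the report (native NT path, bare quoted value), logged twice
    {"EventID": 13, "Image": REG, "TargetObject": f"\\REGISTRY\\USER\\{SID}\\{ADV}\\HideFileExt", "Details": '"1"'},
    {"EventID": 13, "Image": REG, "TargetObject": f"\\REGISTRY\\USER\\{SID}\\{ADV}\\HideFileExt", "Details": '"1"'},
    # the same write as Sysmon would log it
    {"EventID": 13, "Image": REG, "TargetObject": f"HKU\\{SID}\\{ADV}\\HideFileExt", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": REG, "TargetObject": f"\\REGISTRY\\MACHINE\\{POL}\\EnableLUA", "Details": '"0"'},
    {"EventID": 13, "Image": REG, "TargetObject": f"HKLM\\{POL}\\EnableLUA", "Details": "DWORD (0x00000000)"},
    # benign: the user turning extensions back on, and UAC being (re)enabled
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": f"HKU\\{SID}\\{ADV}\\HideFileExt", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": f"HKLM\\{POL}\\EnableLUA", "Details": "DWORD (0x00000001)"},
    # a process-creation event, ignored by this rule set
    {"EventID": 1, "Image": REG, "CommandLine": "reg.exe add ..."},
]

if __name__ == "__main__":
    for rule, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {hit['count']} writes by {sorted(hit['images'])}")
```

The value check matters as much as the path: HideFileExt = 0 and EnableLUA = 1 are the defaults being restored and must not fire, and a rule keyed on the path alone would page on every Explorer options change. Counting rather than emitting per write is what keeps 64 identical rows from becoming 64 alerts.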

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(this identical entry is logged 29 times here; the repeated rows are collapsed)
EnableLUA = 0 turns UAC off for the whole machine rather than bypassing a single prompt; the key is under HKLM, so the reg.exe that wrote it was already running elevated, and the change takes full effect only after the next reboot.
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (77) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\ProgramData\piUUoYUA\HwsEUAUs.exe N/A
N/A N/A C:\ProgramData\RoQAkIIA\isQQggcA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CuMwkEQI.exe = "C:\\Users\\Admin\\uoIosssM\\CuMwkEQI.exe" C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HwsEUAUs.exe = "C:\\ProgramData\\piUUoYUA\\HwsEUAUs.exe" C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CuMwkEQI.exe = "C:\\Users\\Admin\\uoIosssM\\CuMwkEQI.exe" C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HwsEUAUs.exe = "C:\\ProgramData\\piUUoYUA\\HwsEUAUs.exe" C:\ProgramData\piUUoYUA\HwsEUAUs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HwsEUAUs.exe = "C:\\ProgramData\\piUUoYUA\\HwsEUAUs.exe" C:\ProgramData\RoQAkIIA\isQQggcA.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\uoIosssM C:\ProgramData\RoQAkIIA\isQQggcA.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\uoIosssM\CuMwkEQI C:\ProgramData\RoQAkIIA\isQQggcA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A
N/A N/A C:\Users\Admin\uoIosssM\CuMwkEQI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Users\Admin\uoIosssM\CuMwkEQI.exe
PID 1196 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Users\Admin\uoIosssM\CuMwkEQI.exe
PID 1196 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Users\Admin\uoIosssM\CuMwkEQI.exe
PID 1196 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\ProgramData\piUUoYUA\HwsEUAUs.exe
PID 1196 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\ProgramData\piUUoYUA\HwsEUAUs.exe
PID 1196 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\ProgramData\piUUoYUA\HwsEUAUs.exe
PID 1196 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 2224 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 2224 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 1196 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1196 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 4644 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 4644 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 1812 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4704 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4704 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4612 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 4312 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 4312 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe
PID 4612 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\System32\Conhost.exe
PID 4612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\System32\Conhost.exe
PID 4612 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\System32\Conhost.exe
PID 4612 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

"C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe"

C:\Users\Admin\uoIosssM\CuMwkEQI.exe

"C:\Users\Admin\uoIosssM\CuMwkEQI.exe"

C:\ProgramData\piUUoYUA\HwsEUAUs.exe

"C:\ProgramData\piUUoYUA\HwsEUAUs.exe"

C:\ProgramData\RoQAkIIA\isQQggcA.exe

C:\ProgramData\RoQAkIIA\isQQggcA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGAkAEog.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skwQYAwc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osIsYcwA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEgYAwsI.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyQcgYkU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGgcwoYg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQMUMcwI.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryIkIkUk.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeUEoEoA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcsMYIow.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUoEkUIo.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pesIIUwA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSEkEIYY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agUkkggk.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQAwYosE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMMooIgU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOQsYMIU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYoAkgwI.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DukcscUk.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYUMEgUE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKMMkEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcUsQMAY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eagogsUw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSsswUso.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQYcMckg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyksgEEU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgQAcoYU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWsEIEMU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCkYUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSoIgcUE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcEAIsYw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eeokkwwg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckssgMQE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSYEUwUM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncEEQMQc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmgEswwQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feoIQMUk.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCAsMsYU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUEQoEco.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syEocwkU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAEwYoMw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOkUsEgM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUMsckEM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQMIwIcM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIkQYoIc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEIYogAA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCQoYokc.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYcgYQcE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCsUgQEs.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQEMwMkM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmQAogsM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGEsMMQU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEUUgsgE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWkUoskI.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgQMEMwU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKIsskYA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsIIgckg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgYcgIkA.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSAcgQso.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUIgYAso.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMgYkEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKsoQwkw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyMkMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaMkgwEM.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyIwsEkU.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAUMkckk.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeoksIog.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMMcoMg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkwkIwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcwgccEw.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQUIQoss.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOIkwEYo.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyowcgIY.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIssQcww.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOUAkcEg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGkMMkYk.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BygIgEAg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSooMoQI.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dicEoAck.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgMcUMUg.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f"

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEMQgYUE.bat" "C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
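
The three `reg add` lines that recur through the listing above are what the report scores as "UAC bypass" and "Modifies visibility of file extensions in Explorer". EnableLUA=0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System switches UAC off; the write already requires administrative rights and only takes effect after the next restart, so it is UAC tampering rather than a bypass of an active prompt. HideFileExt=1 makes Explorer hide extensions and Hidden=2 makes it hide hidden files, which is what lets a dropped `.png.exe` pass as an image. The loop around them is cmd.exe running a randomly named batch file from Temp with the sample's own path as argument, and cscript running file.vbs from the same directory. The parser below is an added example, not code from the report or from the sample: it normalises recorded `reg add` command lines (either switch order, quoted arguments, long or short hive names) and flags those three writes together with the batch-relaunch and script-host patterns. The input pairs are copied from the command lines above; the rule names and the two regexes are mine.

```python
import ntpath
import re

# Constructed input: (image, command line) pairs copied from the Command Line
# listing of this report, one instance of each distinct line.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f.exe")
PROCESSES = [
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyowcgIY.bat" "' + SAMPLE_EXE + '""'),
    (r"C:\Windows\SysWOW64\cscript.exe",
     r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs"),
    (r"C:\Windows\System32\Conhost.exe",
     r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted argument or bare word
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}
SWITCH_FIELD = {"/v": "value", "/d": "data", "/t": "type"}


def parse_reg_add(cmdline):
    """Normalise a `reg add` command line into {key, value, data, type}.
    Switches may come in any order (the sample uses two), arguments may be
    quoted, long hive names fold to the short form. None if not a `reg add`."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if len(toks) < 3:
        return None
    image = ntpath.basename(toks[0]).lower()
    if image not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    hive, _, subkey = toks[2].partition("\\")
    rec = {"key": HIVES.get(hive.upper(), hive.upper()) + "\\" + subkey,
           "value": None, "data": None, "type": None}
    i = 3
    while i < len(toks):
        field = SWITCH_FIELD.get(toks[i].lower())
        if field and i + 1 < len(toks):
            rec[field] = toks[i + 1]
            i += 2
        else:
            i += 1          # /f, /ve, /reg:32 ... carry no operand we need
    return rec


def classify_reg(rec):
    """Map a parsed `reg add` to the behaviour it produces, or None."""
    key, value, data = rec["key"].lower(), (rec["value"] or "").lower(), rec["data"]
    if key.endswith(r"\policies\system") and value == "enablelua" and data == "0":
        return "UAC disabled (EnableLUA=0; needs admin rights, effective after restart)"
    if key.endswith(r"\explorer\advanced"):
        if value == "hidefileext" and data == "1":
            return "Explorer hides file extensions (HideFileExt=1)"
        if value == "hidden" and data == "2":
            return "Explorer hides hidden files (Hidden=2)"
    return None


# cmd /c ""<something>.bat" "<something>.exe"" as recorded above (note the doubled quotes)
BAT_RELAUNCH = re.compile(r'(?i)cmd(?:\.exe)?\s+/c\s+"{1,2}([^"]+\.bat)"\s+"([^"]+\.exe)"')
# cscript/wscript running a .vbs from a Temp directory; the report mixes \ and / separators
SCRIPT_HOST = re.compile(r'(?i)(?:^|\\)[cw]script(?:\.exe)?\s+"?([^"\s]+[\\/]temp[\\/][^"\s]+\.vbs)')


def triage(processes):
    """Return (image, finding) for each recorded process that matches a rule."""
    findings = []
    for image, cmdline in processes:
        rec = parse_reg_add(cmdline)
        if rec is not None:
            hit = classify_reg(rec)
            if hit:
                findings.append((image, hit))
            continue
        m = BAT_RELAUNCH.search(cmdline)
        if m and "\\temp\\" in m.group(1).lower():
            findings.append((image, "batch file in Temp relaunches " + ntpath.basename(m.group(2))))
            continue
        m = SCRIPT_HOST.search(cmdline)
        if m:
            findings.append((image, "script host runs " + m.group(1) + " from Temp"))
    return findings


if __name__ == "__main__":
    for image, finding in triage(PROCESSES):
        print(f"{ntpath.basename(image):<12} {finding}")
```

Run against the six sample lines it yields five findings and stays silent on conhost.exe, which the sandbox spawns for every console process and which carries no signal of its own. On a live host the same three keys are worth checking directly: an EnableLUA of 0 that the organisation did not set is the durable artefact, since the sample's own files are renamed on each run.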

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
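
The Files listing that follows is a flat run of path, MD5, SHA1, SHA256 and SHA512 lines with memory-dump entries mixed in, and one of its paths, C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe, is exactly the kind of name that the HideFileExt=1 write above disguises. The parser below is an added example, not part of the report: it turns the listing into records, flags double-extension executables and executables written to user-writable locations, reports records whose digests are missing or the wrong length (the listing as captured here breaks off part-way through its last entry), and collects the unique SHA256 values as a blocklist candidate. The sample text is four entries copied from the listing below plus one of its memory-dump lines; the drop-location heuristic and the extension set are mine.

```python
import ntpath
import re

# Constructed input: four entries copied from the Files listing of this report
# (the last is the entry the captured listing breaks off in) plus one of its
# memory-dump lines.
SAMPLE_LISTING = r"""
memory/1196-0-0x0000000000401000-0x0000000000470000-memory.dmp

C:\Users\Admin\uoIosssM\CuMwkEQI.exe

MD5 24a622f9816ef795d4e6b72a1c8422a4
SHA1 8d5841d6c5f91251b61a162c3a94a7fd4a718d2c
SHA256 1dabc23e829d229935cd967af9361fe465a5c9a6aef7bb43ec051f79c1225c4d
SHA512 25d13c74b6a02fb6a5bc59893c2a651b3cac1ec17160e71c44c0cb42047d1ca3b3317a5c972a21abb1a79b93e77f41764c3fbe93b5376767f54ebb16f48ae9f1

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 c131b7cfd42e50af23325f798aedafa2
SHA1 436a37359ee0809ee2647414c9083d397451dcdc
SHA256 511a54ceafb4fdd49bdaa52f381df12921513ece85b956d251e48f5c34ac64f8
SHA512 6850d351d15bf9ec0dffaf08a6aa529fc0ff3f43c157df466eacfe8b71112e0b0b8f970d9a05191cd1e9ad6a107242c22d236c1bf90c030d2c9b2114b9b1d487

C:\Users\Admin\AppData\Local\Temp\SYQg.exe

MD5 cb55bbff95a9992cecbe534ac33ef3c0
SHA1 7bd1bbe133648718a29b27c053e484133072b096
SHA256 35c1c726c4c9779131c1eefc18a52efd3bb6eca48c7fdb03dffb7c3d2c017029
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# My heuristic for "user-writable drop location": anything under AppData or
# ProgramData, or a file one directory below the profile root.
DROP_DIR = re.compile(r"(?i)\\(?:appdata\\(?:local|roaming)|programdata)\\"
                      r"|^[a-z]:\\users\\[^\\]+\\[^\\]+\\[^\\]+$")


def parse_listing(text):
    """Split the report's Files listing into records: a path line opens a
    record, the digest lines after it attach to it. Memory dumps are kept as
    their own record type so they are not mistaken for dropped files."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = DIGEST_LINE.match(line)
        if m and records:
            records[-1][m.group(1)] = m.group(2).lower()
        else:
            kind = "memory" if line.startswith("memory/") else "file"
            records.append({"path": line, "type": kind})
    return records


def digest_problems(rec):
    """Digests that are absent or not the expected hex length, so a truncated
    or mangled listing is noticed instead of trusted."""
    return [f"{alg} {'missing' if alg not in rec else 'wrong length'}"
            for alg, n in DIGEST_LEN.items()
            if alg not in rec or len(rec[alg]) != n]


def path_flags(path):
    """Name-based flags: a double extension (what HideFileExt=1 disguises)
    and an executable placed where an unprivileged user can write."""
    low = path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(low))
    inner = ntpath.splitext(stem)[1]
    flags = []
    if ext in EXEC_EXT:
        if inner and inner not in EXEC_EXT:
            flags.append(f"double extension {inner}{ext}")
        if DROP_DIR.search(low):
            flags.append("executable in user-writable drop location")
    return flags


def triage_listing(text):
    """Return ([(path, flags)], sorted unique SHA256s) over the file records."""
    records = [r for r in parse_listing(text) if r["type"] == "file"]
    report = []
    for rec in records:
        flags = path_flags(rec["path"]) + digest_problems(rec)
        if flags:
            report.append((rec["path"], flags))
    sha256s = sorted({r["SHA256"] for r in records if len(r.get("SHA256", "")) == 64})
    return report, sha256s


if __name__ == "__main__":
    report, sha256s = triage_listing(SAMPLE_LISTING)
    for path, flags in report:
        print(path, "->", "; ".join(flags))
    print("blocklist:", *sha256s, sep="\n  ")
```

The digest check only validates shape, not value; the hashes are copied from the report and cannot be recomputed from the page. Treat the SHA256 set as run-specific: the listing shows fresh random file names for the copies dropped on this run, so the registry writes and the path patterns are the more durable detections, and the hashes are for blocking the exact artefacts seen here.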

Files

memory/1196-0-0x0000000000401000-0x0000000000470000-memory.dmp

memory/3052-8-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\uoIosssM\CuMwkEQI.exe

MD5 24a622f9816ef795d4e6b72a1c8422a4
SHA1 8d5841d6c5f91251b61a162c3a94a7fd4a718d2c
SHA256 1dabc23e829d229935cd967af9361fe465a5c9a6aef7bb43ec051f79c1225c4d
SHA512 25d13c74b6a02fb6a5bc59893c2a651b3cac1ec17160e71c44c0cb42047d1ca3b3317a5c972a21abb1a79b93e77f41764c3fbe93b5376767f54ebb16f48ae9f1

C:\ProgramData\piUUoYUA\HwsEUAUs.exe

MD5 3f5344509e1cff6f9c252116d31e64bf
SHA1 2acaa506ad6f0c11a4d1cbd4b3690b274538f125
SHA256 0ba32d47d6720d63b95df6308c241f0c727bda456442855a3eee96a053f5be4c
SHA512 e04f4ff1a03dc11f7cf0e2e9cffcd200251c72a5abd0ef8a2fe07d4b150ee9fa81d7812588d1cafb8a1fa593b2dc5adbcf2acba9e08d48eecd3592e3ff6ab235

memory/4008-12-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\RoQAkIIA\isQQggcA.exe

MD5 9266f19d2d818a2be030eae75d458296
SHA1 6b9790665fbb3f033e1216c5148df62c5ad9fa7a
SHA256 1122ff229f3c0c4a9f553a7d3c63ae5abcfc10b484832ee42251d475ea682477
SHA512 26e796f1ae4d95df91dfc6dc66845adfce144bcb72c9a2a03d86ecb20e18b343de5d3878d70ab11eeac9fa1e26f72865dbb7a50fe38680336792b46897fbf033

C:\Users\Admin\AppData\Local\Temp\0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

MD5 5ff7bacba16eb1d890efb16d34711153
SHA1 2d8514c647bc757d6bc8164ad748b75b3111e1f1
SHA256 6b841f5d22f63bf660d8a4b82537fc9cd3588f7ae0abeedfba56711f89ec3381
SHA512 518f280e5e34f51e30f4571558c353e99648289e2d6b173604232d611d391280b800b3843c39fde7312d882b36203850f878312a5df0a6d6a8ae625633778115

C:\Users\Admin\AppData\Local\Temp\XGAkAEog.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/1196-177-0x0000000000401000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Mkww.exe

MD5 c885df02fd7927b7acd4cc343038de10
SHA1 34914ce60dd436a6f189190699cc1fd90d7cfd51
SHA256 9398fe7d48cb531e8c92f8a02169db31c9065fe59892be5648c53ffd97eca231
SHA512 6a750a0693c24f33d18e8ee8583d56f8cccb082241a6f9fcb7d3db0ff62e0ba6cf1ba6ef9aa9740f493100f04b1df814ad42bb10f47c83e3353a36a68069adfc

C:\Users\Admin\AppData\Local\Temp\awks.exe

MD5 d8d50473c864f42adc17fdcf99948265
SHA1 b45f44573fb793cccacbc84bb83883c4cb72ec53
SHA256 324e8dab921f5deb9d64fe9fb850146becd8f6894d2fcbb4e76c6b03edc8ff39
SHA512 855f99174a22f07ae6354283bbe80cca2d884f03b4774836163f5ad5175b9153a4cc25c070516711716123c80c9676ae810974f0670fef3c075d095f90499e07

C:\Users\Admin\AppData\Local\Temp\acUI.exe

MD5 046501e8059a057dd8814706a3f66099
SHA1 1c27fcf75bb9078b6f2c12baa7d6a8e7b4d6e011
SHA256 9df204d13cda4f317071d364fb138f967abf58f18cf2eae378e240450f4d2e98
SHA512 47e386b3da4fdec55044dfc5b0f6a4d52f49cf511d71ce4a8f07d04b83c27555c2b30440b52073a7ef359143504d7a2c23341a5b7942912c787262d03eb423be

C:\Users\Admin\AppData\Local\Temp\wwYs.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\sIoO.exe

MD5 91706c5563014350faadaa2f282d7004
SHA1 7528479c688e49da7a32f4858b34ba21f849978b
SHA256 ea8fe1521ef970ab9a9154774cf3f78cb1371ce24ab32d7ccf96fafae9344931
SHA512 2e24e87a7a1465b61b85bcb531fee6ecc4735b793976df1b62808ea84dff5322ffe919f007f17143bf6d7adfebdf849efba0e2d49b72c3c2a2cb6737b154b30d

C:\Users\Admin\AppData\Local\Temp\GIYe.exe

MD5 5b40daeb0df704077c6bdd920e7f3952
SHA1 e3732ea7dd2890ac939c956930c4d8819e51fb40
SHA256 dbe917bcbc9685d332e36f2cdcb690de1ef7f514e91471bc044ccb67f510f1ad
SHA512 9b0ebc539c2b9b340fffeea1c5a1cae8fc09d561fa429a30c3bd44d8038eaa38480d822fce4b55053d79c7f929d322eebc36c2eb59ad0c0037a3e34576e267e6

C:\Users\Admin\AppData\Local\Temp\mAQA.exe

MD5 596fa949bbfe128c175b91066dcc3650
SHA1 4b8e207254ff09bff60e0b87bc4e33a43413644a
SHA256 13fc9f05802574e56b3e49be258346f13638cc6942f28f06f7c8fb3e59cc320b
SHA512 fcf36587d8b193285107ff1297bb54143aadc9ecafa5ba6c3f2d3b3bf5d7090c72ed7dfad531ce31863f268b0b8f78b768bbe2514e4947d854d289fc42f1bc51

C:\Users\Admin\AppData\Local\Temp\Isce.exe

MD5 01d1775d6b136b068f67fcab5040c4fb
SHA1 76be9198d732886a453328ce9474aca64844ea74
SHA256 8b12d8628fef1040c605585dd9560a2545fd7a254835055e1d2f7b0fac050258
SHA512 94bd0248c5d04a0a463a88fedcd82232d39e5733bf139de0dbcf20f65e711fa215d55db9d917650443535610c5b2118fca7eb640d6609cb8e7c741489cc3a8ae

C:\Users\Admin\AppData\Local\Temp\KUMs.exe

MD5 9a567ce96f6b1b0786cd9c370832f3ad
SHA1 854d332a5741d9f59d19b0861a8e93e20258e92f
SHA256 b9cf158580a0385e4488ee4e3aef76439f4cbd6e7be869c13a1147ce7aab8fab
SHA512 080bf52945d7c37fb753efbe5791f3c4dd083ae36bf6a51439270810acfdcdc2edd76e5ba79754fc47970a3c43e61b48bb2a768518402834f932e769f731f9af

C:\Users\Admin\AppData\Local\Temp\QwQs.exe

MD5 0762982167ab2ef46a796800da058718
SHA1 6240915a16f5a827f0dc50d86f6d595c24158ac4
SHA256 6ac5d2663ed814552a64241d84c26a961873fa75dd3062950161a06ddd2f84b7
SHA512 d75999a849b71d9c7a7639055367e02d8c3005f5d98623896e596dab388c8788a0b71209cf454b038e62125ba3a1a028a0d31f2d3241053aadcf6cf5f4128a54

C:\Users\Admin\AppData\Local\Temp\wcsm.exe

MD5 efe19072a6e5156941af02dd46a87c90
SHA1 b07aa23c59bb9ba61345c87d8007b867f26c16df
SHA256 97b5c40c84fe580c5ddbb09eab36ca531ecbe360a2f663a3b0074187b05cd7d2
SHA512 9398fe024562587aba1bfaab347e93bd64e7d051c9bb871ccfc5e45092809c979f0f04de2779effde737d6de9c0aa4721372b9921dd5e9100e825699c59ce31f

C:\Users\Admin\AppData\Local\Temp\ccYM.exe

MD5 0ef335d5625ca26e9c8022c7f5638ce1
SHA1 efab30b3d3a024aec7ff989b461f4bc897a87906
SHA256 ee02506940772187843681c68d02b1a1563f92209b234911b761704c8b8a0677
SHA512 6bb96d8288e1c17ff2a891497087695694b170494a2c5d5f787d909cfab86e2ea606e9cb3d9565fa7fed766aec68346ef0cfb45deacad6df74208dedbb47af5d

C:\Users\Admin\AppData\Local\Temp\kwUe.exe

MD5 cc78e0b0a33fef74943d162f4445c255
SHA1 fe7bb2e0c568f648cad2b0213c872e059787c29f
SHA256 f41be7a152e9b787440a71f1642c1c6f22efa846d36d43bec281286afa626f7a
SHA512 bff4346dd16e7c0f79eb3c0db741f49348e470418a098de014560e5cffd7df3c760f8cbc11ff8056f8ab3fa7f13f49afe1bd74726f681fa134eecb1fab6b0926

C:\Users\Admin\AppData\Local\Temp\wqYw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\OsQo.exe

MD5 0907ff2a1da6237b14a499876e6632bd
SHA1 9152dbda5fff629a6a69d8e13fbd57332e8f22b5
SHA256 3b9f09a474ecf5ed151d158af2f4e299fc9a4b37b69f9293427015906573154b
SHA512 c07de23718a22a5d9b543e7e6515f6e124ca7281a198f2205a92a3672e32be24e0190ea7d32380ec6912785f874bd6f4105d434c43f39ae52c69bd4b610f91e4

C:\Users\Admin\AppData\Local\Temp\qAoO.exe

MD5 50223deada4c446d7b985a375ee282e9
SHA1 f2e8af8d984ccd4e52fb6303e63e64c01519fb5f
SHA256 3eccbc963af45467f7f84ea98c41bd50308616eef010896862f025248e4f3d7b
SHA512 9f7fe78dc33d2a93797dd66cf59593c23a1778e83fc4d8a3e67af5f84d7e50a51b816d14e17815de5b1cd75286c9f89508d1ad0439f652d90105a9a730745349

C:\Users\Admin\AppData\Local\Temp\SQgY.exe

MD5 46835c8e869c1082c5abc9610420aca9
SHA1 e3b6533d6a1a3636236bba37b6644c4c4167989a
SHA256 05a623aeed978d58cc81a11ad9a4b4f1028b56519173d931f47f86aa6d253805
SHA512 9b4318b540df58620e8d1160cceec9fbc55f89010dd34ba593e627132b2a65bb2ae827cc01f4c163586334c8836461ae0fe4038494c68983eb293c318e34b4e4

C:\Users\Admin\AppData\Local\Temp\Ucga.exe

MD5 f61c053020da64b7fd68a12bfac6cf90
SHA1 430758ba007f4bc662e755b188825bdc2a651da1
SHA256 7217c4011ad4be1b72783514d2e7c8d8d41da854187a4c214373ec2d93d7a9d2
SHA512 d778f6efd3f076d3bdd4390a180f8c49aa3d32db315d6f7b61c6aacffa09c9798f649f1d32d5682e62b5a61ea8de72cbce90af3ea67b02c3242020a0fc844c65

C:\Users\Admin\AppData\Local\Temp\sgIc.exe

MD5 7043472702e49a9bd5066b6735a7edbc
SHA1 ab6c2137795ba374062b57633b1c8958d8102384
SHA256 cdf55fa44d5393c8fe0ddc1f1a7d4a451d8ffc1a9d506ddfd07b419dc092ab2c
SHA512 3714c843ed97274e07e8815294215c803eb60b1443e79a85331b13187307a8a821bb7d42a7259eea38b3bed6010ecb18b13697564e50b917c0fdba5c3f9708a0

C:\Users\Admin\AppData\Local\Temp\QIwM.exe

MD5 9550baee1fd3e1a4d67e15500d7b6094
SHA1 15f3100d87824e8fc266e71fa6cd3439ce88ed18
SHA256 7e39eb19dffed69b9da6e3cd5a3aa1f8bf1958d8772e2a9e220dbec9ae893e97
SHA512 f7a5569f28c733b6042f0211cbfe89bb9234d57ae94a9e9757453e7f7f1137229bdb8fdad24cd137f177511fa92c29b38ca82c42b7a72cfbb366cbd5913ed7b8

C:\Users\Admin\AppData\Local\Temp\IUAK.exe

MD5 31f13a0bfd7718c2ee298bbecb6ef6b9
SHA1 7f129f2c558962e16b211c5501b3b552a496c3d7
SHA256 105edc2aa6a2ec709850c5eb55a0bdf3f67224096b593a13e0c577112c202235
SHA512 a395d550884cc2a2f79d27b1120c7c6e305b066c3d858b3ebeaba477c22db43cb9f49ec20f115a1f596a7f26b2e3fa5315f4170e9de25127f9b508c8d8149ca3

C:\Users\Admin\AppData\Local\Temp\AoMM.exe

MD5 6f6edafb9cb68f2e6ee81bdabf1f120d
SHA1 80d79ed6920cb807c62835b1f15feaac5199494a
SHA256 54ac5ab3d39584d20ab54f9fa551cbb8585619cd2e65b5b91d703e30f363146a
SHA512 21419bec44504fd765932c604d4e0d4cb0ad820092b98d723176a193b3644d1d39436aea0f7f14a81cba16a402322f43d81eb3b3236776c0f5987c37db32a8b3

C:\Users\Admin\AppData\Local\Temp\GsEU.exe

MD5 5cbe729909e2783900984a821863b3d3
SHA1 366b0b02d44940a98019557683c5774d3c3a4253
SHA256 07fd91803823b68e2ccc11b6b4a33121dfe48b5a439582830be6a8ebb605e6da
SHA512 30f25290774dfee9fa39c2dcffee8f137ac89566e5d6a4d2125561089ad7069409a3b805037c4f167976a806c13a19fc15f7d112a004e9dd0e8f26a42f2ccb19

C:\Users\Admin\AppData\Local\Temp\mIcA.exe

MD5 2f5996fcb47fa15a83b43537b695027d
SHA1 0ee0480b90456a1786936f0a5a3b5a814ac0c545
SHA256 43267addda95a146b81b1a390f8d46cf124aa0fd400dbb86e778fa62bb022bd8
SHA512 063931f2c5b7f6f6997837df4cc2af28ad07e821da296ff6f038003faa371b11262c02fc59d56cdea97f651df9486015c5cd8d5e4224ca5e5b31042a313dba09

C:\Users\Admin\AppData\Local\Temp\eIEC.exe

MD5 6d01c00408b2f19569da14ac7d4ac868
SHA1 655d7ff2af531397a37c04ba21e073eb00158385
SHA256 af25dd36f4f7492adda0d0c168875a06bfa74b86db15407d1296799ee0682ca9
SHA512 518f3a5182f8ae4cc48713e9ea703b423315b1ba9e473b4976f62d52c73695fe60b80924a25c879dc263759b48160a8556fe358a1009e4626259b125c9926869

C:\Users\Admin\AppData\Local\Temp\qYIa.exe

MD5 07998be17f218390cc75e50e93f796d5
SHA1 1862345d9eeb0e6bbed047b6f8c9e0afa52f0136
SHA256 dc2e59da3f011e24cddd53950a1d4fe12866ffe138387a5d079bd6233f4c8863
SHA512 63da1a37385235918ad9545da5ebb53e60424042f2947ea5ef4e74c1e5ac7701bda7482eff791851ca6f4a06be13ab06c8f66494bca1b26825b65f50878620a3

C:\Users\Admin\AppData\Local\Temp\eocy.exe

MD5 587754ae5929e997b6217b4101c46ef1
SHA1 48f6428a5c4b9a006b7c632e39d185af89228cfc
SHA256 7b81914384327533f7d5cce9911aa112905f24622e5f85146900d852d156db3f
SHA512 0f6e2f090464c3eed72d0e264b2b3363e4c34e2939526f31d1323a327c7b55c40c195e7da623af6680f34acb4b5bc70876879300a026f1986f1eaa1f578a7033

C:\Users\Admin\AppData\Local\Temp\kUEo.exe

MD5 7cc44ded84f3ed764fa4056d617b4351
SHA1 11885ce4e80cad8510549d522682f3a24287852c
SHA256 c82020b117c1e7e397b5b5c83a8368d6d31a6c856a1283dc0d875aaf1bdf230a
SHA512 e0a424473423e244e8324f5404b3cae5ec9c6d991f76e906590aac746eb6b87d3b34cff9122b2b8daee51a1e66eb7b0ff34c00021033aff99b3442472ec0f615

C:\Users\Admin\AppData\Local\Temp\WYYQ.exe

MD5 1dd654f7692457a3c12ef65e3db6f28c
SHA1 5d7d17a2cc944d655061bf3f2b18b32666d7f64a
SHA256 8bea1932c0d5a7cd7d963a4805d4d66907a156f04e65861f083cfdd9972af721
SHA512 d731785d188d3762c8b56936f1f9cbb7ce50601a41807cc3fa9434553ef235cf9281a82c6f3f87c883200d068162923eb899472b4d70b84f1b15966a1b158111

C:\Users\Admin\AppData\Local\Temp\wAkU.exe

MD5 bacae271d1690403a3dda7f2480dee62
SHA1 9faf76a93d5ef50eecea8f56db757df565b15110
SHA256 856c3780ac87c394dfda980c2b82351498cd4e2bbd0a01fc0e3170b8710c0b8f
SHA512 3e9783cb75025e4a75392921dd201876837d53a95614838f810b31ed9049f496a9d097d374e17942f811d35b1a31be22d807c08bea0b9dfdf4219d1f030a472c

C:\Users\Admin\AppData\Local\Temp\sQMm.exe

MD5 d31afaf29ff8a325f945a6aad90a91db
SHA1 01ee235a786cf77bfff33a3f3a36f4ce073f5a91
SHA256 1636c5c5200b43f0d4293952e0cb92037bf3dbbcf866c603dd12f06e70905133
SHA512 20ba61850c698d4b75ba2e04c83926361473f4be8d0e4c57797680af346648870534afc3ae1304328458afc8c72a75b5a7dd0f477c37a4add3cc721154f96655

C:\Users\Admin\AppData\Local\Temp\Iggo.exe

MD5 cae145a8d01f59cfd2caa348814fba9f
SHA1 16c28c1da4b568da65f708b573fa647e71033d1c
SHA256 7ddb6c85a30d457fd21ccdc86aea978b24ae4955319b18eff2b9b0cf5058c246
SHA512 671460ca55242c14cd9a457ebeab7b888626234093a41b01da6d9ffce8b3144e88d63547bd72f173c8054e769362bb8a4bda51aafd5c55f9a63221c267d24370

C:\Users\Admin\AppData\Local\Temp\kQoQ.exe

MD5 cb4aca9a0efb335dbe0993debda7b2a0
SHA1 f28d91178a9e740453b50fde0b75061cf24aa281
SHA256 1962184b32d67e6392a2d33376b906659c10720041c4528675f553992664334c
SHA512 b9987e1de221a98ebceb1ec850dd660740cbac371471ce8519775c2d1614dfe7bd1e01bc2f3614262c9ee2aee742c51ff2ba4c1a827d5349f1e5a0d9571e7348

C:\Users\Admin\AppData\Local\Temp\YkIU.exe

MD5 a79ab48e9fb037b95f97d8e28f84cce9
SHA1 fc57095c44c67735f9616d8c6a95d9cfa9787f30
SHA256 b1eb8b6376c029706f0ef1d3dfedc4738a3dbc79d746b32b32a08a8691779567
SHA512 dd28b0cdfd76c889032b9bc54753c9194f662a6e43ece13a7d040a925a438f48dca25b46090304e9b90205f69b5b6290ada075e55247c68513a9e4313d1ec39f

C:\Users\Admin\AppData\Local\Temp\GYgu.exe

MD5 313707a859a3a99bee5cf18415a3c4c3
SHA1 4c2e3e102f4c4aa7aea90c84a98d09cb7cd9ba91
SHA256 09016920b5a4105850b7a63b2506ffb50763add2aaeee110bd05f06583b84878
SHA512 38bc25791c71c45daba94b76942be22f8287e2b3c0b4458aa388511ee58b0befec0712108a93017ba80c113dbc6d0a76a3760406fbe57239c8cdef16a53ddcbe

C:\Users\Admin\AppData\Local\Temp\YsEu.exe

MD5 500cbb55688baa5aa59d1affa48d1655
SHA1 3050cab02afb99432683b7e03468add5152e01c3
SHA256 f2224137778b5f843430abae896217afbaa4ce3abdbf36d7bced36360b4a8730
SHA512 e74796bbe29f292479422e6ddc87b4d21240e515a3c229002bd0bb39d1a9c221fcdc4331c4172a8b35c01c9df5085291dd11f3d3958deb40f7220f7046811fb7

C:\Users\Admin\AppData\Local\Temp\Oosy.exe

MD5 fb2a8eed884d03f1f88910269485d417
SHA1 92ac19ba828d00f5463c7a8be88ab92c9513e438
SHA256 a89feb5ddb1e8942487fbd2def523cc5d460c68914b3f98eb954593933b305ad
SHA512 f53ded028ce7956c9f2f22a7773a39057c835872553bae212460f7f5e39fe8c5678746eecaeaee4d6e9724bd136885cea822152b202adf0e1d22acf00d41ee4d

C:\Users\Admin\AppData\Local\Temp\iwYc.exe

MD5 21e42d5b970fdf428f0b35e900c2a297
SHA1 dffd7c13bb87b696cbb9be78303567f94f294378
SHA256 8e71572b5fc4db8a3e79ff72e8b7eb2dc8d2f1ce4142e602ef1b5d98fb3b849b
SHA512 c01f194a59ed4b3f28fd32177e432420c39aaea157408645f627959b935a8ca61d36f5df4bc1ac16258dcd45e63299809645e569ab878af24864d7cf75ffb776

C:\Users\Admin\AppData\Local\Temp\sYoo.exe

MD5 fc83b1ae5f138aaacbb510fe721061a1
SHA1 c0016083d9adbfa5b036352396bf59a33f4bc85d
SHA256 2711e467bd8a64f8bc8afac169f4a57806250c6c1367f27b881ba4acd0f4fa60
SHA512 404d33813bd639931fffde7b72ed4fa556053f959632d3158e0f131dda8dd418d0f02dd882df193b4020159a662f667d1265cc75715cceb45f28f9c2bccf94a9

C:\Users\Admin\AppData\Local\Temp\UgAY.exe

MD5 791abd2d91af4e85a06bffdd4af20647
SHA1 dcaa84255cc4f3598ba65c7dbbf2cbe44f3e6cd7
SHA256 7349b05aef41b4cb458202812c82e1f75a8a70454574d1a54c180f35a5afba31
SHA512 bbaf9daf122560d8c5c0a07dacc83f7a9606f5c53d173f5c59bb502a5167c0f099702ffecb0af3705f84ca1b8fc8322454f54959478e40b1f6f4bf8dec6a331b

C:\Users\Admin\AppData\Local\Temp\ucgc.exe

MD5 d804440369fb50390997d14284c1119d
SHA1 38d5607df1f9fe00f06123c2ca92d3e2d9266415
SHA256 ae84d9f0d38627d1823b5ebff9500cd75dec3c6da04315de03cec3b1240be588
SHA512 22c669fe108d4cae5c985f10ecca8230e6e5de6bb6e874b1b84b502fb978b047821608682d973ed31336482f48f36d2b3cde48946b1e9cff3d90c20925dfd4d4

C:\Users\Admin\AppData\Local\Temp\icUi.exe

MD5 78ded7035757c53c58988a3c3b11af29
SHA1 7f4821b0b2249c18bd027494b6c2fb9b82945f09
SHA256 976cf15b6013ea93901b697c15ad4ac9d523e76b7acb808f2ff3bc5001e023ac
SHA512 784450835989887e3f8237ee215fa0567c814d6d3ef6af7695045eadf9423cf82eac1fa4bff62461aa8173611c67f9ecb6e5fa22b588b347b978121845ecd96b

C:\Users\Admin\AppData\Local\Temp\QgQA.exe

MD5 924db16d0ffd90493959ec407789a07a
SHA1 90c8e5d42412cc9bc452c58505f6a4c8c71d2d55
SHA256 aa71c9d78167ce49fed8320b90419da7ceacfb7665c11c6337269ec450a395d8
SHA512 64a3478a4b6f016dc7233af50f19bee7dc62cee307b2d56d8e21375f395bd6fff883c8893b09613217883350c397b3993837dcb835584572ffd7f4bf7cbd005d

C:\Users\Admin\AppData\Local\Temp\WsMO.exe

MD5 b2364f0dd8d57223e83e250815e491cc
SHA1 160927029b13f447e6665c3d87244c31bfc6a6a4
SHA256 45ed2cfd4068711589f314cb28a8df683d1ba852f380dc94c3b5b2a02c3fe3f6
SHA512 6722140ab1475b149f37759e725248d9ee09d9e70778113400be8adad207f93647ad9425b5e908e0a920b3239e6c95a8918ccef27562dbd16e66e6e82e7cf0c5

C:\Users\Admin\AppData\Local\Temp\UkIM.exe

MD5 3936057bd3b0e724b71bdd490b6484eb
SHA1 c84809130a5fb69437fa153ab5c7e3421cdb3c63
SHA256 b9605fcb8ed6100ff712bb7c6ca3d90966c3f3632b4f5d83a6c59cfb4c98654a
SHA512 8392bbebce4b779058fed358f284591f8496640746e3ced9423fcef0c75152f99bd8d026419102d3f57cc387b6bf143a2a8beaa7d4db68a947f6b3da9984b0f1

C:\Users\Admin\AppData\Local\Temp\SkQW.exe

MD5 116442c8cd24310f2ae7955b045124e5
SHA1 8d8ed6c15696a1ecd447e301f4779d1b7954e44e
SHA256 0fa191293d24091637f6a4174b2ff0eae3906970fe5e6e128322a4170ce36e02
SHA512 2bdda0f8fab66a00df7c10f82f927fe9f5cdd5585639d1026613c9d907d12667c182463c000b9939b60dae4b40a0268962d68e0f36106199467c7d85042aeea7

C:\Users\Admin\AppData\Local\Temp\skcG.exe

MD5 83904aa604a2d1a6daf82653aef21cbe
SHA1 a72e73ed052831bcf2da4784d89aafff4494ab3e
SHA256 4f1d521eb2feb0c5bd7bb1404f8745aae8c94218edd601450fba6faf20b90ff6
SHA512 3118c11777e6e2c01a82bdb3de59ca2295b69fe80465f62f6d41048d2a283234ba456c2d09823b3df07b5de252f4f6266fbdefae60cf15805a021b09a52d4af5

C:\Users\Admin\AppData\Local\Temp\isUm.exe

MD5 a5cae7cd0e1b2e1fb079798928100422
SHA1 ceb3cf88b9b3c4138a4b23fe4bc516b771bd7083
SHA256 3f7c9f8a7124e5a57061c030b0f6468ed407083eb9295974175d2273e338c43d
SHA512 62dac722f1025f2a86bd72130360a8b008ee019c0487f78000004b26c84d2c6c88f50318128456cd891fb192e8c989b42230223f76abaf15f316d095549daf4a

C:\Users\Admin\AppData\Local\Temp\eEYi.exe

MD5 5c30ecba017abef0a1d8132533fe60ff
SHA1 9c930be49234bec02e2dac0b4244f44d41e13f4d
SHA256 f899a2a62327889c2311cc120f2d18f941428af20e80b3764fb93c0ab8e6bea2
SHA512 53d195cde5f5f7399a30060663a3b2ffc1a3ad1d00d6751a2a360f0d046e114ee760179cd8795caaf3bb7fbee47b822d39e01046c2b61c08091449865e4307f4

C:\Users\Admin\AppData\Local\Temp\AkEC.exe

MD5 e76a3ed41045e1ce4f33d598a7ad9929
SHA1 39229e12d4fe923f607c0e72e8d174aad107943f
SHA256 cfa7368e6390d53b5d12ac768e0aded0f1e3acf89168d6d1b48bc17f7f88b4a8
SHA512 07c32257cbbd70ee5166f77282fc8a8754fffb8b7c84c0356e7453e27b87795023076f49e97b4d47405c0f09d7adacc1db414d731c0e6ed0f68b1ec0269acdc4

C:\Users\Admin\AppData\Local\Temp\IYEM.exe

MD5 4ba5018374c9e568220387ab10fd32c3
SHA1 3b31738e6367dd989e2c4dc320494be5d380b337
SHA256 86d1fcbe6a22d19635d61e90d9a34d91e4a00643d6b900c89d95fdb4d5951c67
SHA512 5157515fc4574dc4d61cce492b4490ecf2ec3e462a16e0007b1bcacf1814662da2d86014220ba0aa82ba25c785e4b799ba798b09b49bcaf2d1dc7f07ef3bc33d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 c131b7cfd42e50af23325f798aedafa2
SHA1 436a37359ee0809ee2647414c9083d397451dcdc
SHA256 511a54ceafb4fdd49bdaa52f381df12921513ece85b956d251e48f5c34ac64f8
SHA512 6850d351d15bf9ec0dffaf08a6aa529fc0ff3f43c157df466eacfe8b71112e0b0b8f970d9a05191cd1e9ad6a107242c22d236c1bf90c030d2c9b2114b9b1d487

C:\Users\Admin\AppData\Local\Temp\GAME.exe

MD5 f426f65ef192d95ff1551910a9c8e686
SHA1 c403cae2aaa7ae055977ff054108aa0d8c3399b1
SHA256 d9ed3359dc5e194408643ceedd6acd0376aa0f0a0033ec9f03c440ef4c3eb757
SHA512 d1a8b4bf0c86755deaa653db6b58641a0e5e676c2c6ba7cf142709fb3f160ea3518281d7ba5abeadb34bc6c7693c6c769b8d8b01a5cd82f8565a685fc30c5692

memory/3052-975-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WIwi.exe

MD5 47bc89d54e7a3820c0be0f36b9855ac6
SHA1 e39a8b6bc86ec48bc24287cc09925299a72636fc
SHA256 1617febd2f8242e935bdd1c376f5ef45ea6f830a40727e85ccbe29912b3f865d
SHA512 6d48d3a9585223a356b323787823ac1168b0718811c1e79bb1aead48e67f19b9e7620016002fa7ca095b5fc203c506c10010e682ba668cdc6656620832e8574a

C:\Users\Admin\AppData\Local\Temp\WgIs.exe

MD5 170ff0c5c05e7de04472d94c62050450
SHA1 1f0ca85267d43161e0dbd47bb295abb9d24085ca
SHA256 cbd95c702aeb48f0dbf0cb8343a8c5935f86a1f44859f4a703928af24f661123
SHA512 0ecaf83cd8bc7b36d4f67d4c189e47fd47cefad92e4f17e9d3b1d8634e5935a52928f924c9e5ba7ebdb7b6bfacfab885ee0744fac80c38014e4fdf60f5f2b63b

C:\Users\Admin\AppData\Local\Temp\mcQU.exe

MD5 ba05908ff6ebf0ffbde2a4e7316507f4
SHA1 c139fb128da0e1a3560a517d45a028da7101a342
SHA256 ca935e122e3f8d46d239530f5ed07dc83bac0b57b070e0a0406f8182aa51c7a8
SHA512 50857d6e5ed92398f16379fe4f3a5544d2dbbc8a1bfe7fc4d7df2502abeeddf9870d3f95569fd109cfd80a0d818fc879de9fd0a1e2c2763facb55bc6338be667

C:\Users\Admin\AppData\Local\Temp\WUww.exe

MD5 1fc54d7babe5aeede8895c2c8ee1e15b
SHA1 27e44a0f86d1af4721f2f7ae95407ae90d29d490
SHA256 0936242512fca8ea42e5832971175dcca478a4a33299186a949106d2ae72f61c
SHA512 aeec7ea85b640c2f546fe65e77cc2e84bfde99c3b6b7c20ebe925cdb44b0bd7820494b2d01c55f142b27b42444e6fb93ca9a3c1e7cf0d1cc48ebdbd510042f9b

C:\Users\Admin\AppData\Local\Temp\owwY.exe

MD5 4cbb12476f6678dbdb9b927018bed2aa
SHA1 d4722a04a5f1dfb551e167d1087363a0f1ebe0a1
SHA256 78a17417a4697a2577decf794470949c8af84998d3ed038de978b92e76150621
SHA512 d4fe152015a1e44ed62d5a8d90985fc774609271daace37e4a3d12795334a038c5117043067ea47a44709290c2de2c1f30e5a6f21634aa139b1d721eb0a6a29d

C:\Users\Admin\AppData\Local\Temp\WIQQ.exe

MD5 98ecc1636b81b99a1912f9a15fdeb4f6
SHA1 5f39ac17dfe061c1b0b96be581b2f55b7db56d4c
SHA256 7fc6af9bc7af64c83483245b1e168e32617bd45ab183c69c385f5d95ff6fe6c1
SHA512 d613ea7df8d30e593fa0f14697c15a6492c30747f634026c3c529a2e9209516d0d77b85fbe36e1b29be146ade763137600b751b9e8979be3eed604803e3aebda

C:\Users\Admin\AppData\Local\Temp\Qkwq.exe

MD5 ad797d1b6daeea0a97e60c4b3f2a4646
SHA1 c42a9f15ba2595b754e3d2cdab1542ec962185f2
SHA256 6c49680a0f4cfbed619a321f3ad30530df74abe416ea52c1459ca99639272587
SHA512 7a9d357a4ee2b71a78c0f4c04653caaf9bde5c0a3a93bbe615ca134b357b775cfe343492aaf903460ce01e19eb786cbfa86726707c61ca751612c9e008565582

C:\Users\Admin\AppData\Local\Temp\UYAw.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\kAEC.exe

MD5 ccdce6851fd118617cd1b78aed50b9c9
SHA1 2c66ff76f7cbcab59300709b5a7aec70f9c65f1e
SHA256 9623c3ed4c407241fee85b2d6fbe3d4dc7a4da85e753993e0cd44d48ad95be66
SHA512 86edcf6a5ae50d74a12e4ba45fcd0ef31efff9d92723a077dba275abd800a43679223a684ed212bac92248a16ab2d892bf2e0c09299187794170b0073b3f2c93

C:\Users\Admin\AppData\Local\Temp\SYQg.exe

MD5 cb55bbff95a9992cecbe534ac33ef3c0
SHA1 7bd1bbe133648718a29b27c053e484133072b096
SHA256 35c1c726c4c9779131c1eefc18a52efd3bb6eca48c7fdb03dffb7c3d2c017029
SHA512 372972833dd221e88389388dc3697d9531553951418d75bedeb00f5ef932b5710bfbb194980c9c06035007cda4be3f0292c468e3c205d40deb101a8743b3939e

C:\Users\Admin\AppData\Local\Temp\mgcm.exe

MD5 aaa7c248bb9fae7f659be18c6264b60c
SHA1 9ac3c389540697a9296dc883f0e75d8903d50c8e
SHA256 9456a45f735834d60b0db44cb2cd2599dc6ae275725b29432f56f87c7f984a22
SHA512 25b46e6fdf65467ade04cff87431385b472613983b8d79defe2fa5ca2e383b69bcaece6beae1965f1349b81bdb54325969de09ac47d42f40771a7a114b7b6ff3

C:\Users\Admin\AppData\Local\Temp\cMUw.exe

MD5 33fb90b8c89a4d686d3c2b0c92edf37c
SHA1 c1a03a25c335fb29b2de6508073264306b63c7cf
SHA256 849b1f17dd1ea6ad3ade6887e33780f48d4d38204b9fd6826c2c3688301cacb9
SHA512 0e14a19aecc5f03daf6aa81c3381e8f88b58b87d6e348f1efd2d160aa37fe8b4213d4c71591b5fbadda227fe8c215973d95bc6c1ab5728ae5669eb707e78ab9a

C:\Users\Admin\AppData\Local\Temp\qAkw.exe

MD5 1c4fb4f478393eedf5ef43c0aafe94bd
SHA1 eb858383db5529e72544f12fc6f3397a6652908b
SHA256 858a2ffb223f187a21447252707a09744807caf65691003e6d400ea0545971a2
SHA512 dd1529819851331d8995f13ad19ab543b5ba3abc6e2fed00efbd888b57d02400fae9ae763760d842aac699492d9991ee4265e0a015a1679fb5a899e62f039410

C:\Users\Admin\AppData\Local\Temp\QIQo.exe

MD5 34a249d3d49b5754f0ec4f65a286c430
SHA1 7f67cd227ddefeb698b632463babfc320445eae8
SHA256 6043b0de93970f5298f69e1ce34eeed18c02cb99dcf24a3cb7245addd4cf724a
SHA512 e3c4b8ffe1c40f1b29a87690f6df9e8b010cc7134dbc90a1d7a82b7b6b8f7a0254a37b8e4fc5293de28ca3e863cdcd468da54a1ed9adb035d7e5057958dfd246

C:\Users\Admin\AppData\Local\Temp\wcsC.exe

MD5 cbcd8cddc8dcc8aef94090fb4e25686e
SHA1 c7b2821fe55050e7d1759f7ef8f6e5a1d805b49a
SHA256 17dbbed2cc0e7b28c34d90d269632e35359a649f281a35b91ef7357fc810a306
SHA512 6ce7906bae4f82990adea2f65333d93af115ddf339d8fea7782390a0208d6389403818c13f3d4e04628b8da6273be9d650d512bd4240de3abee8d51adfc71c51

C:\Users\Admin\AppData\Local\Temp\WwQa.exe

MD5 7a3be786a18bc302d02a874d36570aad
SHA1 4aed168168dc4b8a8b30a963b1a552e66bb6c7a6
SHA256 5806eec41a8e1dd2ed157ddf76c600793940287e9e7dd01f688829cf7a9cb5b7
SHA512 444ce993a40265e6ae93407088d98857f0b599ac6ec294dcecdfdffd744dad724ede22f2c0a11e1a887689db1aa9f571847711201d497a5ef01b17ea03ca7c49

C:\Users\Admin\AppData\Local\Temp\IEcs.exe

MD5 396e6133eaa0023870b67057af9d295e
SHA1 0233151599c9667727541836e131e2015d49e025
SHA256 f19eec8ea4b1aaee9844763dd0f01ec67d070d832fc56b820c7e18103e5806e9
SHA512 f4bf0f591b59b3aa37b9233f4a666b6bdc6337ebec885b254987819ede89243af710b9e88b8587b69a81b895a11589d0939dc706dcfca6b580849f2f8ca974fb

C:\Users\Admin\AppData\Local\Temp\kUwm.exe

MD5 06e037e459643a9a53a3ded955425baf
SHA1 0b4ed6373ad8e36cbd013fb409881581e47bf59b
SHA256 82fa20496a8dca62fd6f60a951145f9e80913e41a115a2493c23c3228e532da7
SHA512 680e501a1d5c35c9410b5b50812f5be8f98258d2ba3b69f6db520bb67c291d31ee4a5e785500cd1fd753f21a4a4682d39118b08c7cc94939cc60ccc9ba30d0fa

C:\Users\Admin\AppData\Local\Temp\SYcE.exe

MD5 4947569b650ccd58ce639d17f6132cec
SHA1 3f62fed2011d8fc2a916787c934575c05d48d6cd
SHA256 12211adb42a60e29a7bc2a7432625eda6726245125ee0db510a89aec6b9c4406
SHA512 f83203fe704c2d0d4be3ed4e6780199b3e984668f41658873eb13aa53cd373d54c6f15e2ae0b6446aaaff8527ba90bcedcd82c53ed5d3678d46aed1022d84fad

memory/4008-1245-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AIoU.exe

MD5 6f62a6b6b2ba71a9b76787b5ef5a0bb5
SHA1 46008e6108bfd3f1f0b95766649ddd1c89256241
SHA256 56ef78ffc1a853b01238ecfa403c40d4f5be8ee66601d44cde142e041c01a8e3
SHA512 5ed8c4285a827989b6c80ba0c37eca81c4c64d5c836b959980f80cdc8cbccb6056cb3765f00e45f2afbdd7ccb4745de8b760bfdaa80038c30836f02fb5b638c2

C:\Users\Admin\AppData\Local\Temp\wcUG.exe

MD5 e7d9cb702fb57c8bbd5b64790f78fe5e
SHA1 83d89c14c1cc81131ba695f749e7e6f2dcd6341f
SHA256 cdf8d4a0faeaa468f846fa4b92cbde1e82f6ec0d45534c1251d0dd127a0353f3
SHA512 032734643dce6ef7810a695aa8a229cc8b0146d665b7939ba93f071be36fa385ed277819e18882525e697aa4a1375855e6077045e33e41210eb57e18d8612e7c

C:\Users\Admin\AppData\Local\Temp\gYoE.exe

MD5 702b5932fed25abfdcce84a879360f35
SHA1 9b0bd2fbe57b6b7bbd40c0dd13e0453f25576eb8
SHA256 301823b0d25de5e4e43cfb0ec6b22a0005c1a36de5e4aca82e5b576f4dc4868c
SHA512 3ffe6b6e38cdf975e89df8dc5f58ab6ea55259c4da3dcf0d79b5c24d22e2a741b05af7e9bffa4d652fb5c588768c0e5c4c823eb7fe688086685c8ad25ffdf46f

C:\Users\Admin\AppData\Local\Temp\Qwwo.exe

MD5 379d7fef222f76084cedf4716295392a
SHA1 23d6a5be256ea8c1b28b4df96fd63d3404407042
SHA256 44d4c6acdfb7ac2595d6ece9d9afeab071377fe063e83f21ae6a2f10f23f3b5a
SHA512 10dc86409ccf1f29d28b4368682e9099d2045feffeff1f3821d16a8268e1ec2f016047381d750c63934d3ca490d551d07d4673ef8703b8e4e8391bf0bf980d37

C:\Users\Admin\AppData\Local\Temp\mMUq.exe

MD5 3d25d30502823ba352ed9f88272e018f
SHA1 3c6125b020e93ff6654cb4d27a7289bb59fedd4d
SHA256 de8b43582e979c95947024892c3a864c054140a57562bce154ed8e756f24d4fa
SHA512 640bf87592da608fa1e53c78bca735293f9844398dec4eda88a5bb67ab732fc305f25caf1a49fa0230b7e080bb9846fa104160595852de8d20a829ac31e43fba

C:\Users\Admin\AppData\Local\Temp\AAgs.exe

MD5 df6975c1b6d9bdad5646d3ecc168aed2
SHA1 1a1042d7844484671460a49302a338f21cf6efb4
SHA256 f1b832a9c1cf7756fcf5affa970d98f6f442e4f0770d76f1eb5a78743197db3a
SHA512 6e689340873fc8a0b4dd1f196a1d251f85118f0c641972507d45d130785fd0c7145bed1fea19d2edf48d6e82820d5bade3aa881df6eee9ddb10783ac5a73cf93

C:\Users\Admin\AppData\Local\Temp\WEcE.exe

MD5 6e716fabb815616da07ddd3822f14764
SHA1 f1c52bc888ca43f1c1d6225a78955a31572ee78f
SHA256 fe3c2f276e79ace8fae4e1794e860be733dd4060e20bae1818aeb8b37028bd47
SHA512 9f2ed98a42403e0a91751cbeeaece3889365788cd2ad9360bcd311e7ab29613ec9ec9961951c9e74d86c2d5766605b89438718e28eb8c4c63f4015377ee5aec4

C:\Users\Admin\AppData\Local\Temp\Uawc.ico

MD5 f7858e48b74b107ab160878eb400128e
SHA1 d8cdd8be514077e101a9f0a0fdbcdefaea6aa72f
SHA256 2dd714e9df3921b1194d3d890f6509ca5ee753d81f9fd83dbeec831440d22938
SHA512 c2e950c96da0c901c550dddf953dee3eecbf9a1cb509100c93bb034351369e1547bf5b97d4aad78e2bdd516a09ea28e999e597fb0a91fb350da7b7d3ec08e9d7

C:\Users\Admin\AppData\Local\Temp\aMMM.exe

MD5 ee398ed6232f83ed630ff5ae0e55126e
SHA1 accc6abf413f673ea6d6e706b13b955e440c0abf
SHA256 ac9c62becc3fa2e401294331b0db98076bb1ebe0a197b016d81b09e8d11d8a39
SHA512 31c35038a2018b004386819a33c71229fbcd7cd062da89fcafb847e03398574bbec66f0d0efb2bfacb49d07b395fe9c350500b6768963bc54ea33ad56a6b9838

C:\Users\Admin\AppData\Local\Temp\iIUw.exe

MD5 82880ee47e22c4029b6326fe63b048f6
SHA1 3838d7e09b82bd6678e4d11455b027774606faaf
SHA256 2e5e5b2b67fda8f192591ad8a08d8325022c1b350619333138af78a352d89c1b
SHA512 e562852dc0199337e1e40a147308ad9c170f20b5cf9b9fd33772a8ea76265d4a298f5bd5c3b7577f0fa91c2ac4d65b5f34a9474c1333c312c7697cec1085081b

C:\Users\Admin\AppData\Local\Temp\WcAc.exe

MD5 62b2cc9b09eab2309920164ad2a4a9be
SHA1 b547c5e4e934d9b60790ec5244b4644d4376aa16
SHA256 04df62bf43fdd8a60086081d795076a40442c89f71a1632ef99030f1a5038a3d
SHA512 fab2a26d8bab88a6f5533b5e366f30438b541a936066676d81eef04540e2d24583d3dcc420f02bcec975c3650cd12319fa45e70054bf1c34ccb816eee448fe2a

C:\Users\Admin\AppData\Local\Temp\yAog.exe

MD5 384de94684a565c81f7e6be1cc1cf6bd
SHA1 2e0133afe1d348733358b7b25240ec25fd516935
SHA256 b252673971fd608f3545b6c305867455a8d97b098912937c2c7b9417eee3da40
SHA512 627e09ca8f3550f928df3578a26f9c574e8bf13797944241c87d9e8fe82b904c454acd0766752f1f1213e7b300c4554954aa3dafc8eaea5d41a79d56dcdf9e74

C:\Users\Admin\AppData\Local\Temp\gUgu.exe

MD5 8ff96d4cf828cd63441c6edde2fe66f0
SHA1 deff12a7392b915a6ba6db3b877ae4a8fe0e3152
SHA256 1338dbb98cbb9c7fa7932b7468eebdb0ce060639762a2f67c7199da39df785b3
SHA512 e2dbb28e62fcde53ad0363eba1e7a88b14d2a18c8aa026c7b0ac7f94e8b26ccdc5e1b3556d404933b542bbcb0a6e44fcb36e3da7a4fc46abf3aacbe6559d1843

C:\Users\Admin\AppData\Local\Temp\uews.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\KIAw.exe

MD5 0ff1a6c4168618616f99a572a82b64db
SHA1 af175d9d9e5066fad461e0deb56781287f69831d
SHA256 f057524878c1254a1007a80483ae3b57117c36ad462404270fa79fde578bffe1
SHA512 b8c3c4a74547b307b17138c3d94489d02482539d2b298937ac0db452e3967136d34ef997bf198779010b36014b1db825d859b0ab64d02e4b9df99ca179d1dc68

C:\Users\Admin\AppData\Local\Temp\MggE.exe

MD5 760995068256b0909224a8fce1b7b4bb
SHA1 a5b11e84b063b8483b2e3f11e308a94dbd9fd1eb
SHA256 e99ebb3214a944fe70363faee330571cc953a865158995956d44fbbbdfe1732a
SHA512 dcaee1518c7bcda4b1bff76f8ad5065825acffa65e043ed1c70d4700cd321d2ab8c783b6b3b89c168a218d171223bcc0cbe0ff97ed6117562c9c2d056d43329b

C:\Users\Admin\AppData\Local\Temp\Wsog.exe

MD5 32fd6588f4de53498124419f4e83e2a7
SHA1 ce15ad8b91d310c16b49ab63cacb6d8cbf395d48
SHA256 f212275917c1fa2ff74a7ff19826f35a9429f1914ab5244887fb792f9515a259
SHA512 52c3f9a8bbdd5c453123012abaa9cddf15ef40fdd8763befdec0ed88a1f98f361351751f5950afeab13d58a70e58573444c78edee0926bac7b4af1f83b70528b

C:\Users\Admin\AppData\Local\Temp\OAsO.exe

MD5 1c1dc100c8d7e40456deb24000079127
SHA1 c25c23f701e64020eb8d3dca49080f39adad17de
SHA256 c1400a162139185aaeeea902345cbb02788bfa19cd4cc3bed95f272207a0fb76
SHA512 ee153e375440b8c83860c917fab04b26086b2a56083a1960179c0acde8f12c590fd0a717cbfb4264882e601e3e1cce34f6b21c1c37d2807da72294d438381577

C:\Users\Admin\AppData\Local\Temp\SIoA.exe

MD5 a637007cdf99ff47abec49b1738c10ac
SHA1 0364fbca977db52ec1ca416849fdfd731880bcf0
SHA256 02f58e3c87aa3d7aa7c7ecd554ea1aaf9ee7f36e9bbe88a552e483f596c1eb1c
SHA512 7a309e5dfd63b159a8650e35a314c20476bd799442f51f4c287dcec05f257ccc71f0d3c2b588a503a25fafc5485a4c9838e2b2fa4cd9681d1ff6316e2314db42

C:\Users\Admin\AppData\Local\Temp\OUcS.exe

MD5 d6d605be7f5230dc0b606bb8713d870f
SHA1 3155ba7d1eb1231e56f345366dd9b9c5ee0d3c5d
SHA256 11df055de09825abdfc940b89d36813b973ee3618a8eaf9e06ef8ba80d9ec567
SHA512 eedeace70260e55726fad0bab7f61b76b7a4a2869274502b1dbb66d7fa5608d2e58aa0d22e6aeec202b0680ec176c27f5fb42b332b3fd1149bd248b3045a2303

C:\Users\Admin\AppData\Local\Temp\oMcA.exe

MD5 2e054726fc68bcb800c63f5c040db773
SHA1 69bb6a5b46fea0a8746b0f4be4767a20c3e993d1
SHA256 341540ba33444db701ba93eb47bc90deba850d95e036cc04735914f00fef4e35
SHA512 1dd93d026244862efcaad30917c0af7390d2186715d8f438efb48afb0963aed1c1087d9543e3a913d80ddf89fca79087be9579fb4a3159463d31c1987bc45938

C:\Users\Admin\AppData\Local\Temp\UyQY.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\AcAc.exe

MD5 1415b4cb4535513c0b283f40b30d5ed3
SHA1 7f504c8eec5a8654c734a0d5df9b3819bf3fe780
SHA256 db7bf23c87cabe006f36212d60cefc007c8cf78813032246bb6243dd3bfafcdc
SHA512 c1a656d073ce24ac2ddecf7320ec34aa8e6be0c669224149b8f04f6e2f5e189bc9f19b13e1bbbbbd7fae68fb6b25ff92632d08afbf7b1ad96f1de369eb673dd3

C:\Users\Admin\AppData\Local\Temp\ksYE.exe

MD5 e94b56aeae11a6e7674ba4b34fa87686
SHA1 0ab2a447c69ba1eefd536c0b6ba79b1b56118eaf
SHA256 9d2124b0318eea0528b241a3e1102ec3752b55dcc9028c94a542a9b544c639e9
SHA512 3ac35337a4e4bb8eba1a0413d1280af8ae8b829fd3e3aabbb44c76ab07379b121c98f8e4c90860d62ac7cada5f7be0a164f3bcf2fb64163c956acd778177dd6d

C:\Users\Admin\AppData\Local\Temp\OcYK.exe

MD5 ccb411a6850043d5a024efce57737d54
SHA1 e366070f6c233b60e41d781d3387ede9418729be
SHA256 dbba5821d3f0576baefa8da2677bd51b0c792989cb70c32fbfdf7fab513a7fce
SHA512 c31780f4f8dff2fffc4a578e58979f341d12a00da8402bae4ab7b80a5902effb7440486e0a1a85b4a57010f2fee0b0633de5d7333e36bf1a68b8811e5c46b2d3

C:\Users\Admin\AppData\Local\Temp\uMYc.exe

MD5 183d8b60cb915e055a8a0165616257ce
SHA1 9cfe5189706ed4d4224e768f0990cd6ba365c98b
SHA256 80b36c2a836b3ee00b4399f393c3dd69216f96f21e241a233d3b9eb498d81815
SHA512 3401d99f01f0ba2386acb66a2d20fafeb73b5d903ff910a1eb0bed09c74d628e7022312a31ce6319ceb7ebd1439ba585988d65f74fa637566a70b4dd0d8893d5

C:\Users\Admin\AppData\Local\Temp\eEoQ.exe

MD5 10c18e0d826af8bd142d5991ed9388c9
SHA1 9bf851a2958e9ce76a0792aae492ac9589062935
SHA256 5e5732598af0d9f5b4df388569b98dfca0cc5d67f27e872ab4a3748690ce790d
SHA512 6e9459e5256920dceb83204421afa8661ee03d5fb56c881c2e6913e5a20548a96da08784694c8ee3c7e39d9e287bea94b866f49f0b1840f162ef774ae96abd66

C:\Users\Admin\AppData\Local\Temp\aUwQ.exe

MD5 8062d7731f14e106f30ad08ecb96e6aa
SHA1 f15238a003167539ae8f5650da595048924bca7c
SHA256 77199a3f0c76c13a30df658e6c0fe78bac80ed2160e0c292ae1739d27ac2f074
SHA512 d839626bc9befcdbb04cda33b31e2d9916c1a42c1def19f30e25dbb95b2efc2342b54565820304f7bbdabd9895e39c7d8cc88d0004a2b6959eb6a810b18ac3af

C:\Users\Admin\AppData\Local\Temp\MoUu.exe

MD5 71a2c1f12184f4550f365d08d94714f6
SHA1 438110ed4f6078f14d2092c443b0a9c41032d6d9
SHA256 ee65e33d73a519213b79d4d0a6a659c0d06cccfbf78790b7528989427477c408
SHA512 69c6a112b3a4712ab8cdc08dbd91df4fccc8f421e3f491691d5af89955919862cb629acf6f76783638dec50fcdb8adec339be08e8abbe192f0ce06d632b187ee

C:\Users\Admin\AppData\Local\Temp\gYAw.exe

MD5 912a1c337f2cdbf7a9e51913c8a851a7
SHA1 ffe6f83116fbac68a17ec45e51bbdd43c67f5d9d
SHA256 71997d0da7d015f1203c3f8128ce6674c8308cc51d4927a87354a679a72ababa
SHA512 fa1b59c36bd68543912a8101440277697ff8bdc8aace5c4505d44dfc2a70811b07d63c4f7cd69bde206ad4ed5af060e35e196cbebecdc2a259ae06ee5fe62d10

C:\Users\Admin\AppData\Local\Temp\aEwu.exe

MD5 dc747c7ab2bd1a28554ae9062359f051
SHA1 b7d2f716b894fd4bd7feb5542fa19fa53114feed
SHA256 e5a09455213ea02c8b5b0053920c540e05727815d0944cea3df153a0931821f6
SHA512 8b52d1275b8832656729f48bfe75c479aef90c3d1c5ba26904c567610336f99a9bba9dd95f222f655688ee8d6711d75824e82bc1847dc1eb58a8618cf7d50312

C:\Users\Admin\AppData\Local\Temp\WgAi.exe

MD5 b031374c9785b1fa3484379edc831d5f
SHA1 86e17500aa3a01afa686fe1b4efdb32eab7206db
SHA256 f48b33151dc8e0dad35f91ca554ab5e621158b7694a4104437736be7920b89ca
SHA512 db2c3da2ee1b67d3d1cf1d133e04fc098674c7e35c17e6310e081f07c7bef7241cb5819444b532ecf64829dffe744cd9c9c4fee2425b19532cad7cd3ba722ee0

C:\Users\Admin\AppData\Local\Temp\WAsG.exe

MD5 99c4a8b1171846ed0d351e278395fa7a
SHA1 ddc5384dc277a7072189975c7feccd6f7b25078d
SHA256 faaac2fea9b7c4f95deea26a6d2ec690d3258775f021cd1584f73ed1d1a4f3c5
SHA512 f0f58af25536442435aef4d7d46198e6fbc332227bd28217424f03d7b2b18ff22ce3d7a63e3a15592c487813d9ec98953895c10757743d47a4b079c9b9d5e1a4

C:\Users\Admin\AppData\Local\Temp\SscA.exe

MD5 926b83bbd640e54f6ccca3e15149bef7
SHA1 a30646b4c1bb47f69a72379392b4140d2c6ca4d5
SHA256 f9344c692acc76140ad8aba01a8f1e827e3d49eb133e6bbe7b162e9d626a4519
SHA512 63e09c9e2f271f2433909686f8b1a5ac1ae44397ab78662c49893c49a3234a1f3493e7f54d4e5478bd08813f3d5ed4b31ea122148dd85b13d2e6b71b3bcfbb5e