Malware Analysis Report

2024-12-07 10:04

Sample ID 241113-b3sg1avame
Target eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN
SHA256 eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86c
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86c

Threat Level: Known bad

The file eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (68) files with added filename extension

Renames multiple (83) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 01:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 01:40

Reported

2024-11-13 01:42

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(64 identical entries)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(64 identical entries)

Renames multiple (68) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\MKEIYkEk\LUYUkAIk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xWYIosEs.exe = "C:\\ProgramData\\TMMQIIAc\\xWYIosEs.exe" C:\ProgramData\MKEIYkEk\LUYUkAIk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqQwwoIA.exe = "C:\\Users\\Admin\\IIYYYoow\\wqQwwoIA.exe" C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JkkkMUIk.exe = "C:\\ProgramData\\SUYcooQU\\JkkkMUIk.exe" C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tAQcUsAU.exe = "C:\\Users\\Admin\\CcQkEQYk\\tAQcUsAU.exe" C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xWYIosEs.exe = "C:\\ProgramData\\TMMQIIAc\\xWYIosEs.exe" C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xWYIosEs.exe = "C:\\ProgramData\\TMMQIIAc\\xWYIosEs.exe" C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tAQcUsAU.exe = "C:\\Users\\Admin\\CcQkEQYk\\tAQcUsAU.exe" C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\CcQkEQYk C:\ProgramData\MKEIYkEk\LUYUkAIk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\CcQkEQYk\tAQcUsAU C:\ProgramData\MKEIYkEk\LUYUkAIk.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
File opened for modification C:\Windows\SysWOW64\sheEditApprove.docx C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
File opened for modification C:\Windows\SysWOW64\sheShowDisconnect.png C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
File opened for modification C:\Windows\SysWOW64\sheEditClear.wma C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
File opened for modification C:\Windows\SysWOW64\sheExportSave.xlsx C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
File opened for modification C:\Windows\SysWOW64\sheTraceSwitch.xlsx C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
File opened for modification C:\Windows\SysWOW64\sheWriteWait.pdf C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
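The rows above record 64 reg.exe invocations without saying what they wrote; the command lines under Processes show that only three values are ever set: HideFileExt=1 and Hidden=2 under HKCU\...\Explorer\Advanced (Explorer stops showing extensions and hidden files, which masks the dropped executables and the renamed files), and EnableLUA=0 under HKLM\...\Policies\System. That last write is what the report's "UAC bypass" tag fires on, but it is not a prompt bypass: it turns UAC off for every account, it needs an already-elevated token to write to HKLM (the sandbox ran the sample as Admin), and it only takes effect after the next reboot. The classifier below is an added example, not code from the report or the sandbox; it parses reg add command lines the way reg.exe accepts them (bare name or full path, ADD in any case, long hive names, switches in any order, decimal or hex DWORD data) and flags the three values above. The log lines it runs over are the report's own three reg.exe command lines plus two constructed lines that must not match; the Contoso key in the benign line is made up.

```python
"""
Classifier for the reg.exe command lines this report lists under Processes.
Added example, not part of the sandbox report; feed it process-creation
command lines (Sysmon event 1 / Security 4688 CommandLine fields).
"""
import re

# (normalised key, value name) -> (DWORD data that matters, what the change does)
WATCHLIST = {
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua"):
        ({0}, "UAC turned off for all users (EnableLUA=0; needs an elevated write, applies after reboot)"),
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"):
        ({1}, "Explorer hides file extensions (masks dropped or renamed files)"),
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden"):
        ({2}, "Explorer hides hidden files and folders"),
}

HIVE_ALIASES = {
    "hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
    "hkey_classes_root": "hkcr", "hkey_users": "hku", "hkey_current_config": "hkcc",
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def _as_int(data: str):
    """reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD; None if neither."""
    try:
        return int(data, 16) if data.lower().startswith("0x") else int(data, 10)
    except ValueError:
        return None


def parse_reg_add(cmdline: str):
    """Return (key, value_name, data) for a `reg add` invocation, else None.

    Accepts a bare `reg`, `reg.exe` or a full path, ADD in any case, long hive
    names, a trailing backslash on the key, and /v /t /d /f in any order.
    """
    toks = split_cmdline(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    hive, sep, rest = toks[2].partition("\\")
    key = HIVE_ALIASES.get(hive.lower(), hive.lower()) + sep + rest.rstrip("\\").lower()
    name, data = None, None
    i = 3
    while i < len(toks):
        switch = toks[i].lower()
        if switch == "/ve":                       # the key's (Default) value
            name, i = "", i + 1
        elif switch in ("/v", "/d", "/t", "/s") and i + 1 < len(toks):
            if switch == "/v":
                name = toks[i + 1].lower()
            elif switch == "/d":
                data = toks[i + 1]
            i += 2
        else:                                     # /f, /reg:32, /reg:64 ...
            i += 1
    return key, name, data


def check_cmdline(cmdline: str):
    """Return a finding label if the command line sets a watched value, else None."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, name, data = parsed
    entry = WATCHLIST.get((key, name))
    if entry is None or data is None:
        return None
    flagged, label = entry
    return label if _as_int(data) in flagged else None


# Constructed sample input: the three reg.exe command lines recorded in this
# report, then a constructed benign reg add and a constructed non-reg command.
SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r'"C:\Windows\system32\reg.exe" ADD HKEY_CURRENT_USER\Software\Contoso\Tool /v Verbose /t REG_DWORD /d 1 /f',
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample"',
]


def scan(cmdlines) -> list:
    """Return [(cmdline, label)] for every line that matches the watchlist."""
    hits = []
    for cmdline in cmdlines:
        label = check_cmdline(cmdline)
        if label:
            hits.append((cmdline, label))
    return hits


if __name__ == "__main__":
    for cmdline, label in scan(SAMPLE_CMDLINES):
        print(f"{label}\n    {cmdline}")
```

Matching on the parsed key and value rather than on the raw string is deliberate: the same write can be spelled with HKEY_LOCAL_MACHINE, a full reg.exe path, hex data or a different switch order, and a substring rule would miss all of those. On a live host the same three values can be read back with reg query to confirm whether the writes took effect.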

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A
N/A N/A C:\ProgramData\TMMQIIAc\xWYIosEs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe
PID 4444 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe
PID 4444 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe
PID 4444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\ProgramData\TMMQIIAc\xWYIosEs.exe
PID 4444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\ProgramData\TMMQIIAc\xWYIosEs.exe
PID 4444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\ProgramData\TMMQIIAc\xWYIosEs.exe
PID 4444 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2004 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2004 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 4444 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1004 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1004 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4612 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 4612 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2472 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2472 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 4704 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4704 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4704 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1440 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 644 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 644 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 1440 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
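Every target PID in the table above is also a process that the writing parent launched (the same images appear under Processes), so these writes are the footprint of process creation rather than injection into an unrelated process, and each parent/child pair appears three times. Read as a tree, the rows show the sample (PID 4444) dropping tAQcUsAU.exe and xWYIosEs.exe, then relaunching itself through cmd.exe (4444 to 2004 to 4612, 4612 to 2472 to 1440, 1440 to 644 to 4724), with each instance spawning its own reg.exe and cmd.exe/cscript.exe children. The script below is an added example, not part of the report: it parses rows in the table's own format, collapses the triplicated pairs into one edge with a write count, prints the tree, and counts how many times the sample image re-executes. The rows are transcribed from the table above, with the four long image paths substituted in from variables; only the first pair is kept in triplicate to show the collapsing.

```python
"""
Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the sandbox report. Rows are parsed in the table's
own "PID A wrote to memory of B N/A <parent image> <child image>" format.
"""
import re
from collections import Counter, defaultdict

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"

# Rows transcribed from the report's table; {S}/{C}/{R}/{V} stand in for the
# four long image paths. Only the first pair is kept in triplicate here.
ROWS_TEXT = r"""
PID 4444 wrote to memory of 768 N/A {S} C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe
PID 4444 wrote to memory of 768 N/A {S} C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe
PID 4444 wrote to memory of 768 N/A {S} C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe
PID 4444 wrote to memory of 1452 N/A {S} C:\ProgramData\TMMQIIAc\xWYIosEs.exe
PID 4444 wrote to memory of 2004 N/A {S} {C}
PID 2004 wrote to memory of 4612 N/A {C} {S}
PID 4444 wrote to memory of 1236 N/A {S} {R}
PID 4444 wrote to memory of 5116 N/A {S} {R}
PID 4444 wrote to memory of 3444 N/A {S} {R}
PID 4444 wrote to memory of 1004 N/A {S} {C}
PID 4612 wrote to memory of 2472 N/A {S} {C}
PID 1004 wrote to memory of 1632 N/A {C} {V}
PID 4612 wrote to memory of 1424 N/A {S} {R}
PID 4612 wrote to memory of 1832 N/A {S} {R}
PID 4612 wrote to memory of 1976 N/A {S} {R}
PID 4612 wrote to memory of 4704 N/A {S} {C}
PID 2472 wrote to memory of 1440 N/A {C} {S}
PID 4704 wrote to memory of 4384 N/A {C} {V}
PID 1440 wrote to memory of 644 N/A {S} {C}
PID 644 wrote to memory of 4724 N/A {C} {S}
PID 1440 wrote to memory of 516 N/A {S} {C}
PID 1440 wrote to memory of 3648 N/A {S} {R}
PID 1440 wrote to memory of 3900 N/A {S} {R}
PID 1440 wrote to memory of 3520 N/A {S} {C}
""".format(S=SAMPLE_PATH, C=CMD, R=REG, V=CSCRIPT)

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_rows(text: str):
    """Yield (parent_pid, child_pid, parent_image, child_image) per table row."""
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), basename(m.group(3)), basename(m.group(4))


def build_tree(rows):
    """Collapse repeated rows into one edge per pair; keep write counts and image names."""
    children = defaultdict(list)   # parent pid -> child pids in first-seen order
    image = {}                     # pid -> image file name
    writes = Counter()             # (parent, child) -> number of recorded writes
    for ppid, pid, pimg, cimg in rows:
        writes[(ppid, pid)] += 1
        image.setdefault(ppid, pimg)
        image[pid] = cimg
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return children, image, writes


def roots(children) -> list:
    """PIDs that wrote to others but were never written to: the top of the tree."""
    spawned = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in spawned]


def render(children, image, root, depth=0, out=None) -> list:
    """Indented preorder listing, one 'pid image' line per process."""
    out = [] if out is None else out
    out.append("    " * depth + f"{root} {image.get(root, '?')}")
    for child in children.get(root, []):
        render(children, image, child, depth + 1, out)
    return out


def instances_of(children, image, root, name) -> list:
    """PIDs under root whose image is `name`, in preorder: one per relaunch of the sample."""
    found, stack = [], [root]
    while stack:
        pid = stack.pop()
        if image.get(pid) == name:
            found.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return found


if __name__ == "__main__":
    tree, images, counts = build_tree(parse_rows(ROWS_TEXT))
    for top in roots(tree):
        print("\n".join(render(tree, images, top)))
    print("writes recorded per spawn:", sorted(set(counts.values())))
    print("sample instances:", instances_of(tree, images, roots(tree)[0], basename(SAMPLE_PATH)))
```

The four sample instances this finds (4444, 4612, 1440, 4724) line up with the repeated `cmd.exe /c "...c86cN"` and `.bat` command lines under Processes: each generation re-runs the same file and repeats the three reg add writes, which is why the Modifies registry key table has so many rows.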

Processes

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

"C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe"

C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe

"C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe"

C:\ProgramData\TMMQIIAc\xWYIosEs.exe

"C:\ProgramData\TMMQIIAc\xWYIosEs.exe"

C:\ProgramData\MKEIYkEk\LUYUkAIk.exe

C:\ProgramData\MKEIYkEk\LUYUkAIk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoUkssMg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EosokokU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsggUYoI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIMYUgcM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYMoskYk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuQgggIc.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qowocAkE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeAYQssk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QigMUIEA.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmAEYgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwMosYYg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaAsIckc.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOUkcAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkYQgIUU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEsIIYEU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUIYQYsE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYgcocM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUMAMYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIcQwIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaUYskMA.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaYgEMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acsIYYwE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkUQAoY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOIQUswk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAkosAQg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ockAsEsk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKUoMAMs.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwkwEgwA.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEUYEocs.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqMQkYok.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcAEUsIk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCAgkkcg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAEsIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Diswgkcg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boIkAYwM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQoAgYEc.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmkQYkss.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEccwUUo.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IScsYUwU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUwsAIoI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKAgAMwY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMQQMYoY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCkogIwg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuEMEowQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcgwIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqMgQQkI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkEUUEsw.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSYkMwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICMIAcUw.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GekkAsQs.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIEEkskE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqQcsEEg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUUYwAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAYkoIUY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKMgwsUo.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWUsAwcI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GikEoYsk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSAoYYkU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikUQYMsg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgYMwAog.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv /g/x9er69UGu7bOGmjsMxQ.0.2

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcsMQQks.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEMQMcco.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\IIYYYoow\wqQwwoIA.exe

"C:\Users\Admin\IIYYYoow\wqQwwoIA.exe"

C:\ProgramData\SUYcooQU\JkkkMUIk.exe

"C:\ProgramData\SUYcooQU\JkkkMUIk.exe"

C:\ProgramData\EwQsUsoI\MqIYEUos.exe

C:\ProgramData\EwQsUsoI\MqIYEUos.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2452 -ip 2452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 372 -ip 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 220

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKYUQUwo.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAsQQkYU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkQwMYE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOYMowwM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYsEowow.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joUEQwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAEcYgMI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKwokUAY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuUsUYsE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIQMgkkE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hekAUgsw.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uykgsUck.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiscYcMo.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSQEooME.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAoIQMI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYAsUokA.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmUowIAo.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country  Destination            Domain                         Proto
BO       200.87.164.69:9999                                    tcp
BO       200.87.164.69:9999                                    tcp
US       8.8.8.8:53             google.com                     udp
US       8.8.8.8:53             28.118.140.52.in-addr.arpa     udp
GB       142.250.178.14:80      google.com                     tcp
GB       142.250.178.14:80      google.com                     tcp
US       8.8.8.8:53             14.178.250.142.in-addr.arpa    udp
US       8.8.8.8:53             73.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53             97.17.167.52.in-addr.arpa      udp
BO       200.119.204.12:9999                                   tcp
BO       200.119.204.12:9999                                   tcp
US       8.8.8.8:53             198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53             200.163.202.172.in-addr.arpa   udp
US       8.8.8.8:53             99.209.201.84.in-addr.arpa     udp
BO       190.186.45.170:9999                                   tcp
BO       190.186.45.170:9999                                   tcp
US       8.8.8.8:53             88.210.23.2.in-addr.arpa       udp
US       8.8.8.8:53             google.com                     udp
GB       142.250.178.14:80      google.com                     tcp
GB       142.250.178.14:80      google.com                     tcp

Files

memory/4444-0-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/4444-1-0x0000000004310000-0x0000000004330000-memory.dmp

C:\Users\Admin\CcQkEQYk\tAQcUsAU.exe

MD5 68aad34b4201951c04c1c1c818bfc0bb
SHA1 6e84be968a4cf69e6aaf8658da605a9a2a2db714
SHA256 fb0fdf6f7db9df84eb67de9afdd07657d3beb9a938ee28afa5cdbd32b569a008
SHA512 6b2c93a581c075b9b520916e609a37ad02ef8a0edbae0807820e9c2775fdcc8c97161f2214ab5330cd2b4ca926bd9509e64b2122f6e3ce4b61cdf35b8dcff33f

memory/768-7-0x0000000000400000-0x00000000005C1000-memory.dmp

C:\ProgramData\TMMQIIAc\xWYIosEs.exe

MD5 06674318e7c700b09246e1bf5540b813
SHA1 636891a8392d4dad07352b3339f12af7b9e3c883
SHA256 f159bc9c795bfb49eecdcb7ee8edd4510d0f5c82bf93a0bca8b84eaea30e0085
SHA512 9cef6f9f843bc2e959daf54c9c0e82ded7b3a3c3e8ab4124b0bc2abf9a79c70190a4ae4613443142650531dee8295f95fce8a02532b7737c530ae87c15b8ee6b

C:\ProgramData\MKEIYkEk\LUYUkAIk.exe

MD5 a61c7e6cfe7637e8523ccac2cb8a1f34
SHA1 e0ba3d724e6549175fba72a64adbce84a2e7719d
SHA256 2818e8c8fe35fe000753582fbb442efa0f03a502dbd0db5932c75a8597f7c0a8
SHA512 1c520177a396a2d51b628987087b1ed5dd75d94018a6ac0b38154c319b1cc85d12727bcbced8ad88c0c6ccc7d16e12bc7edcdb525804a74bc263e4fa21626641

memory/2140-18-0x0000000000400000-0x00000000005C1000-memory.dmp

memory/1452-15-0x0000000000400000-0x00000000005C1000-memory.dmp

memory/4612-22-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/4444-27-0x0000000004310000-0x0000000004330000-memory.dmp

memory/4444-26-0x0000000000400000-0x00000000005C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

MD5 9a73063ea181f944f88c3e2ed083f8af
SHA1 f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25
SHA256 dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec
SHA512 a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

C:\Users\Admin\AppData\Local\Temp\OoUkssMg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4612-37-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/1440-38-0x0000000000400000-0x00000000005C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 01:40

Reported

2024-11-13 01:42

Platform

win7-20240903-en

Max time kernel

120s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
With HideFileExt = 1, Explorer hides known extensions, so a dropped "report.pdf.exe" is listed as "report.pdf". The value is per-user (it lives under the logged-on user's SID) and is set here through the 32-bit reg.exe rather than by a registry API call from the sample's own code.
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 46 times)

UAC bypass

evasion trojan
The label is the sandbox's; what the rows show is EnableLUA being set to 0, which switches User Account Control off for the whole machine from the next logon or reboot. HKLM\SOFTWARE\...\Policies\System is writable only by an elevated process, so this write succeeding means the sample was already running with administrator rights in this detonation, not that it escalated from a standard user.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 46 times)
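Both reg.exe signatures above (HideFileExt = 1 and EnableLUA = 0) reduce to the same check on registry value-set telemetry. The Python below is an added example written for this page, not code from the sandbox or from the sample: it normalises the sandbox's NT-native key paths (\REGISTRY\MACHINE\..., \REGISTRY\USER\...) to the HKLM\ and HKU\ form that Sysmon Event ID 13 logs, then applies one rule per signature over a constructed event list that also contains two benign look-alikes (Explorer itself writing HideFileExt when a user changes Folder Options, and EnableLUA being set to 1). The event field names, the LOLBIN_WRITERS set and the confidence levels are the example's own choices.

```python
import re

# Constructed sample records (not taken from the sandbox report) shaped like
# Sysmon Event ID 13 (RegistryEvent - Value Set). The first two reproduce the
# writes in the tables above, in the NT-native path form the sandbox prints;
# the rest are benign look-alikes the rules must not fire on.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # A user ticking "Hide extensions for known file types" in Folder Options:
    # same value, but written by explorer.exe, in Sysmon's HKU\ notation.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    # UAC being turned ON (EnableLUA = 1) is not the condition of interest.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
]

# The sandbox logs NT-native key paths; Sysmon logs HKLM\ / HKU\ prefixes.
# Normalise both to the Sysmon form so one rule set covers both sources.
NT_PREFIXES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


def normalize_key(path):
    """Map \\REGISTRY\\MACHINE\\... and \\REGISTRY\\USER\\... to HKLM\\... and HKU\\..."""
    upper = path.upper()
    for nt, short in NT_PREFIXES:
        if upper.startswith(nt):
            return short + path[len(nt):]
    return path


def dword_value(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return it as an int, else None."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details or "")
    return int(m.group(1), 16) if m else None


# Script hosts and LOLBins that malware commonly uses to write these values (example's own list).
LOLBIN_WRITERS = {"reg.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# (signature name, key pattern, DWORD value that fires, writers that are expected/benign)
RULES = [
    ("Modifies visibility of file extensions in Explorer",
     re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion"
                r"\\Explorer\\Advanced\\HideFileExt$", re.IGNORECASE),
     1, {"explorer.exe"}),
    ("UAC bypass (EnableLUA = 0)",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$",
                re.IGNORECASE),
     0, set()),
]


def detect(events):
    """Return one alert per value-set event that matches a rule and was not written by an expected process."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = normalize_key(ev["TargetObject"])
        value = dword_value(ev.get("Details"))
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        for name, pattern, fires_on, expected_writers in RULES:
            if value == fires_on and pattern.match(key) and writer not in expected_writers:
                alerts.append({
                    "signature": name,
                    "image": ev["Image"],
                    "key": key,
                    "value": value,
                    # A LOLBin writer is exactly the pattern in the tables above; anything else still merits a look.
                    "confidence": "high" if writer in LOLBIN_WRITERS else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['confidence']}] {a['signature']}: {a['image']} -> {a['key']} = {a['value']}")
```

EnableLUA = 0 is worth an alert whatever process wrote it; for HideFileExt = 1 the writer is the discriminator, since Explorer writes it itself when a user changes the option. Run stand-alone, the block prints the two alerts for the constructed input and nothing for the two benign records.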

Renames multiple (83) files with added filename extension

ransomware

Checks computer location settings

The value read is the user's country setting from Regional Settings. Reading it is common in samples that refuse to run in particular countries, but plenty of benign installers read it too, so on its own it is context rather than a detection.
Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\KusEMMYw\kQcckUEw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BSQEIoYU.exe = "C:\\ProgramData\\mKwcAcIk\\BSQEIoYU.exe" C:\ProgramData\KusEMMYw\kQcckUEw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\vMcIYEoU.exe = "C:\\Users\\Admin\\aCUsgIcM\\vMcIYEoU.exe" C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BSQEIoYU.exe = "C:\\ProgramData\\mKwcAcIk\\BSQEIoYU.exe" C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\vMcIYEoU.exe = "C:\\Users\\Admin\\aCUsgIcM\\vMcIYEoU.exe" C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BSQEIoYU.exe = "C:\\ProgramData\\mKwcAcIk\\BSQEIoYU.exe" C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A

Drops file in System32 directory

C:\Windows\SysWOW64\config\systemprofile is where %USERPROFILE% resolves for a 32-bit process running as LocalSystem, and aCUsgIcM is the same directory name the sample creates under C:\Users\Admin. The two writes below are therefore consistent with kQcckUEw.exe running in the SYSTEM context and re-creating its per-profile directory there; that is an inference from the paths, not something the report states directly.
Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\aCUsgIcM\vMcIYEoU C:\ProgramData\KusEMMYw\kQcckUEw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\aCUsgIcM C:\ProgramData\KusEMMYw\kQcckUEw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Opening the NLS\Language key is generic runtime behaviour (any process that initialises locale data touches it), so treat it as context rather than a detection. What is useful in this table is the process list: cscript.exe runs in this detonation alongside cmd.exe and reg.exe, and this is the only signature in which it appears.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A (12 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (18 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (27 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (7 events)
(64 events in total, grouped by process)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times; no indicator was captured for these)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A
N/A N/A C:\ProgramData\mKwcAcIk\BSQEIoYU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe
PID 2336 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe
PID 2336 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe
PID 2336 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe
PID 2336 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\ProgramData\mKwcAcIk\BSQEIoYU.exe
PID 2336 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\ProgramData\mKwcAcIk\BSQEIoYU.exe
PID 2336 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\ProgramData\mKwcAcIk\BSQEIoYU.exe
PID 2336 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\ProgramData\mKwcAcIk\BSQEIoYU.exe
PID 2336 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2336 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2736 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2736 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2736 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2872 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2872 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2872 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe
PID 2680 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2868 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2868 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2868 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

"C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe"

C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe

"C:\Users\Admin\aCUsgIcM\vMcIYEoU.exe"

C:\ProgramData\mKwcAcIk\BSQEIoYU.exe

"C:\ProgramData\mKwcAcIk\BSQEIoYU.exe"

C:\ProgramData\KusEMMYw\kQcckUEw.exe

C:\ProgramData\KusEMMYw\kQcckUEw.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQgoEEIE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCQwYEsI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwMQcMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQoYMgcU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\saowMIMM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKEAswIA.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\suMEEkYM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWIUococ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqAcUIgw.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14762783771887363655-15656426-18417912841392640041-4169299461473666269-1377574175"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1348393170127601026711667952661662072560-770083545-14874687051692568898502385901"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGwIcAkg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSQcUEwM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\juEkUEkw.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dswAIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "817728535306812242021622975-8596171691969075208-1389485586729712815-1634724364"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQkYUIcg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1363178320-219018687-755317711715467817-1186816029947760379-1516372987-1418612350"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\imkQgYYc.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2092563793957592003302637700-1112721732-1298273995-101903410967080229981384632"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1227892691-428592599-139605715510012698631170121749-469012462-768578168-661975339"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWIQYAYY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUcIIYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "114592017810030494661578467094-1394860768-472551413-24708689-1965901901-1226633067"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lmwYkAAI.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2052092511-69443683715649583092043777297-1892067321363551844-110385670-1018848857"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OWYoQAUM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAMwUsks.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2614233381502846501-20980553121600876787697059297-422349339-1329044127-758261236"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\giQoEAoE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1895505984-206778562-978964050-20925866116811040802065754290-1902838231484709369"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYIcwYkk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "96029025-1779840335-1458723208-1772853697-3512493162006404596-375708534-1867787225"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuwAkckg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1392642777-806179832037640597-1506719637-7830662011473913104510438365-1231674866"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20331002991530122737-1773469296-1214202772558865364-1767974543-1228529173-494074254"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TKgowIIc.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1919433035-966075539-1219041361-74358418950328799416492127720778414201562519129"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMwUwock.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19933942501334383091450767440-15961650444378387919903640341644178632-583261080"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1036020701471902052372484902132250051-949286719-1153291823467663920392560465"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\myMEoYko.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-517383447-151901610517776638277473611-1764633379-2104632168-62962814-119405736"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcwwUMgM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUcoQkck.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FyEkMAkY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-440089154-5704650421888970255-174184789312007860412115771723-575124746-492062876"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOIUQMUA.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1733669485-758048083575840708-1845514558197809301551852280693421497253144373"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-735335262-7186671011675498566-11652365001477097950-1857741619-1182890880875976383"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-212847207-857551648-13845015861203975610-73334514114226939-20517179181848516079"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaEUAkoE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "456943303-2083637922-92502907520070506148760051184638958566226517501300032568"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqcsYkEY.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16915553801215517837-6290013931862346576-1219210369-1966915082-991095541-1256685622"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RiQsIYso.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeskQEwE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\riUcAEYs.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "441084120-332425249-232825547-2042408622151305733-1915614317-18688463981929505242"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEckocAc.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmIUAsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1056587293180920300-6415384181067815982-32549286264520283116821004831961725013"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmkEYsoU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-127651429516536090001668707720-463460208-19174928173465040486902101011735984255"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYwMQAEE.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyYQcsMM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAgQkMwg.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQEcIQkM.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hswAwEEk.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEMYcAMU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "514971528-117786390720378434611185005248379812385-10792728151493029673-2019281659"

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuQIwAsU.bat" "C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe""

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN.exe

C:\Users\Admin\AppData\Local\Temp\eb68e0f59630d5a08bfcc1ca6dd4ebf222b2bd6db21782c5464bb86d5a65c86cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network


Files


MD5 79ee168c0e4464fcac3e8fbbfddb6087
SHA1 4c14c869482b02180c8f3a7dc3c55a65d61d2d10
SHA256 11c8d10df8ca01b20f20ff8890dd4542b0552b01d8919ec72bfc34ca1151ef14
SHA512 e89a386141f59898668553873605c6d1d7303ab1764442096183c0aa41c2b1bcc1e2481bd048686301da6ea416bd923b2ac4961edaad86a2884fff1c13bd31ab

C:\Users\Admin\AppData\Local\Temp\ZEYE.exe

MD5 e7fcf19b93b8378254c2763a8549393a
SHA1 4c8dddcc73e366087e45b18a01fe87cb2c1b925d
SHA256 ad8fd8993e22fa5076948639701adfd0989f9bdaa2381f09dfc92e552214e992
SHA512 79f8b6ce3dc7d03cd7807afde28b33d98727d830fe14734633a8f8f2c453e4dedcee696167e41275f8ba269fabfc30e5aaf47712679985ded2f739a1492bd781

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 a148915e46ed5fa4d9219aaea43a4990
SHA1 a9e00a7462d8f18845a0405f69d11f56e4370961
SHA256 0d634bdc27148ee4621bde9e84a9de98e3282995073ba557237bd596233d1d99
SHA512 1cb725c2667f62bbfa21fa0e66fce74c291a82a0310ca257ef501f32eb22a8346b53e4e18682f172d0ba03afe48f8999494b9c4225c2d6c0e1242a1213fa08a7

C:\Users\Admin\AppData\Local\Temp\YCoIIIoY.bat

MD5 5a6b73fc16d7a4dd4dbdd0d029d6da83
SHA1 24bd55a3b5aa8f5d959c5595af0ecd08bc3311d5
SHA256 4c490d0fd931dd07c5561767ac9dde67d9f717befa4f846f265593c89c581225
SHA512 b60ced9a43f9ed75dd8108f99f3ace7c71c2778351dbf81aad6a423d16238b13fc75d6441dbb0faae8e7206b06d1cb19565b2129df37c2124003d4f9bd758b49

C:\Users\Admin\AppData\Local\Temp\dqAoUwUg.bat

MD5 bba33ea1bd8c545be4a2dc7696cb3b17
SHA1 5040e3e2effce683277d631edfa4fde9358ff353
SHA256 a1926759879d93c17c45d3c3b845d8ba3c785863620829904ee0bd57a3e55ff2
SHA512 c1a17ad3ccee35453bcd948b4ee4a5ad9e54fa2f1738d9d74fcfcfd5005e96e32d63969a5caea5f15475e95ff26bd2cd2910df81e6a3744982772c21f24cbebe

C:\Users\Admin\AppData\Local\Temp\KKsYsYoM.bat

MD5 7d078e8cc8f7b4c3f38bff3928394022
SHA1 096cba69325023a5b9530c3123d8991c53838234
SHA256 5ca453d7a9db943c772441f851672238619e6e2f4ce15c538e19367fb40f3de5
SHA512 e867619c1192dee0d7365bddab6aca22543548b8c7465595c3ca2ad8c9c39bc8993a180d44c3b2442097949b0372eb2f57d9f3cd05a04b6d5880f33591590f9f

C:\Users\Admin\AppData\Local\Temp\vwsIQIIc.bat

MD5 1c4ffd9e2ba3712dfafc2eac0beb1312
SHA1 31ddbbd74701a274c95575ecaaa07555840a2bfe
SHA256 4d2aac340413aa8bb1991567208fe83cbe11eab6a29297f115edf9aaa6db8969
SHA512 dbd0884c1af5e431751e1854ee71e6c7143fb92d096a76ae7b551c36e8e2bb07e9f39615b37d071d9dc52bdcbe8243132bc04feda7cfb450546f70b702f06b2b

C:\Users\Admin\AppData\Local\Temp\NQooUgQM.bat

MD5 62691ce8942da1deb2aaf9500bf1511c
SHA1 40c335797e5863f68af6ecc378c80cdeee1d5cec
SHA256 89f91527f2d106e10f1fac02ea691f86065779c81a4a5863d0c8637ecb1cdb9f
SHA512 8a5f0bdbaac4913e8002cbd83af8b6e2e7251aa80fdd1f7fb5a45df88faca0fe8f11699bf14647bf13da8f8d4e4d52474ded3c21cbf708a84c0e8f3c7f56fdfb

C:\Users\Admin\AppData\Local\Temp\mSsQIEUM.bat

MD5 02d5647041ed1ef0662a67f34dcc6dc4
SHA1 264dd31f97484a41efaf627f00c9aafab1d0d979
SHA256 f5296395f13d42e4dc50c52787b951d5ddd2de080bd737aeb00c1d14793ed319
SHA512 d829b997bbda0c3ce7af148b15f707e972347af28541e35e81c7565ce7d53cb52335f7dc3d0f4c016b1f8f12bc668b0ba6c0e8140ca7ffac2419fa3cedd3610f

C:\Users\Admin\AppData\Local\Temp\wwIEIYsw.bat

MD5 5139cf87f3f8954dcf345a088f7a86cd
SHA1 0407cb0270cebebf09a4c9240f01d2b8bcdb8d28
SHA256 23e9a645fc091d4c3b31f7b7f63dbe359737686f4969259bcec200106df49dce
SHA512 a0004a9c48da68a25f2aa5e31d7887f4b2f47d4fe64d5da0dc1a2de4ff181f318fdad8f9e141bf5dcb382886254204cc0088d7c3ed1ac4e0da569b847d125997

C:\Users\Admin\AppData\Local\Temp\dCcggEoA.bat

MD5 dbaeaa3e4d586a88263404d2851dafd2
SHA1 37554f3daa342d869d4c62fdb37126657f1b231c
SHA256 f266424220c008ab17ef51989f48bc48d814263d6cb4dbf135db2a5889df8d1f
SHA512 b97b98e2ed5df880d991a589d05e7fd0a368af9152972a2297782e0c3a35da967d93b24d83ddef71090d4887b14602a107bd6d287e11721b01409f8bd404de85

C:\Users\Admin\AppData\Local\Temp\gEYEcMkI.bat

MD5 59795610c476ffda9fdeb4cb8d11416b
SHA1 251f4649cab048a065e57c096dcf577e3b359a70
SHA256 c22229a1c46d42aeb547eba36763d739311832a2bc1cf1d3af116907031339c9
SHA512 ba2b73711a6105ba1069ce52486580b66f56a6b326cdae07ec827832ad20ddeedf9a867e16ef7c085883646100f162fb5a3d940a5f781b67f22e199f8fc31ef3

C:\Users\Admin\AppData\Local\Temp\bwsoAkgU.bat

MD5 7a7584ecd5dd0a254026d3477a37420c
SHA1 e48b451132a0a5965859136b2b70ff9b65f67b07
SHA256 f02f35ea06c34409fb387f2ff4c6c4e0f80975e15e877cd4bbd905a049f49825
SHA512 3d182d50aecb08fa30ef7c7b6dcab379832251dfee12055515567d24e97482c421d6eb776f3eb268d7ae1ead7ec97931532e47fa5af9b9ba0fed0d20580ed415

C:\Users\Admin\AppData\Local\Temp\KkoQ.exe

MD5 18dace4ef5cfdc6e6586008142b10d05
SHA1 2c8fa94a327105c62e0ccabeb770cc8e91dd7176
SHA256 7a13cde647c6b9f98b16b3edf030ec9932862558f35729270063f61664957386
SHA512 c0f3fa4b4495ccbb582df9f80181765c4de0dc4d51a6dc291055135064826f10a207943a69cdd60b0377c6145b3ebba873c666c08dec99909d69738734324e35

C:\Users\Admin\AppData\Local\Temp\twcm.exe

MD5 68460cf60e17e1e4db62925b34305e79
SHA1 cb88c9279184552bbe306b99d96577f1035fcfa8
SHA256 8db5dea4c4ea1ea6cfd5c9daf4fb60689452038f51ab132f65c5f532acbceea1
SHA512 facc10ecf258ad210f4f178267d066c5004df80d533c49a2901962ed22de54384e28a3991a7f05b735a2d8fbbd3c959102ca0119598cc9acbd187ae419ed251f

C:\Users\Admin\AppData\Local\Temp\IcYk.exe

MD5 25a3c83e57fb7ecb7b3dc6e4f95c22d4
SHA1 9c2f4ac1592a784f81fd44a9b79cf7227e459726
SHA256 b4587de9f10c8ec9244f7cda653b4ca0ab957d6c593bd1d10ab336e7b4bff475
SHA512 9a5b43e116146cc35e7bd6013b59318ed9b474ba143384d2dd30666d4cf119e094a309a6f4b06fe181d2fff1e53c6f218fe910b05b67dad18702b555c4223d3b

C:\Users\Admin\AppData\Local\Temp\rYMG.exe

MD5 1a68e51cb100a9b63226c63f87e74f6e
SHA1 92d4333855f8438f4da6ceab116c6692a48f9f64
SHA256 50cc2681bbafc1434ab041e667ea22f69663b2197e300a4ad24ca9890c418383
SHA512 df453c3f3bec3244ba8e58a40d2603fd0ce638206f201e5d69b471bf5b04ebbda8f4bf2f4f584fedadb5dcd5141a2f6de54a31c9c0f1dc7a42d1418671ce8f1a

C:\Users\Admin\AppData\Local\Temp\wsoE.exe

MD5 ff44e63f925df83a29dacfa78762aa79
SHA1 5a80a9f1bfe1a811d1395dab6cef673dfd8c3197
SHA256 69a0836123a8cc0003e0d2febf4932d6a9ce5b4d2248bd1e65e2d0e594998966
SHA512 ff838f655a31f656155927b823cd88519ef8e05da931c8ccc2bef50aaa6462fd4e0a01a7ce97349287ac8089721b4b273eb18fbecc4d9495b38738d3da957de4

C:\Users\Admin\AppData\Local\Temp\TYsA.exe

MD5 beb38633db8703e61a4944e1dbef28f9
SHA1 8f4c8b27e3970b35c0f0dbc41c689c5ac4d727b6
SHA256 ad384136950ced7b984f57e5710c3a82dc0439415629c3d3334803d25a104caa
SHA512 77a4f0464ec5f5a73a6813a316c1ddf56786aaeead2ba807b5b10c9196ca03bed3b7fc31c61a63b421d9a53ca4b9f329cd7842da86b7d58512abd65bd5a1e28d

C:\Users\Admin\AppData\Local\Temp\iMUs.exe

MD5 b258dea4a3808212ba2066151edd8e15
SHA1 6f4bb47d6f27d39c4df573b713a8467ebfda3c78
SHA256 80fc7642a41a38b2674fa9cd81f133d442b27d98fc6e88c0042bfc0a3f2124a1
SHA512 2f32280c46c04ec0825a5dc92f23e13c41c70ff58d1e4c8c02a135e7df22be005372f9c1251aeb822b320c9e6b992f099b265606bc31a770a8b6bb821f22afc3

C:\Users\Admin\AppData\Local\Temp\wQIK.exe

MD5 5ee802b1957314ffe0755909fb46f8e9
SHA1 5ee055ae947ea7cacb2699ea1cb418206b317543
SHA256 ec866ff847b83862e2531a4e97f0ecf946bd70f43f194ccbdc44f35dd7a57cfe
SHA512 062af00b060b2f6ac9bb20fc9a9aa2d0bf89e4c5c98ee25529ad791dbd576376cdb410a974b1a58a80fc4d8f7f4906a03a1467a4b8308386da5e2da80fb1baba

memory/2124-3454-0x0000000077120000-0x000000007721A000-memory.dmp

memory/2124-3453-0x0000000077000000-0x000000007711F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yEsEIcYM.bat

MD5 b8c2d8a8eff351b2f330a0e7bd8cffaa
SHA1 970a6f21550c458021f5d863cb62b0fedc35f02d
SHA256 7661504d69c66af16ec32b32d29255e246b87a3ed28eaf8ab1a8e8dd7c5b43ea
SHA512 d1527263bcd03c874d18b0b576ad31f60d7f43a0bcbdd4cdd72202d539096b9a9756e7f6a498bbc85c66bfb697f21d80eb2a3e084787be1d807cd73a2537b472

C:\Users\Admin\AppData\Local\Temp\dosy.exe

MD5 164f09d7f0c9c0b54107420d9a276a77
SHA1 c8af254d11ee0001f72e9ddf1400cf098f8685b1
SHA256 940a2de3b566e1a7d559f3f797292e7aad187a8379a19d5597caa99a3f47b405
SHA512 7678f2498458947ce19de24c830bcb11a72a9de8984001b019486b29647e19d57fcafb7dc1527578d05e33f4b912ca8f0360a7321105c54014c324ff86193cf9

C:\Users\Admin\AppData\Local\Temp\EAga.exe

MD5 2f3d17131a9a05dcbc518941947393a7
SHA1 b5c2ad6199898a83938d9d0d0e279f92caf85f69
SHA256 50041fa59a2d477beff2d312fb513eb4a65c70c0e2d1b0401d5e198a94775b38
SHA512 7c95311f844171eae001a66a1fc09b3a8da9b7d4d6a9590cf78c14e5a5fc5c39333138df082fe7f3dd6b46df10c8d2bfd90e387e829d8260a6b2535f30c8fe5d

C:\Users\Admin\AppData\Local\Temp\fQEu.exe

MD5 d379cf041e919f97ae8a0475069a6880
SHA1 c56cf465644e9b0606fe3c6a90a8fdc32efbe407
SHA256 ed948873dda85ed2eb87533897b9108f56721b57c595fb0692fc48a24db6b07f
SHA512 bc244f699f30d04f51ab81b6c3d41ac42d685fd09c5ae2a6bbe121a2fdea61197d4bda85f53592aa29aca7f9fff4eaeeddc1341aec6ef0d12a64ba254c003b96

C:\Users\Admin\AppData\Local\Temp\rwco.exe

MD5 77f2bb77398634673e715cb09dffed64
SHA1 f79b0cec0624bdad156e95bc46081aa0ba692070
SHA256 fc36fdba81acb82b27ac5cb3408c809f31b07bcce57619cc2269df139c89aa2c
SHA512 f3c15f86a201e893f5316c2f7ced97c9443358d3a3585f5abd07370737afff33c83f0b9c85831de8aae6f19394ca012baa74bbb65736be097d96c4ac95f17fc6

C:\Users\Admin\AppData\Local\Temp\WgUe.exe

MD5 cdfccce3a038c50e2d33f05d0dc4890f
SHA1 a8f2656aeb82e399305ee1f7d4c442c5f66358e1
SHA256 eb85ae1d8b711bc0fd8be9b431d6eee9a03f263388c83224d362a10c7581ca18
SHA512 032d905b882e582ce4725773129fe32867aceb2588b3768a91150d3d622fe3dce5daf0bdec24ee3efd94abf387ed6ffd2c7b5a148c9bbe70807c92a27f4d2325

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 71f22fb243cff17413cea03ccb739205
SHA1 4a5281026b4dd8e642e4630b859f95f383db3fac
SHA256 8a6b73238f8342c1e596b0cd9697dba0c7321e710b5dc98178a2fe11cc6dbf0c
SHA512 6c70f30dabebce71759de0705415f901b14178d3d223b983233c9519e6d9026d209710638c2b0032578de5ae4918175cdc30413a83a608a4b039d3ec7344e065

C:\Users\Admin\AppData\Local\Temp\sgQm.exe

MD5 920e56d1473a200986a6f309ec670231
SHA1 bbbecc7099e5c1518aee05d4dd097b544e701120
SHA256 f643588c6301f26bc6f4a6ad593e67f94b0685bafa8ddeb96e48b971bcb0450d
SHA512 3faa8dc30a94956b0d7bd5085a271028ee48ab86a518b2e67064eb55f0a174b5fc7436f029c069a1a352368ec1e8293f75f332f4d21b828869fdc2839b68c06b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 3175a285fc50442c2463f91743c58116
SHA1 3b301c89b059e55f65727c9803e9d727bb80f90b
SHA256 f55093f6928b30efc0929a83882f8a6d1ead865a86f87c69cfa5ed13cb093225
SHA512 a0b772918b089a12cfbb7861746af9b8f954b049911222d531a6037f1ce9feaa304802a228531d2615d78ea4890b99eecc818c25f73a0f2adb924eec496c500a

C:\Users\Admin\AppData\Local\Temp\yEEW.exe

MD5 1a6b62807fe7d6a5da4ec81ed334476d
SHA1 695cbc149217286ffd0c0ef9fe0d24d8f83492dc
SHA256 b9c33b3498120bcf11bd651602ce8eade1de863ba504b4e33a1eae8ab0929f0b
SHA512 879368e4ce69e67620046d957bd2d46c533b96d812887054c0b07f788bbbb9ebc907b19e05a1fe8dbd303c4af0acb2c20ffe09204e1c4a0c3eebd08cfba9fd99

C:\Users\Admin\AppData\Local\Temp\lYYssUwU.bat

MD5 528bdf5d5c133589ef2bdb8766f6167d
SHA1 450435c46d9e2981ad16c0e33c22b9d4758a9f1f
SHA256 b1d2695d5b5447ff2a91c7f73eacd23f0e10cc13d8c8b637a237d30c603e5669
SHA512 cea985c6f06f23996efa1ad05959c343327976c35e2f09d7c4c622b11b068723bc5f7e7088199c72a03b7fee8cb5c0851943d0b702069ffaacec7026eccd8b70

C:\Users\Admin\AppData\Local\Temp\YUAG.exe

MD5 45e7d3d689f5f01a493ee54f439fe79b
SHA1 474828127f57d32fa8cf91609f4680f23f13aaff
SHA256 df632d10fa14f572f0a542e73528cef675d519bd14b6deeeb4029e0e620fac92
SHA512 e7771b3a26d546afe3f1b21d1cbcd2250133723192ee272f72b16997056a6570dc6db387c2e322519642253e7e402877101fb9012cbb687d5243c0a00275fbb6

C:\Users\Admin\AppData\Local\Temp\iQgs.exe

MD5 42015017ae06827ea0d8599e30515047
SHA1 21685cde10332fb92276d67302a442d82c2bfcd6
SHA256 4e683b0ae85b42f1456c3a5c57eab3939468032a20e21d44640f72601743e166
SHA512 c2da5b017f2dd70b9ab38125020c15efa57a4758058a384e7c61ede7c3a7ac41f22cd2f11a5740eb023c3c8585dbecc0c957fdcf2eac56329a77828e2c0e5e30

C:\Users\Admin\AppData\Local\Temp\CIcO.exe

MD5 968063a26d8d616c7777a5c07b90aaec
SHA1 b1d08db10cdb1947575bb01d9025f3850198ef8c
SHA256 d50094e6c5b72c43e3ab414891f81d1d45a165b2527a3a51f940d53a15f26ffa
SHA512 33540ec7b495e7085577f780eb42cacdb0269d53db85f0eca372d901663c78390dc27b1e57db2fb74f3daa141afc1f8402dca27b2bce6496e5b9c9bb5e6ed4b4

C:\Users\Admin\AppData\Local\Temp\gsMS.exe

MD5 adcc007dbeafc2ea2eebc3d0865e6435
SHA1 47ce412f4da06a014291b0af60d350d6ca58b35a
SHA256 02dd41c68205f5c6b93533bf5f35a571db0f12e03e664552b653b93ae4cabcd2
SHA512 22612076c556ef3d4887fb128b4f8625ff4ff12defbd499f95b2d735f304ff3690682d9f35d2dcf3c6a9a40cf73ed30b40ccdaaa0c8b8df32d8b470e60889583

C:\Users\Admin\AppData\Local\Temp\TccK.exe

MD5 a80e2a129cc24ee73c3ddf974667315e
SHA1 71dc65a22d00e8dffc6401fd827e7fe88c521efe
SHA256 08f0c13312e8d954d8ea0ad9c26b1057d5467cb00e5153125567af622f690413
SHA512 0c31c295729b47b1ba1578994592b76846a35ac5f53d7f9eb5acf2adeabe654f4db0bf31466f15705fa1b8b5fadbe6c517be202f9cfceaa5693d9c848f761f3a

C:\Users\Admin\AppData\Local\Temp\mUUQ.exe

MD5 5b75b6d92448eceaaf3eccbb2c6cd6b9
SHA1 f8ca34fa003c2e0e4da1bd4003836d908d63f1a8
SHA256 2500b2238c55c2acd7e0e2c38afde874fb4cb697e9bba18e658082e5799cb7ef
SHA512 c5947675980789cd27938685245da053b3e06a9807c222153a75d051455c5d52e584205f8920542e43470c62044769359329ec617db8cad66af244a971e70201

C:\Users\Admin\AppData\Local\Temp\ekku.exe

MD5 99ed9b248d778b74613e08750fa03a1f
SHA1 1e70fe0a6335f6f0752d451b469c1c2121669bea
SHA256 13b3e953c411e8a215f0a5cc6c8fe65812d66d66871728d200c9a5336ef4fa7f
SHA512 3e61aca7ecef83d5e999db9cff89cdb6d970c20a789a21a56897ca118c40ae57f363ab647e63e1a3e479cccdc79a1ff16be4ffbc1d26c5fd6b179c1c76e7ea18

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 94910d34e975a8c5b07429302239895f
SHA1 dbda05e28a29fdf1588201e7dd86fd6944ba4a42
SHA256 09bcb852c61b44385647e9ce909bb4d9f3ec1377f6e456cf6a815cf89c356e95
SHA512 a2da71652c7bec75ba9bacbfcec2752fdad07588f28873c299b08dccebe0f7d9a4b2c393c742cb83c36d705bf5c16d7f29cbc6de6d6327817c2c6d7d1a8d809e

C:\Users\Admin\AppData\Local\Temp\tQcC.exe

MD5 0a16e94d3fe858cb447765bac4326cad
SHA1 339ae2c7f42dc79246253319f918d8b79f50b686
SHA256 49ab53eed3fbfb87694da82b87385277375ff0c97ec5b4ba6418c11f54d09a2c
SHA512 965242692533d7cedb9cf4cbe3e37a1e7f7aa8910ae0d12b3fca2ec5b6f9896be200380cc044f2096f059cc674ce19bfed41b29606466d9e151bed1b51766806

C:\Users\Admin\AppData\Local\Temp\AUkO.exe

MD5 c1eb1c740fdca29935f8c86a8f49b400
SHA1 aa26790aafb25ecca49dde317d366d4af4c5ff2c
SHA256 9d65a074a0f414faf588c95b80e28317b4474671e736115a9fb90d41cae96a49
SHA512 2d77557c701cb70dc1de48a9a090f3f3a77e5106c81815c3dfff4cb64cbd2a81a5e6a461e416ed830bf176e387cf809b2b83e289e7b8f04c2bdfbfd879fd8ee6

C:\Users\Admin\AppData\Local\Temp\dwgm.exe

MD5 dbd6113a22014a5a9ff7559799088a4e
SHA1 90d0469dfbba075bd1ca4bea77cc0fe306fc7b64
SHA256 27f8abe62141e0bb1631a7ec1397ca6df80275558a963f3f5e94eba35efd2e5a
SHA512 9744379eac7bc10d0c908aa3a991659e5e6e06b9ae07ee9d6417a11deaf511605202eb2adbbf291cd4ed64dcdd628378110119d2320fd28cd5a6f5e8aa2c7a2d

C:\Users\Admin\AppData\Local\Temp\pcEi.exe

MD5 af558772af44ac63adea4260a98debf0
SHA1 c596597b9fe10af59f9ce2db10b60514b78d03af
SHA256 1fb468c36fb623bebee7f4930c77bff5d8542a13cc086d4c23b6f263abb64fd3
SHA512 dd1cf8c1ce62ce0c26d5070076d9b5f8321caacaeff644e43b13fb2cdf1566cb26c52f346a89bca584583f670c8bd079069570d889feb2fca5e6a254317f50c0

C:\Users\Admin\AppData\Local\Temp\yYoC.exe

MD5 844212f05a3b991cac30bfbe4daa81f1
SHA1 4a0ab3698679d4d9e44c6fb49c7644905910c472
SHA256 1fd335c97c3360e8ed5053a055a78a9a78ebff4f7e0f229c1f860fb8ed800770
SHA512 ecc75250ece95202e2b701c4c0c9bf8879018c26eb06bfe0a41d2db0e672916a2e6556f4a5585439ac833e9e7722aeb2ecdede0161c36aa165f07b8b6a0e8a02

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 cc27e07e4a04bd4759191bcacc587a11
SHA1 9836bf8c17c7af9dc0b4edba11b6a49c79328dc6
SHA256 3a217b6e12627f3c26fc998dc8200e56d9faf0a9c1ab816f239a382bf87fe78d
SHA512 ced2cd75d5d91bdfcb6b614c201a7f2bc2aca837c041e3e459990df1b69f644a3a845150bd263c23bd70da173bbc0cfef6be8bf61c28375822289ae82f0a3d2f

C:\Users\Admin\AppData\Local\Temp\GQcG.exe

MD5 e779588ed7829eef0e16c99ddeba02f5
SHA1 021258bbc114eac116f470715b20999ff3eb9c51
SHA256 c27175d6ba0c2db1b4d7fb05861b7969e8889a6c2380f2ecee908208e73199c9
SHA512 1c03f6b6c86ccf71298879dbe0f0a81fa0d45dbc0d3e22ec11f757cbdb999645d0bde163340f4394370cb0af44feeca1e86436af495aac441f285e8417b33d28

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 c55bfc670b01f0080a6b0dc5b0ba07eb
SHA1 1fcd2bd3bc72f0c2f2979a8f13c83e5cd06d16ef
SHA256 7902da88fc8355da95608619f56515532b7abbdcd5920c06b63530b7999dcfdb
SHA512 b90d7ecb59e05d12e9ff22ff92d68d0a4cb2608544ac8745640dcb32e443f6ebd52d457b718b8c9fd019cb13c72e0ea65057bc98a3f5b44e8c13a56b7eaf2571

C:\Users\Admin\AppData\Local\Temp\xEUC.exe

MD5 bd5d95dbbf13a0a2793d8f07d5b75339
SHA1 7675bcbdf567955b03472ff3a691a6e4f5bcb438
SHA256 6af433b45de653ee000acb97323eb2bb236bbc1a155cfcd162f8eaa4ff8fc93d
SHA512 bb9a0775bac885473eb5d1a04950112db102148c41fea3c31386d742b1ec0168edea9d8860763b790781b790b0c3751b1e96884cbd4b9b222768d93de46a6f5f

C:\Users\Admin\AppData\Local\Temp\XgoU.exe

MD5 f5db2980028f9999d8c1f29cb2e53a9d
SHA1 4a3f6b67fe929689f693874693952322c27219d8
SHA256 75413cc19519d735a31beef609a6c959ab39a0d4f5dd214a15c1c92fe0dfaf3a
SHA512 8518595c7ff0f352a28661f8344014db928c98a606d5dd4c0c9235fa6bed52257707c0939d8998fd37edda827dba95c70a6410f15b57594aa15d109a8cacc4dc

C:\Users\Admin\AppData\Local\Temp\bkMq.exe

MD5 cde70b52579a7fcc715f895f7323c086
SHA1 681982fe5e1e18e055497a4b42019a4fd1765e93
SHA256 519dc818c85febb7cb043908489f9463f0a02568ba2a947b2d30deeea4913c32
SHA512 19f1a816b841d08b19dfce80f9ae41ebe290c2a4d21d040c7ab24386b189d32da295a9a675ece78922e0193ed142f594e8d60a49c7c2ac4402fb63b2b59bac7d

C:\Users\Admin\AppData\Local\Temp\YqMsMoQE.bat

MD5 cfddff75be77143641a21d00e7652aad
SHA1 a4288f478065a91d8c8642b513fec6adc77e60f9
SHA256 de7f5f5eaeab97be8f54bfcf762ff130a52eb1e1d6414b3776b48fce7edfb672
SHA512 d52235aabe0c586ac453c884108d9753eb5912936e00145b8bdb4ff08772a15b29f96f0c32012b88231dbdd3ed78a1429e5603d15843dd35aa39c80bcf718ab3

C:\Users\Admin\AppData\Local\Temp\VgQC.exe

MD5 752898fede7c5a906e05f55400de60c1
SHA1 62e303adc55a4946705d983a9863734100d2a0ab
SHA256 71c1533b0db90ebd0b0d72b28d1313df25729f0e309e8e893b610dd52b12128e
SHA512 313e5dcf9ea1080ee8a49f8f171c45a0360325a00ed910d15f2427363de22717b746b031b82c1a8abf13e09515553916d2c5074ac764c52cf0ebf82a10740a07

C:\Users\Admin\AppData\Local\Temp\wIcE.exe

MD5 bb55b38103424b0c5209e93337cdd706
SHA1 a5f00118087d12a971ad7600ce562323c267e190
SHA256 31c3866307ed9c706d424139eaea2d9d5ba5e6b7d0307d4550ebc281642d6405
SHA512 ac356a8009d4964c149ccd20b7ce1f7034f4997bbab24ade93386062eea37438a99857cb5e13f48367cc565e963488b19cd22cf7d7fd9d5ea0466191c652ebc2

C:\Users\Admin\AppData\Local\Temp\IEcA.exe

MD5 c99220bf82622c2c2a3180b2608524fb
SHA1 18a86cb9970cf7c81521938d54afa9e1c1bc8e35
SHA256 120fa23cda94d713cb628201ac94469c9603687df3d042baaa26ade5e90a6037
SHA512 d339800b7c93c3ff0aa1a2d7fa9dae5255d3e8d35c995a90c8d38571ce8c31e93c1b37cd3539132f41f676947f58fbb9fe3baea2190a0b42ca440fbf1cde17e9

C:\Users\Admin\AppData\Local\Temp\GkAQ.exe

MD5 143f26b3abfdf7de4dc1a809ef4691be
SHA1 7452eb9494ddf9fc21a796bc92d3821e80bc3ff5
SHA256 83bd3bc75f9f0c30c4f2f20f2137f23c2e2cac7d05dbae457b61c25c9aadcce5
SHA512 203d4fb2cb4b14f3bb146ac22001935042cbc4d2c1a7b26701a21d47e1c35330d571117f07bcca33dc1cb8e0ff1e7f0da3945718d499987db247c3e9102a0fbf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 9bc5bc3ce72e27bf68fcc29d0d28f1d6
SHA1 a0260baf164abfbaf7b9545de710dc2e46d785c5
SHA256 ddfffabccede124db94bb58ce301a423422e7e25621b345e2cc88dd7f16b30c6
SHA512 7390cf9d1a7370e1f1ad3cf11cefc4316c5df282c0da4266fd1dec884b5eb490043057c21469791482780b3bc14ea13a645635f46c13c90f480d9a5ee4d077d4

C:\Users\Admin\AppData\Local\Temp\Fkgo.exe

MD5 90f9bb36a88096d7e2f7efe796260a45
SHA1 63331fd22569c72cd873418fba9d6cc3c32412e0
SHA256 65fcd993f270c561af1ca3ad31ee86f98a0efde73c4052bde04551d45daffd5e
SHA512 06b4cb2298992f1a23948b57ef860b29de401570c76e9f697ac5a5b23449c25ec492152fd43d558252cfac345374abc56eeba0718aa53090a8bfd10aa44e1ecf

C:\Users\Admin\AppData\Local\Temp\BIEa.exe

MD5 8e4d22af392955f22af6f08944af71ee
SHA1 a47e1ccadf599ba0b391e24c4ef9acb18dde0fac
SHA256 d7f878e9c7740cf4828ec43ab1e154296e52d2d9614da7cbcd0d0aa9cbae0a95
SHA512 0edfcdcd7d046010a85db842f867c88c0db0b48967cbd7711e3b7c659a0b6eb641ce9c847e9c6d05f5d7d8fb6805f9478e68f89c362eb7f4f505811123b772a4

C:\Users\Admin\AppData\Local\Temp\pwMa.exe

MD5 7130e5b43c35ca5bc67eee9ca67eeeed
SHA1 157c9c5ef7e0d3c427498aa061a69fde68c77db5
SHA256 c877a44e084f528a2a95a22778e94972ccf0560c8abf26e7f76f8e4706423113
SHA512 94a3015a87afa7b2dd91ee1d03df7e625897316bc3bcabba934e17074304ff78fd8372a609a51701460ad40e7ab6246a919f7c9bed7428dcc7536abd50fb2109

C:\Users\Admin\AppData\Local\Temp\NAws.exe

MD5 d5978f920485b471888a83624dba770c
SHA1 f61a9f3823e8a08846e6f5de0f31052575b1ef0a
SHA256 9e959d2e1e9eef43dcd69d7222ade0974fb1c8654e5002818e42c4bfa61a44ac
SHA512 d6580acf20136aede85234a961435588376f184d09bf52d117e373c30e126b5e196d526b90d32cdf61b50b82837e97037d30d94bf6fa941528f42984488d12b1

C:\Users\Admin\AppData\Local\Temp\xCYQ.ico

MD5 9752cb43ff0b699ee9946f7ec38a39fb
SHA1 af48ac2f23f319d86ad391f991bd6936f344f14f
SHA256 402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636
SHA512 dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

C:\Users\Admin\AppData\Local\Temp\iEsW.exe

MD5 f2d2a3b972257c1e92ab39f1ce2bbac2
SHA1 df76b05102dd1acb1ee7fea2b7b3a446195bda85
SHA256 a8b17a56a1cdb98e19f93d842f12bb2b0fb2f1319ca8fab0d314e6649f367fe7
SHA512 0859795cd5679ffb4b1cd8b178246d772ba96953cc611f05b2c8f1d8f84c2f6f41a9ba090b1d5d93f5def25b8955e8a42d168aaa3aeb9b4f4c9ec73b0f5d9578

C:\Users\Admin\AppData\Local\Temp\kUIu.exe

MD5 9384ac0c9e899961291598c91bb359ba
SHA1 eea0a9a47ef3a356770dfb2e16f0df3374c54d17
SHA256 6f3019879d440833648e3ffdc33158405e72d4ed7941752fd56d49248d5ebf47
SHA512 674ba9ab87e2d0973efe07d0b5533b62e10f541b5862e0e83da01081bc54e936152be55687fe152011fb674be2ea685c3a97566299c071b44a607520ce6220c8

C:\Users\Admin\AppData\Local\Temp\rMwk.exe

MD5 98d4066c3a0ec0537e0fc90028f3b279
SHA1 ace95428059a4a2f178814f6a93761d3d9275fda
SHA256 14fa87bcbe379c5a529cd21f1c492ea06113cd477113f5ed9d0121d46e39501e
SHA512 4184160ff8020e18840e1145b0c06b8172b641c9f16e3d71289ccb0b3eb45543142c798bc1ba5f3c3995ab1f8ac477aaf68052a1af0e9c4cb330ee040c7809a9

C:\Users\Admin\AppData\Local\Temp\OsAw.exe

MD5 02633536b8eb46bfb0dc1cd44ed08d96
SHA1 5cd0ee907f26eb17e60f80c99efb29ab81f10acc
SHA256 d54a67d5b791fc05c8e994f59274c91a8b1f41f85362afdf40d762d5788c7079
SHA512 b50dcc44a4b9d5aafc118dd3102ac7fba54f4583e6ff06ca5bb0cb13c06e193d7ebf642f29395ed0073cabd74585107a87756dba6af9a2a1de441f2969de6c78

C:\Users\Admin\AppData\Local\Temp\hgcq.exe

MD5 1ac679d9c74719379047203dad838403
SHA1 28a6a4ad2f350474780452898a59540d18379564
SHA256 31bc0dd18e17d845e9b43850b75bb0fd2da1247b080e97164c30b60eeedf999e
SHA512 cb4fcf680c9bc1d3bd65205a089753d9a35015afa6d8f3b90eded7f9439ff8ea1d56f0a1f64025841fcbd8fccc3e3d142d5c03a7767b6564c2d24d9ea45f56b2

C:\Users\Admin\AppData\Local\Temp\IEki.exe

MD5 be1aad337eb9e4f4ca02880aa1903b70
SHA1 2b1b78e4e403951f01904e48f48f8be5e6d8d15a
SHA256 61aad8cd47adcf5e85abac89b183f7835d4c01cebdc47f664e23d012baa2a6e8
SHA512 bc974b5755eee9c96a0277482893707234059c1f08dfa40d59de39df5436b3ff8f7f225304ce2d21b1752530a994f2eed9d54999d021110e1a13e6d88e172c0f

C:\Users\Admin\AppData\Local\Temp\soYI.exe

MD5 0a866a38c60256f3ff161e203037fefe
SHA1 3207e796adc2e380278fedb9e8fd792dad450c10
SHA256 c078180a9d56dfd09d3307c013835e66ba0e23d269de8e3c275fecbe42ffa619
SHA512 0d4566b4f04d2933899d5c9567381bcbc56f298ea1cda23856174d600c5d29d878729bec733a076d9985a6efa41ca2716480ae9dc29a93d665acc651c6bae3ea

C:\Users\Admin\AppData\Local\Temp\qUwu.exe

MD5 09436b9081f772f70ddea8d5b87f1977
SHA1 2820a42bd9e3641694042de781ffef715a39b304
SHA256 c792d094ed7439139911479aa8c3dc0cf96487f97e2c17f38a020278aec08939
SHA512 26c809222ccd9d0fe0dd50ac5bacecf0ac726d4657025763784cb810461bda710a1a494899849d61ddd1a757943014471f3c4305a9bfe77b4f546699429a0997

C:\Users\Admin\AppData\Local\Temp\IUwU.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\LUAo.exe

MD5 4b2da98371c7c1c62b7f319125f0f2e8
SHA1 f841f6d54e0d5c40bace35a72c5a632e1ef61809
SHA256 c3962ff9c4979e9fdc364376223eaa9a7eb9ef51446d7a4f567bd9cd3226819e
SHA512 16ea0c334b348a051b981278981ec08f44b564dde7d80e0f01457118492351d10e36748bbf9d73d41a6a070a38cacad22ab658443eaebc127a2d7fde21950d5c

C:\Users\Admin\AppData\Local\Temp\AQEc.exe

MD5 3a540379321cac3182efd73efbf90e63
SHA1 3faf03ef5878f6370fac301071013d3d68017ba6
SHA256 629c203ad8d4c3308c34810a17ac2a0c43cd61361756eeb225d37221b3663ba9
SHA512 38e16d1d68710ae7c3417324ef63c8b9d76a279d297766ecd3ba17f1ded4f5a3f2e2c286548dcf03c9a35ee5f5620f7d48f6547c68278f445b881a7e678bfa5f

C:\Users\Admin\AppData\Local\Temp\rcwO.exe

MD5 bb2395194d36617fac4f550eb3843362
SHA1 84251b1605ada58f5169dfaf546a87b5a9d392cd
SHA256 0ae93273a774fc142eca9828e84808227e1ae26b8313eae590db91261b319177
SHA512 6e120308414bf1179f4d5082a5626e8db4426f97719effe6387ea6762b3ff0b917875b39aeaf494d95611e539b2a154a38e7d904d66ce885562d1a5bbb6ec571

C:\Users\Admin\AppData\Local\Temp\fQII.exe

MD5 8fff3ccc1e74a071da1d975971ad43d8
SHA1 e7cff7b90f3ff35450dce03bfb4ca661577256a9
SHA256 94f8d79b97e2d4199772c32983c3320492c8b1a4c16227b0327ce4514d6c73e0
SHA512 77fd2ad06ff237c451a59b16f44f05f16a047386997c9dccc52f4fc5126f561b7954ce3934bc46e4158b828fd8df26f4c20aab7c0d3b558bbc8425c317a00f5e

C:\Users\Admin\AppData\Local\Temp\CcQwcAgQ.bat

MD5 b6a14594c85861db4104573bb425524e
SHA1 6a9ffb2eb7e0c97d46a014fdd977a6b4baa32021
SHA256 633375d35a88b54f4418761eb7785842aa0e2dff6d7516fbc961b8865f30016a
SHA512 c823e2add18f5b42bbe15c7e32a81090b0feaae63e8823f245cdcfbc6448e744c4dc613ca591f35c40318c8220a6a7dae345796bf4c9c75287466a9530f99ecc

C:\Users\Admin\AppData\Local\Temp\pgkW.exe

MD5 482ec39fc541bd1feaccd15aa29de0b2
SHA1 88cd2e83223e03a8fe4fcd62b29ec30cfcde8fae
SHA256 ad0faa1f3df8b65f4457b26c21bbf0130620f92f51e278cbc7adccd31b5ada3f
SHA512 37c8b3a9ad9e3dfdd74e6b5d534bc65bc15f89222868faeaaca5b514169520c8b0c1a064c6fdfaf8350c929a96883984403bb10e507da48c0b4543af81bf92d4

C:\Users\Admin\Downloads\EnterEnable.mp3.exe

MD5 7304d217c222520d7f285259799123f7
SHA1 47126656f8638f6b5daac5b1eec545ec356f45e1
SHA256 d6eee79d914b5962db2dc135e3bc707ec5b1d526bbfbee9960a1bb9e19dfb87c
SHA512 791096dcd5b7beff7d18f6af1d750efc6d6187044c3453f12284f09923512d3aa863129740c66b9bc9d148117c41e65e1842f0a26e960a6d3f5b6fd1a9122089

C:\Users\Admin\AppData\Local\Temp\zgkw.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\Wwgs.exe

MD5 db3ea643feac09f7dc8d93e6768f6d7b
SHA1 c7503ee0e8b77f818bea09522670d25bb2578aa1
SHA256 3c206b1ce36ea20abae3db06e43a67aa85a079f17a810bd89a8f51ce4e10f72a
SHA512 5eb42a7b49d0e838b9613ceec880a696874cf31d1b71babf8c8089a7d965de34b0e9f5876e873223c834c0c2630bb47776a2bd90e3e7f194bd078d2412198043

C:\Users\Admin\AppData\Local\Temp\NgkMMYgA.bat

MD5 f5b57bbc1a830a725ce7ca884c72c45c
SHA1 e0acf38d317491181293fd50a724a8d6a669c530
SHA256 d0137cd12d390a612aad0d1d4f46d2e14ba4abb9c4597edc9cf71e30386a5318
SHA512 464515d0adb7050ee929851a35c8b93bc1b2b7ce0b59290ff1badbe850ab7b724960b96cd92991fd69bc480cbd60c1386dfb7c1580e7715c57e71455ffdfd42e

C:\Users\Admin\AppData\Local\Temp\SMMU.exe

MD5 11755c7e95231af5aee169e756072712
SHA1 070ecf48dd1dc40b2b07728fc8aad291188ed63d
SHA256 5fb25de23e461ffdca85db0de01abb55f45217e2cffb5a1c3c20eaf1c2f1c45d
SHA512 9c0d6efe49ba5d9fc63c6497d0f2172b8e043bc950c20de6b406c9943f4379f2653e5c4bd46c525b5ef3062284b004d366e6237f6d80d8413eac8b2f943c931e

C:\Users\Admin\AppData\Local\Temp\yYoE.exe

MD5 d92e342abdc8d25988565a7831588f84
SHA1 907195e166dc63c60a405a9779cab84c627c7882
SHA256 0ba1f7b81cd9e888b671bffd9adf44f9060f36c098f7346735e8a66ebe59939c
SHA512 fde2fdf4adec4f7b41e37aef9f9d446cab4401e649d1eaea27e5726bf8aaf8bf7a55d2a5e8d314b45eae4844063eaa7654a17f8c5522bd8889037d1890bf2ddc

C:\Users\Admin\AppData\Local\Temp\XsAw.exe

MD5 6a6e7cdd2440aa362626ef4dd5bd6d79
SHA1 2ca26746d9972b71362114dcc5a3971bcc98e090
SHA256 b23848198ae92495415bb53ee5d850f39314ebe6a8509fd68eabf7fea2d1989e
SHA512 75a4d3ad65f790538adc94056c85f95c68781ea8199483b3fcd9621140e593b9aaa2a576f7da2f30e56a163a7b2accde782f7e2d9023bdb96582bb47ddd9b51d

C:\Users\Admin\AppData\Local\Temp\loIk.exe

MD5 35c10174943c20c4ee7e1c5e9db3de60
SHA1 af0dcf8357abf30789d77cc32f7b1d445dd14b9a
SHA256 2c00ae4287273c06be7d68443cd87432ba082c0665b03b1e33eb78d928bcec55
SHA512 a3e19b151b1843f0fbe72154fb6940dd31952abb268348280d6d4c040a4d3543e8da07b7c1d31902d2f20a33e8419fa1cad370428a2e641f6d6190af5cb71fe7

C:\Users\Admin\AppData\Local\Temp\RIca.exe

MD5 641732758649cad3a699ba20e4a337e7
SHA1 3ba4847d60893cef7b3b71677c82890856ee8a9a
SHA256 95babcc72f5fcab8928802d2ae51fe3d08861a4c982cb067345eb0075379526e
SHA512 84a4c04f4899ffa21e3fb1e11d995dcda58657d42043f88b693650ab8fe5f3141da91a2137b88ceaf08bc8a3b79cd790c07ff7249ee15eb2c53f50832c81f905

C:\Users\Admin\AppData\Local\Temp\wgMm.exe

MD5 699e4060b7db305efe1defcdf2a53efe
SHA1 b318218818b9a89d7afad1e9ee60212b113a421e
SHA256 9e30fc1596219cfd9ee76ef639c6762b0fa7faa52f33b7d95f8499a6e76cdecb
SHA512 96cafb52a317e1ef95ac0fbbdf5d30ca5219cfa02ea9eec074984550b1455ef53b6606544226dcbf0b7c4f92dbc190dd0f310571b24167f4c504f20d87e89091

C:\Users\Admin\AppData\Local\Temp\KkMA.exe

MD5 e5516070fa6540544b222cb21f0dd88c
SHA1 585bf77e80a4c079c12c1e02e06725eff9330bb7
SHA256 355c67f6a0f894c6880ac456fff459df1f47dd00723703484725befa23497c79
SHA512 295de4af54d7bb043bb38e36d7105eeda78df019178305ef4d9faeebdef55e920ae1b49cd816370cbdb7f1d0477048475f4e405439257f3f90fd706dc9f8563b

C:\Users\Admin\AppData\Local\Temp\AQIY.exe

MD5 c81876f5566624732754714cf2677489
SHA1 58b2296a5879627f81a59a356433f07004547688
SHA256 df0f5972281d2b7607a6b53d207d5d09cd2d06dfbe82d1534dafa553b1974830
SHA512 8d7b2fffc26b2217c0bc0388b8f9e7253db86e620672be4ca122d8459963e0353589beb67487d52312ddf749c07b15a32e3fdab1c5086c0dce37738190225e8a

C:\Users\Admin\AppData\Local\Temp\zcco.exe

MD5 fd13382d4be9f24fbc62787033a3ad02
SHA1 08fc389821186db39a20ebf96aad04a4b5be4fc8
SHA256 6827d32104b313f3856da23016b538eabea3582ed58cab7c34b12257c6d4324c
SHA512 fae78d965b207d62c4ed6bb2d2dfa6a1d7de6ba94e59c65f1d3743a5d7edc0625806e1ffbf083dc381ed721c1dcac50d1dee0fdce2b21431ee99fce6064e511d

C:\Users\Admin\AppData\Local\Temp\wcgu.exe

MD5 103b8fa87dc3c37129dd2eafec24b69d
SHA1 aa02b90b411a9ed1e4e9b8a120429679b0afc384
SHA256 28aab15f10327956851e9a38c8f8e636999d7c4ce4411df81178078616849b5d
SHA512 749e3dc6462d372a67a95c57908566254a48a24d7345a4d4e564fda40698d8ad2f7a5e3ed838f103714502f6d9a781dcadaa1e2aea3ee0b4fc8e1fd8f537321a

C:\Users\Admin\AppData\Local\Temp\ywIM.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\vwkW.exe

MD5 cc1bb906412d2f1f6a49df577afc706d
SHA1 c6f32eb5e036d37f29b65a9c3fe42f463e74bb1d
SHA256 7646f1b46cd3b989d6233ff52ce12bd5d83461a059a241e1b16fa861b704da45
SHA512 baaf870558991fe6e8287dba06cb7cd9e3e7fc6aa96a9023923662f04cc727ec93125ad255769940d42df4a0f16a1e82100ec19ffcfacef1a3c42dc9732632bc

C:\Users\Admin\AppData\Local\Temp\cgwY.exe

MD5 937bd9e290e3ba75ba480441c878f85f
SHA1 892c8546f9ebd710759d875bc2bd21325956efc5
SHA256 01759f36cf68ee2af96ec1415b4016bb9fa59935e848a2ba88ecd087cdf5bc24
SHA512 dfe9666fa8c142302a2bc2d1c0e82a74e0dd558f4fac538e1ef6d617d763442cd4e7036e84fa6cbe91594dbab19ccd47ae797be673026314094f707c335a83f9

C:\Users\Admin\AppData\Local\Temp\xYkg.exe

MD5 f856a3286deec0764e3b14f6df5336bf
SHA1 39ca3009b6180649f54fc036e11a294389782887
SHA256 591e971ca3c4abaa742c3f80636a57aab64f4e72919e89ca7ba43994021bb906
SHA512 ed3999f054c9c82128bee5d406323f5a074bdb6129d6a4e7df60e39394a8a5f9380c8dcc3ac4def8c81222187de7c8148cc1bdf6d5e81ad6bb144219f0ca120d

C:\Users\Admin\AppData\Local\Temp\woEu.exe

MD5 309ce9610d57f657bb219bdb0f8188b1
SHA1 499f46292c6750418454c0b951be9faa9329f9fb
SHA256 f6fe666658058aa3219dd3a91d8d8400812e5915cbb6d14a7ee5cf500ac6c37f
SHA512 ace16a406cfd600cb9f67b38e430a3692e514e03ea8f630f2b9e7088883d601b0eb2fbf14bfcb45a034fc23408f59ad32234fa70714f98bdc72f0563bf32176d

C:\Users\Admin\AppData\Local\Temp\IIoM.exe

MD5 d19298942e53513014d65868a26a8d69
SHA1 6f2519616211fb3b611154c69f18ce91eb6e94c4
SHA256 be3d895bcb3af15479982bae789613640706d75a5eef1d799ee3ef33749a9323
SHA512 67a803655575596e1a6e89387cfe969f4cc67aa3acb09bd649b92bbad5b01a0bfef8e85789ac8c27b0fdcb6d262f2391b9f2a4bcbc8088158a0c23016fe0ef9d

C:\Users\Admin\AppData\Local\Temp\XMsS.exe

MD5 0225d0f67e8f1c7c14607ca335083b87
SHA1 cbafb0f4ac23336c3d4367f78ea236c73ea1ef65
SHA256 0383b1a9c340d0709b5466fe12e05f05e5bea8e698f0cd9ff14bd71902b92099
SHA512 8f4f3709f79f2052daa3a3677ba1dcaee7512815f77f939bb66bdaddc7e106721ed7b8611b4a1905e4531c8b9f1d63757c6d3ca84fd91111da33c34632a828fa

C:\Users\Admin\AppData\Local\Temp\iAEUYUQg.bat

MD5 35801879d5b9f104271d70669eb70a95
SHA1 20d80a41fb661e6824e06757edc84ee0659082ca
SHA256 afd5d49cb4375c1dea0acac83522c61b7f11780effd6ef761e55dc52ad0bb270
SHA512 8e1e8a157e365869eef3ca496044a3aee8ff8970b61d6d5c8e540d485b67dfd4b8aa7ddc657e7f0d1b7397da0923537d730fc17975b80a3a927c8c5a678e4202

C:\Users\Admin\AppData\Local\Temp\uAYw.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\zwgg.exe

MD5 dfe1a999e6e314515dc9a9177aa21129
SHA1 538672f7bf23725c1c8dafc46495c6f09a6cb2af
SHA256 a52a52954e9569864a7d40e62815c074c684d96596b91b6be0c7f0c1843fb858
SHA512 0161da20278f8874770b35d9fd2e460bfb90a90396e9045b75c4398a730418fb389ce6e2a0d30afd3d094a687056dd1c81964c7fe5f378e724da4b67c626d874

C:\Users\Admin\AppData\Local\Temp\Bgwm.exe

MD5 87c781ba4f9195ec1b40190fc0d9e2e7
SHA1 da142e97763ab42a83d68f50fa688b62f4a1db9b
SHA256 66fe14d12704354042a0da3409e5a04bb7ff25cbdc3caec621130d49c7b9ab40
SHA512 ebba9473631690dc9bc27c9774cd163383d99fa56dcf5c0d4bfc0c5cd8aade66ccc118191a35c07c08a51ec1227825fe14d3bb98adb13e9ff7d100650fcf7051

C:\Users\Admin\AppData\Local\Temp\yUks.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\RsUo.exe

MD5 37fb134c483ecd2bba47679b7a144bff
SHA1 7b7233c2fcf0b9e170b1a8e289c238361d0fc169
SHA256 33636b97dfaf0c606203cd0e461eae9df782eb66101d265227d26b3e4d3dc270
SHA512 b0aa852393d433816056466b092d795c62107511fb3f4472a1a7293007d09939aa10fed29294855de79fd8be6d500f4e2f2416f25ed17ec6e3cedab6fcc61d08

C:\Users\Admin\AppData\Local\Temp\yccC.exe

MD5 4205d3ad55515caf1cf34ea1414f4c52
SHA1 944feb60def31d3e61aba0137e0b24767426d574
SHA256 31ec3d78700be7671ac88d91deafae8834272118bb8f953476dc9fc268bd7058
SHA512 8a382384a1b1180f35c9f50c4be88dd795ad4190704a919b8e05249cffcf5e4f8a9bf032fbf07e34e5689855f53de274408abde4661115f77ccc4f9108d570fb

C:\Users\Admin\AppData\Local\Temp\ZMUW.exe

MD5 8534ddba615c2066deb0e0de9c43c43f
SHA1 9e29fc3a6aeb31acf84879ea30bfcd993a1cd35e
SHA256 1f5b057c4b975146ca91b0a6a1051f7a8d49cd195565eba2e41eafb429f49839
SHA512 27a87443c531297a0450d78c7a69c16f0bb2d79abc0de3df1efd3def66b6536c6022aa42665d364ff7ca4791cd0d33c1008f9bf814b6f5269aa8eb011e0d4f8a

C:\Users\Admin\AppData\Local\Temp\XiowQcsY.bat

MD5 ab75b13cabb35a7c953e55db83cad69e
SHA1 15ee9d8610e3798534c41caf051fa0b17856327a
SHA256 27189b3b290450f36a0ad8a9f6b2e881c017d3353e7622005cd2921a4ba97b0b
SHA512 994f466774976b6b14fa247ebc34da4ba673624f41092f547f7c096a339e3107b73c9c4465f9a1f326ad187731db9bb7fc8ffde7d13d523b12e67052e51e2fe3

C:\Users\Admin\AppData\Local\Temp\lkAc.exe

MD5 8fc912550cb28764cfc67cd1ae8a79b1
SHA1 81492d9bc7b6eccba8418dfa0b1b79f8b1c927e6
SHA256 9cbd8bbb63dd24f4f925a39f3a2e74260c1b74a07f04384ef94406f025a4a8c7
SHA512 36ca9119d9ed53713c9b4ace62593cd2ea42ffc0bd32e88f85e976ad9e8e41cab5fd4538d4e1a0273d2ea0973d2db40ef6560b8317896d12de490eadae3a683e

C:\Users\Admin\AppData\Local\Temp\RkMc.exe

MD5 dbea4a7e60c141afd1c7e04741b908ba
SHA1 9026ed9ff4c0ba9d2386fd1c565a94cfb195c095
SHA256 54ee55f06d78671436774b03588451a9c2e8641e6302af67ec1ca38092c1a083
SHA512 e868737342240ddb046ccf805f87950428850fbbd30c8052715d27e2be59e9d33f3b3d716c4e8ff4a8570894d848d79315de7d969290f98a994522010ab50a2d

C:\Users\Admin\AppData\Local\Temp\JAkA.exe

MD5 5840406826cd83e527a442ea849f987c
SHA1 1d3806ed79f65f91d6639a8667d94313b9924e42
SHA256 ce4acb9d99e273d090cac154c99c6e317fc4fa54a5b71a08bb7b343d7264804c
SHA512 923cfece4c157fab1c205461a43a492f532a605e80a85b3ecf7aefec080f774e1b20260f93620d6022419930cdcc86464e1d9ac483236a1cbcdadf6e7a227ff7

C:\Users\Admin\AppData\Local\Temp\IMwwEMEU.bat

MD5 09970cd438e5305770d02cfdc91e46f1
SHA1 fcc64d96a2172daef12998b12955d9f40bc3afeb
SHA256 935506b19f62e6d6dc8e6bb36ec2865f9f930db8e9d4ab1d8417c3f9061a902b
SHA512 a118f9cb44a099387d32c12ec6467ebbd3ce8e51d1bd91fc0ab58c314fb6f09a0c39a8e810b959fb7a7d8dbd049abc237876ddb18187023d3456c41978e53c8c

C:\Users\Admin\AppData\Local\Temp\Pwoe.exe

MD5 a28331dd32e84b25a7592b91c3cfdba2
SHA1 f2d5deb7da20d2614bb125ba336a2bb165aa5f9f
SHA256 15b00c5524036834ddc42d734754e9185cbd92812ed751daaa36d3a42cbd3a85
SHA512 00e951293df26a5863cc2b6702a16f34fdca10382908967b4d384af07c6e59c3e2f4a89f1b18f7dd7295c99dd068eead25a9714c2759c227e6870df0dd5e89c1

C:\Users\Admin\AppData\Local\Temp\BcUY.exe

MD5 06d2f9e51f306ee312959655072ca50f
SHA1 f22167049beba74b3395109b25154d6509ce5040
SHA256 af1fdf0b24438bdb31c924e36f64311e3c83a954510ea256bf4aa397242eec4e
SHA512 06ef9a1a3139a675ca2391577646008add44125f640e2d9d4f86b5c5de4c2391ca68dd5ffcd19e4f5ee905bf9d5f5a077eb1e861734083266f8f8e3579c0028d

C:\Users\Admin\AppData\Local\Temp\DwcO.exe

MD5 c7073f225e9273310f67d3dd6ef5a2a0
SHA1 c90521b8894dff23ef2c2a5d15f3db0a133ef92d
SHA256 853bbeae4812838e4f293ad455af7d9f242ce346225ec33f2b5011dbbf1efa44
SHA512 8dcdac3f047688fe21718243d2f5281fb7f884c38009950ff993314152e1c3faa086281a7d0d9b9a0dcba21b4a315f33aa822a38c1d0908714ccfbef7dbf7783

C:\Users\Admin\AppData\Local\Temp\PQgg.exe

MD5 2ba306df0bcfe249f8562b9ead5fb07c
SHA1 1473a6a0f5cf33b8263b6c2e482f87f0b7421c03
SHA256 281a6e2820df57a1f98737120078ea65a8127a6c7e70f8f8ccecfeb6b1522fc3
SHA512 74c0753d2d313b65ad680229e10af08503314bbec96fe613009e00414b8f7f92a614ba980f097c6690eb1d4499707d4a116f9bd00f1ac3297fb62de0dd594dea

C:\Users\Admin\AppData\Local\Temp\NaYUAMQY.bat

MD5 b9a0377700601dd05fcd18930f2ce213
SHA1 dace904a04eefa2731d855ccf2465a697c7a23be
SHA256 a9c11367485ba58c3e1791b5826915ede1ea596bb952a6f53d5bec4e8a1ee581
SHA512 8aecaf05491a777e78fa08d985026114ff024d5e12d9f27fe00cc1d9a71a56f775ef8b439574c124e34ad26d5a25549ecedfa14b71b590aff9b5ddc98764c354

C:\Users\Admin\AppData\Local\Temp\OQYM.exe

MD5 4974e8933307f25ceb52052d8f3f759d
SHA1 94bee8301193c6e8106e8e9664f78c2734780a55
SHA256 ab7687449eddc23ee091df8b317d7615bec6ffb250ccb204c84baf72a094a624
SHA512 795343f7ff0f874eaf66366d89ad05b51b494e72804e79a689ce06dd34b693b7c8f66e04383db08b24093397a64c5d5e5aec3aee16b20f206b7ea4d3363b31c4

C:\Users\Admin\AppData\Local\Temp\sIEs.exe

MD5 265f8e81616d57aaa3069f045cde117d
SHA1 36f16f241553a5740e3af09ba162836cfcf6a346
SHA256 2cff00f6f2d5a724073513fd2b865ef5bdc656897018a34ac40a9a831b40b217
SHA512 63168a2599528ea8f5dd5de7b83b2a23f6c29105f657d3fd981418de539b0a5aced1065d680f7ab54c9c1187e2823711a1498ca4da27c5cd8e3d07ccbda99061

C:\Users\Admin\AppData\Local\Temp\fkEa.exe

MD5 b35a5c7df4dd795e0dbc30f97ef3dfb4
SHA1 3be6a59c3590a1a14e92d62ecc13bec4e08af826
SHA256 f07032668e28e8f4b4f1885e78de5d3bf8e2f4bf7781b1aae43c3f9d6c5f07f5
SHA512 c52ece9dfd4b09ee1272a7ece92d06bc42dba5873a4d939710755667ba0c8430c2c1025ba37e45baaac8309a7d9f17802a2fb1b198d1eaffdfa6a1735eed3dd9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 78a6602fd2e8e8353f568e28ec7cc3e4
SHA1 0cfc864f9a27bfb7d6d0d1a6cff62e8a981a73da
SHA256 c297f7d9ed680ff33bd3d700beb536c9c7b61f34b90b21ef912f0c05ec05755b
SHA512 b2cd5be168d6e7dce8b9fe8ddfada2b7e4c14695863ae93b7a5ef0aa86d2ba3453afbe3f88081933c4e142f2fb241538a203a83f0bb420a2e0d99adb0251346f

C:\Users\Admin\AppData\Local\Temp\rEco.exe

MD5 439899a2839b7caa79504166e0f87cc7
SHA1 f68d92a28e854679590c6689ff3fd6ea118bc055
SHA256 43719b046914d74cea018299c6ae4dd9bfdecfd19040c3895d02e2d0fd0ddfad
SHA512 cb86cad4736f66af7a50f5a91a90dfa919387cdf9e17583820e024fd4023eec6f0314ce0b1d082d16905c7b8e9bd672b758cbfae89f1dae8dec6d0967550b7cc

C:\Users\Admin\AppData\Local\Temp\uUUs.exe

MD5 811c6dab84a08c590b17b39a8d9637bc
SHA1 9eaa25868e3abc880ed3a8665610b791e2d09751
SHA256 94c8d475f0514a8d88e87b478ac7566c899f20ff7507f59bbaee70f764d1c5a6
SHA512 622cd81a711d1f5d49e190243dbb4bdb1bcafc52cf6666ac8c56f0b15beb65f73514b420627f423f43f3ea20bf8017a1100746289c88702e777cca751181667b

C:\Users\Admin\AppData\Local\Temp\sMQu.exe

MD5 f5bec3084d8e29c214faeffe77b8b576
SHA1 5ab13326a0cfc90cf4e5550023a9d764a6da1faf
SHA256 b7c9dc5045d13a482ba9ee19ed4ae11e510cbed15dd5d37802be968b68e47bb3
SHA512 0023ab9363208b8f7477ab8e554a94398ecf1ca5a34168c53675688ad9548c2c6a6657e7d8f003a361090ca149dd1cb26ec8cc541dd444de13624efd7ea9c08c

C:\Users\Admin\AppData\Local\Temp\MYwM.exe

MD5 61c922e7929a2011155f5deeb183c915
SHA1 ea51f53607a3e4d693816c1987cb769864d970a6
SHA256 4b90bd56835aeb7e6d05dfd00824b8ad8564d78ddf81fc0c3fb86766cdd7f38c
SHA512 904c3f98eb9b2115f7e1fa9c8268e295c815f89ff1e849023a097a6c84d92ca7b0765eba59978bdfdffad6f531c49c59a5e05e50b82f49e47189ef280c3d7436

C:\Users\Admin\AppData\Local\Temp\RcIG.exe

MD5 7cbddf1de79f2b07ba3df103945c303b
SHA1 d49307d07d0e6f9650f5f99f14d7243e9ee69313
SHA256 87dbb2f59afe3e1a9fdf384b969890720a31552ff87d7607f8dc7e7ac0ea4b6a
SHA512 b0827b194e4333630ccee192af948f9deeec4ecd4a0390f0b632aaa1e64046a699453bf6e88c11029d828bf807802c26afeb6b668f6158173802d2b636875097

C:\Users\Admin\AppData\Local\Temp\uosq.exe

MD5 32f58cf008c97acf48415ae6eba5e9d6
SHA1 a2e92f8904634d6f8eabd5308e27c449ab5ebb2d
SHA256 0b9ba8f1e7b41944fed99398ed39cdc9984dd03ea304114dbdad56b9cb44505a
SHA512 0dbae921938e49acc497bb154f574f6a50538928f000850e4bea8710fdc8dbb4ac9fc3feca578289f41b6efbdf2cd3546a7693510fcf56cd85b4619eed6d9789

C:\Users\Admin\AppData\Local\Temp\dAwoIEcc.bat

MD5 9ee865178c82bbefc40b893c53b6363b
SHA1 c08cd9b6a2f8c3d3c53cac0500023500d829644a
SHA256 e6c3b55c8b9c47b49f3663477531fb0e74fba84f7a782a46eca52b92ddf2f881
SHA512 3c4873e593f07445417845eaeb5b1e57219e5548f24f4f6769abe54dc00e4d05ac3bcccee27c33f7d204056fd9cdbe4051395e4307bd671efdea2f4d13df6e53

C:\Users\Admin\AppData\Local\Temp\ksoK.exe

MD5 085c484b1e7146e45e708bdfa6a41dd0
SHA1 578c31070e5a731ca9b2b723e47253f0b389a21b
SHA256 1151f97098d00b7a6dd6ba4d12e12b3bb3fc4df3923d1c0960ab3e653bc75959
SHA512 c8e41346eb7a59988862a7c872bd7f74aa80cd92db39cd54c25acfdd1c91f991608f0892893208a1ddaa663fbe3f01e7cea7bc4053b6ad68d476d94edd575243

C:\Users\Admin\AppData\Local\Temp\tgYA.exe

MD5 176fe4421591647f15e03620351cf6f8
SHA1 6e36de37553242e258c7bf60f446507dd2828bb0
SHA256 70865456d9f5b231e300ed46cabb24c5a6dae5d700f88be539f55c8b978e6f3c
SHA512 710f04fe3e719fd622269219d2d5ad4c3b364b38e6845bb01b18808614be76685cac1c7bfb173e3fe8ae365e23d1db1a474229bf1990dc026db1658d82ef2c5e

C:\Users\Admin\AppData\Local\Temp\tkYU.exe

MD5 63492f83455d227cac5443ed7a85e2be
SHA1 c592e103cbde6a4f4896cd669f7920cd80d07725
SHA256 04cc6f73c3b589ecf79978dc621b22fc4f7f391514d1969f49ee76a20beaac75
SHA512 a85df8a717d9a91e9ac521cfcd708e1d20e05aceb49e2464a719e8b87fb008031278b07e0e49f9d29646efca5efc3d57950b52341f0ed5a0aed518e5da13f4e5

C:\Users\Admin\AppData\Local\Temp\Hsce.exe

MD5 35ce057a48f042e9fa8627b46d62bd6f
SHA1 575587b5e4018dbdaf791472140c537ce1aed449
SHA256 8a95319d99465ae9549f7eb8379c6fe40b770cc4b7ddad06cd77d41bbb5abb44
SHA512 ecff2303a9a589c86e202aa53bad58645a9e1ada1daddf353eac94f315692fc1a36a5ba74f3550a7fcbd7c1106835c1b7424511c339ce47c6f86d7341daf4002

C:\Users\Admin\AppData\Local\Temp\tIoW.exe

MD5 dd3ba4b0e117d743a8020a578af4af8a
SHA1 54189334450f109bdde6052085ab07152d0ea878
SHA256 8fdda350a7106fe201b1c805dad9aa9b5374870570a67d3cea88ec20f4be80c5
SHA512 70d493f921bd52a171421a38cd05ff0b74444476c8aa0d84f3bc42acff92a9d867e04ef660ae4f38cce33264cc17d3acb1920c76b509a6c40efffa10412cf2a7

C:\Users\Admin\AppData\Local\Temp\vAoK.exe

MD5 481a4eefd7bb9be3e3161a21287f37f1
SHA1 8b4b41e95b3d8ce681a1a8924711e8f42be565c6
SHA256 c021fcc5b4fb14dedc7394f6796695cca5c7d6c99939fe16094c2519f1448a09
SHA512 f8ba959e8e6a29d5a08729acd2470382cf44660a5f5ecd3313f5112ec16fc1f494761e06bca298b6e3df81bf5dfadfa2682e86530875ec6eb1ccbcb5e9faa67f

C:\Users\Admin\AppData\Local\Temp\pwMC.exe

MD5 447ba2cb893c5717fcd8c9820efedd36
SHA1 d6b92abbf75a0cf33d3bdd1035a6fbf51bec2eba
SHA256 d1eb0fc0e863b2fe5f23aac00c5794abbf958387e25fcf1de0bb1061a3154124
SHA512 c085a8771cb4e21983c2720fa62da7a4e91d0b69d1b539c43f54a2c89f5b603b6c47b7037e8316045cc004179eb9aeda95c2a454a2b2af19b1d3a251a40b4ba2

C:\Users\Admin\AppData\Local\Temp\BcoU.exe

MD5 4125ac259a9a747869e1e54b5cb5f6d0
SHA1 3e7e2514d02b1d7f5c656babb4ae933329dd9a26
SHA256 e2ee62671561647f3d545fe66350049a05a39c56eba5a6c2c2b85433d0da43b2
SHA512 4773728fbac0cb8bf6da532552865b8a7a749b9ee879fd7d8e1ef893c22b17c4b16e063b3536c696a797f6320e60b6ddd4f9e89b45b683b0bd3e3a91e4ce84ed

C:\Users\Admin\AppData\Local\Temp\esMi.exe

MD5 5ac90b3980307420e09dbc052923ed5f
SHA1 1ffd08fdcf41371b514119356b452f3c5dc6d58c
SHA256 e5fa710a1beed0b5a655d704e2e40961806fb20cdfdd817b0ed8ba16792177d6
SHA512 d2d7ef3018f396f349390d5d1acb3dee55d782d2836ea595f6a76c0c80c7b27346e7667fa37e3a0097c7375e766e7f42511f0cd70bc5b5c27804e0226c3c3e26

C:\Users\Admin\AppData\Local\Temp\rEcM.exe

MD5 0d25d24ba3aa214262d351765572ed1c
SHA1 95a4fc741157c15c3211e1900a6670e0ee6a5480
SHA256 2735e31cf5d2ade3c48d38e29be62761950f239cb776573538d9c908df86c712
SHA512 800ffe90c557e72411ec057a73342c2f21c12ccb07149e748abbf71c2efafa469b404db83dd6a6c532b95a7407325d366c384a145b299a96f03eff3877baa2aa

C:\Users\Admin\AppData\Local\Temp\fgEowMQQ.bat

MD5 3144e3d1389dad55d25b08c2105578b2
SHA1 744ba3252f699efd3385e34543cedc0bae60666a
SHA256 2d8552b2a110e548df5502f6dc5f3cfaeeecc469a5433296fed2cd4797f85710
SHA512 2a327408377ab187842fe1a4ff4f6cbe3ca35448720f288fd9ba1cfcc0b3bf2b39f746baa97ee01f36b8b08f1be4174590074ff92d3a456346d898bfa0402d9b

C:\Users\Admin\AppData\Local\Temp\tcoE.exe

MD5 9222e1ebd45ba4050fa53850df9eb58c
SHA1 fe4978ed3e3eb96947256d1f3251555fbcf15fd7
SHA256 c7075ffab251874df14f3ad09650a2923bfadd2456c688ee54269b0a46f0a918
SHA512 b91e2b7d320bf5dfc70421630e37b667e85aca1dc745f968a06e6f5ce24029f89a5fcfc944f7c0191da81c374f3f33d4f0d0f83381e3fdc0c8ce756daf5abb9b

C:\Users\Admin\AppData\Local\Temp\PMYG.exe

MD5 f890605207b20282392cc0f23beff926
SHA1 893c99f80f1d0afd38773a319d59375460b89daa
SHA256 e8ca1fbdd01480a4c4d8825b4dd344a08350eb21829c96f61da4bda6ca381a14
SHA512 851476ed899d20b162334baae70f415c0d6946a61926f0b252d857f1a04b3628c2e5f5f2b483c0c1ea9d7e790e2e24c931f17e03f39078fafdc0e5de9c0918fb

C:\Users\Admin\AppData\Local\Temp\WQYC.exe

MD5 a16a45d9b589a11a3059900a049454da
SHA1 856465a7b62a49a3a95bb76cd606da2ac8a1e63b
SHA256 9ca6a4b9f05cc34caa6e5fee6d943b4044605db1504a970b1da320a23c77a0c8
SHA512 91730b689a0153246855e68e01607557ce0dddeac489344809acc033087a0025f2fa055d6fd07f3a787af6206bae65a5c62df24490883a0eb93aaed24a76d6c3

C:\Users\Admin\AppData\Local\Temp\cUgE.exe

MD5 317a10200beb4c0231c2b391a56f451b
SHA1 7a9d0256acec9520a9abbabbf5ce29ea71ce53d7
SHA256 4b16a609d6ab895c91347a59bc72b8a4361bec02b30abd62f15e4909d4363156
SHA512 df2b257f57747c8af13ac566a06c04356828991e097ce3d0e2b382fcbeeac7676893ecdce5fe14feae2cbd55db57ecaf7a92f355a6c1dcfd2f10c0afe41f47f6

C:\Users\Admin\AppData\Local\Temp\JAgC.exe

MD5 ab9fda7d2a3780209717a69b37d7a61b
SHA1 ba1cfdfad4424b065fdaac53e587d5f4fd0c8b87
SHA256 1598005b54cdc684b6f230a7723cbdad3ae82e6adbee77dd3d0afe401c32faff
SHA512 755b907f4a8cdb83c20fa59ea9f22a1122f1730a14a8c83a2cd82388524b9ea057bfb3012f495533f81ee2016ec2b7149c71afe52fdb6666f5a28f976f4bae78

C:\Users\Admin\AppData\Local\Temp\gikMogko.bat

MD5 adc5a0920cc8b060806b05bf80f6446a
SHA1 cbf05e90d45bb12e0ae290103211d9e108db2356
SHA256 416f95de40a9c8ba2b4b1af949e24c2416b179aac48f0ee64965684bbc446cfd
SHA512 7011eda22a4c7e9180334cb50ee97144c5d5c07db32ce268e5997c81d59b6194d040fcba3bf3d7ece9e93a92bfd308eec0be88439f0095843e294d4b0123e147

C:\Users\Admin\AppData\Local\Temp\DYsi.exe

MD5 19edc286fb93e431c3f980094fcc9856
SHA1 4bfc001ec6c29968cf601f4ccc89bf77bd7105c3
SHA256 d505eb3ca0865abfc4fd1b00c227841d9d9ea32f871740f7532a1abbecf8494d
SHA512 c8cbf2f6f677477075dd6b9dfc61718055e8d95c322139e4cf894747f2770d9c1f78faf5f24f2d388657e970bde3dbbe662c618bb3bbb84a29796251d1069e12

C:\Users\Admin\AppData\Local\Temp\ikMO.exe

MD5 581efe204f31242c61030fffc8635dc0
SHA1 9a67f9bde6fdd4bc1ce77be855500d284db0f2bf
SHA256 5ff70dca1e1be804235565262d6394dcee886c70b751f4569b3b37b551503a19
SHA512 b38cd7137335dba27ac62e204cf395b3617876167834d86adb98ca31332df862d6dea34f7ab01e8e02ec7b39b618ab9426749e9bb90a6ff071ad090327a6f9b3

C:\Users\Admin\AppData\Local\Temp\mcgS.exe

MD5 19fa2946dfee25cdd466073db2fe27a3
SHA1 90f5360116a08b1bb30915064d9672d0dcdab4a3
SHA256 1a3362556cb0eb0bf86cfd39230567188dd9bfc3324b1c323c3ae343c23ce6ed
SHA512 4288ec8e65e97db77bf5cc9b73666808b9ddeeaa184780eb1411980f96093d52bbabb7391119376ad4528c4afe4332987b762fdfb0d205aecaa3fb2df59eee72

C:\Users\Admin\AppData\Local\Temp\sgcA.exe

MD5 f50ec42ccd714a9c30d88489b4665e38
SHA1 57b289f80c21323fe811d8d06150d95de9424b1d
SHA256 b94f9a6b544fff80a31ffcb0a051220ff59daaeae65059554681b451211d05f3
SHA512 c62dc70195dec3273b1fec67637c1d83097d0d86a0fc4bce8b236862c9f4f15c44eefc8f50de21625161b6f2a7044793bdbca5654113d77a28c99ebf64ff04fc

C:\Users\Admin\AppData\Local\Temp\mMoW.exe

MD5 206afb77557c8f865ab9a0877cdc00c2
SHA1 661b6529c01dc9e6bbd980aa44230c3d84b2b37b
SHA256 007dd3ad72ef17c34526469b356e31e6c4cf1771b083d8e2958926c82b014250
SHA512 09e92d391a70a46d42a304a5b6f4189b2b779a9f1ad8b47cbb9f6942a96425a76a0baa51108bd64adf2e2a287737b83491c6529c640ea19bf5d6f8dac48600be

C:\Users\Admin\AppData\Local\Temp\fMsUYIsg.bat

MD5 cd06043b668873ba4c96bb8fee134831
SHA1 91b4181d462f59fe517fd5d298c8151ab9955293
SHA256 f4d50dc193f9643780593e05c45aae7f7f98df44fb8c63d533fbbf9151590102
SHA512 f7e96b2fcf6098d7fb885f901b879d62a9471755db594ae2ae9a336ff9a284e7d7a753182ae97865ae1f928c5ab0a86c9911a12637b921f44b16761bb7b4e2bd

C:\Users\Admin\AppData\Local\Temp\YAAm.exe

MD5 efa0c0847089f670a49c327efade3665
SHA1 421d8707581daa0d7078a394f5e0068da71794b8
SHA256 babe42e33b3a5ab371524e1c9b6dfb59df00cc524419abf56ea2009f404100ff
SHA512 0be76a707386a2660a7b53986928e926e562f3823d115656e68e1ba52f4c65460047fbd85a328cd4cbe595cf3fccb29c5a66e14a638bbe346c61d211c93ad087

C:\Users\Admin\AppData\Local\Temp\bMIc.exe

MD5 97778c746cfa3e33c09958ba5b8296f8
SHA1 a4c6b13909f463fb3ac47420f5e6f00be5ccfeaa
SHA256 3e29d587970cb4a5971b915f172d30d73e9d828e6204627a92b9f75f6becac4a
SHA512 aca01df4af3572be477206ac36eed8de90f4a51cd4ddfef996a2eddbe74c28d214c95d430292ab095f1acfa6dabb38b4333d666644c15ccb23cfa4ee6ec183f7

C:\Users\Admin\AppData\Local\Temp\WIQE.exe

MD5 16956a8bbeec529e25f20327a3ddba7f
SHA1 e72ced6bb9efa4e42e8fe3f8a3d0aea680fb5d15
SHA256 1275e426f205412f2e2ccf944b652f5e95a229992393c3f0ec2159411ca8a35f
SHA512 8bef450445f0414a31cf5d3ddebec4e8a1bd1b018c127a9b8a3accc93346c3fab58b4614fd4c73370f00991dc4ea58cf8ab44c3e88bbbd553ab46d883bb76625

C:\Users\Admin\AppData\Local\Temp\zYIA.exe

MD5 7ca62bc30296e17b0a742a0e65f17a18
SHA1 802adad15e217610824e07d8e855e15abb9e1bf5
SHA256 929dbc05298387369bb95a9b9b289c5ee38e98d66452285f7b48e95d16ba0cba
SHA512 de8a89c11780057eb5291c517c608252371f06bfac5ba2df6b2e18faab45af3c4688ee19c656ed5071eb9f208f6780ac47813c864c107815fee283db276f1fb1

C:\Users\Admin\AppData\Local\Temp\TUEM.exe

MD5 57c84d088e55aa911bd7af6bf4277a30
SHA1 63cdae5feb3ed37fad9c24c48f07f2d561492421
SHA256 3c4ea1b87a81669039912c14a9ab7683f9271997e7b7bf9ed0ac265ec449ab69
SHA512 3c1024561badf1e8c5546142479a8ea4e57a902fe4ae6d7e3d4b15e983268ae536f30139c43a5073714a4d4842e07ab0c6ff2f9ab4c7716565ac8a592b90aada

C:\Users\Admin\AppData\Local\Temp\EcEi.exe

MD5 53b2fa60bf78275efbab6a5480ffdfd3
SHA1 77e6006de524e9f6ef335aa8f414635160bd5866
SHA256 f054a7598a798e45b4888eedc3533a860b09b12b6e4c12f12081f549ab13644d
SHA512 1b69874660652788db917c1208bd5f454a3bcab075a0103b238911da4a7adf21b67278ba6efc283bc20594760a3ab6b3db801f626583e9753c78ae706b4a8998

C:\Users\Admin\AppData\Local\Temp\wIYy.exe

MD5 4b70a891655c548e6adefff44b924ff3
SHA1 9322aa009f805982e272dbe4a46b1d27270f9c47
SHA256 7edd3ad9e68ebe00ff07cd6753c1e5a52f28503b770d1df6525f725cbb9d8872
SHA512 40fd1ec55b64313e8c0bf4f6b2863c6137c3d7a82cdfc6348e799c52394a9e1b0a435963c769d5ab068f5d8a198e6cd6a5dfd82537df2cecf69ac2569e246d0c

C:\Users\Admin\AppData\Local\Temp\lYsy.exe

MD5 7dbadfb9980c248f06c3bb971268c986
SHA1 4845b70a1720eba036a9f49c7919aaced983dfaa
SHA256 8edb5ca183ec4fd8a730da4a28dacdded4a52ffe8cbfe5250f3cc6c89ce509cf
SHA512 6f3cf7fa626c32eb2246bff15867f77c7950c71cee1ecc7d44eb51347707e94d4b5d05dde4249481a9465ccd45411a39bc9639cd60d1ad4843d6a6fd4359bcee

C:\Users\Admin\AppData\Local\Temp\DoMG.exe

MD5 67c8a6cb764661134469c1a91e6214f9
SHA1 e98fca57924c2a3328560d7178367682b196e298
SHA256 2c638c263bf0e931ee6f784b1808c027676484f5301fec682e2c1958512ee970
SHA512 71953a931a6bc98269add7794e99d636991cb794776fefbfebebd4b15e2d9d1036192ee28e48475aea40686c336b77ba45c6275e83504c0fbc5453db84fe2261

C:\Users\Admin\AppData\Local\Temp\HcIO.exe

MD5 eb33d2e2beae5f224e28b63b06198312
SHA1 dadf6c51ee17d35dab2fec1fd368b27373b49fe8
SHA256 09dcf98a20dabffa18acbeaee83a14890ca7360ffa97eef9c7aa68e52ce1e044
SHA512 83f5757bd92fa44ad9cea6aa23a462edaffeeedad7f550c836d17e33af9968fb0330c5c0c70ca26d6c1e69d95405632eefe103d62900ce006e25231bffe29baa

C:\Users\Admin\AppData\Local\Temp\AAUY.exe

MD5 fd712e3228eaa20ec54a5ed4c4f982dc
SHA1 b8dcd5d58266cd6a1d6086440bf88b4c39a13044
SHA256 1d4f1a566b060857cc40a909030fbbbec7c25e1873b5517d86b9515ae2c41173
SHA512 897260bc46d510a91317a788337322f92cb1968e6ddae0169b1ba55d1fff560387e5af9c7decfa014cd1e361b9067dc32e1c4857894b06cf92c3bc333dec0638

C:\Users\Admin\AppData\Local\Temp\boUu.exe

MD5 d7b9962b9cb4be9e961a33374d68010c
SHA1 35105133d937f9be1176a1bfe862e215f7be4901
SHA256 77df199e000e46b94e7d86dd208d63b6b09476a8964e6484acf39783bfe02765
SHA512 403b5d3f08a8f8c554e4debf6a6a20319d86ce80155db7638c6dae07166e6756b4bfda31420c62bc6c0ef54f2b391b01b0923d2eee2b40abf2d26ddf4e912e32

C:\Users\Admin\AppData\Local\Temp\yyksksoY.bat

MD5 4f45920d095188897279417eab9f9920
SHA1 18468fd588adf9a38a5032b12f29023256c00fe3
SHA256 fefc4eb25b059587d5fdb15faa2f12910cc28fec9b0a3569bcbe99678f60b45f
SHA512 df5a9a60d5c962e9f9ffe245f3d037e2a5581c7387483be524700496d6b65b9e2287e563d2525184c053b561193f23a85d66a0603620f7812efc67f117149c9a

memory/1692-3455-0x0000000000400000-0x00000000005C0000-memory.dmp

memory/2072-3456-0x0000000000400000-0x00000000005C1000-memory.dmp

memory/2788-3457-0x0000000000400000-0x00000000005C1000-memory.dmp