Analysis Overview
SHA256
aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
Threat Level: Known bad
The file aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (77) files with added filename extension
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-13 01:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 01:35
Reported
2024-11-13 01:38
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
Setting HideFileExt to 1 makes Explorer hide known file extensions, so a dropped file such as the C:\Windows\SysWOW64\shell32.dll.exe recorded under "Drops file in System32 directory" below is displayed as shell32.dll. The value is written by reg.exe rather than by Explorer (which writes it itself when a user changes Folder Options), and that mismatch is the useful detection signal.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
The same event is recorded 64 times in this detonation (64 separate writes by reg.exe); the identical rows are collapsed into the single row above.
UAC bypass
The sandbox labels this a UAC bypass, but setting EnableLUA to 0 does not evade a prompt: it switches UAC off for the whole machine, effective after the next logon or reboot. The value lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and can only be written from an already-elevated context (the sandbox user here is Admin), so a successful write should be read as "UAC disabled by an elevated process", and any reg.exe write to this key is worth an alert on its own.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
The same event is recorded 64 times in this detonation (64 separate writes by reg.exe); the identical rows are collapsed into the single row above.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| N/A | N/A | C:\ProgramData\fCoYgsAI\cYsMgYQE.exe | N/A |
| N/A | N/A | C:\ProgramData\PgsAckAI\yccQcgAM.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EOQUsQwg.exe = "C:\\Users\\Admin\\DAMEMAUE\\EOQUsQwg.exe" | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cYsMgYQE.exe = "C:\\ProgramData\\fCoYgsAI\\cYsMgYQE.exe" | C:\ProgramData\PgsAckAI\yccQcgAM.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\okAoEYYo.exe = "C:\\Users\\Admin\\vyMgUock\\okAoEYYo.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IGggwcEw.exe = "C:\\ProgramData\\nawoUIkU\\IGggwcEw.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EOQUsQwg.exe = "C:\\Users\\Admin\\DAMEMAUE\\EOQUsQwg.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cYsMgYQE.exe = "C:\\ProgramData\\fCoYgsAI\\cYsMgYQE.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cYsMgYQE.exe = "C:\\ProgramData\\fCoYgsAI\\cYsMgYQE.exe" | C:\ProgramData\fCoYgsAI\cYsMgYQE.exe | N/A |
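The three registry behaviours above (HideFileExt set by reg.exe, EnableLUA cleared, and Run values pointing into ProgramData and the user profile, in one case registered by a different dropped binary than the one it starts) are easy to express as detection logic over Sysmon Event ID 13 (RegistryEvent, value set) records. The script below is an added example written for this page, not code from the report or the sandbox vendor; the events it processes are constructed to mirror the rows above plus two benign controls, the Sysmon field names (Image, TargetObject, Details) and the "DWORD (0x00000001)" rendering are as Sysmon emits them, and the directory list used for the Run-key heuristic is an assumption.

```python
"""Flag the registry behaviours this report records in Sysmon-style
RegistryEvent (Event ID 13, value set) records. Hypothetical detection
logic; the sample events below are constructed to mirror the report's rows,
not real telemetry."""
import re

SID = "S-1-5-21-2878641211-696417878-3864914810-1000"
HKU_ADVANCED = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed events: three modelled on the report, two benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": HKU_ADVANCED + r"\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\ProgramData\PgsAckAI\yccQcgAM.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cYsMgYQE.exe",
     "Details": r"C:\ProgramData\fCoYgsAI\cYsMgYQE.exe"},
    # Benign control: the user toggling Folder Options, written by Explorer itself.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKU_ADVANCED + r"\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    # Benign control: an installer registering an agent under Program Files.
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# Assumed list: directories from which an auto-start entry is unusual for legitimate software.
USER_WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None for non-DWORD data."""
    m = DWORD_RE.fullmatch(details)
    return int(m.group(1), 16) if m else None


def leaf(path):
    """Last component of a file or registry path, lower-cased."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (severity, reason) for a suspicious write, or None."""
    target = event["TargetObject"].lower()
    image = leaf(event["Image"])
    details = event["Details"]

    # Extension hiding: Explorer writes this itself when the user changes
    # Folder Options; reg.exe or a script doing it is not normal.
    if target.endswith("\\explorer\\advanced\\hidefileext") and dword_value(details) == 1:
        return None if image == "explorer.exe" else ("medium", f"HideFileExt set to 1 by {image}")

    # EnableLUA=0 switches UAC off machine-wide; flag regardless of the writer.
    if target.endswith("\\policies\\system\\enablelua") and dword_value(details) == 0:
        return ("high", f"EnableLUA set to 0 by {image}")

    # Run-key persistence whose target lives in a user-writable location.
    if "\\currentversion\\run\\" in target:
        data = details.strip('"').lower()
        if any(marker in data for marker in USER_WRITABLE_DIRS):
            writer = "itself" if image == leaf(data) else image
            return ("medium", f"Run value {leaf(target)} -> {data} registered by {writer}")
    return None


def triage(events):
    """Evaluate every event and return the list of (severity, reason) hits."""
    return [hit for ev in events if (hit := evaluate(ev)) is not None]


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Run against the constructed events, the three rows modelled on the report are flagged and the two controls are not; the Run-key reason names the writer when it differs from the registered binary, which is how the cross-registration between yccQcgAM.exe and cYsMgYQE.exe above shows up.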
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\sheWriteDisable.docx | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\DAMEMAUE\EOQUsQwg | C:\ProgramData\PgsAckAI\yccQcgAM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheResumeInitialize.wma | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheMeasureDisable.jpeg | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheOptimizeWrite.gif | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUninstallSync.docx | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnregisterMerge.bmp | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheWatchInstall.docx | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\DAMEMAUE | C:\ProgramData\PgsAckAI\yccQcgAM.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
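The last row is the one that ties this section to the HideFileExt change: an executable named shell32.dll.exe in SysWOW64, which Explorer renders as shell32.dll once extensions are hidden. The function below is an added illustration, not code from the report or the sandbox vendor; it checks a path for this double-extension pattern and shows the name a user would see. The executable and decoy extension lists are assumptions, and the dropped-path list is copied from the rows above.

```python
"""Spot double-extension masquerading of the kind recorded above and show
what Explorer displays once HideFileExt=1 is set. Added illustration; the
extension lists are assumptions, not something the report states."""
import ntpath

# Assumed: extensions Windows runs on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Assumed: extensions a user expects to be harmless data or a library.
DECOY_EXTS = {".dll", ".docx", ".pdf", ".jpeg", ".jpg", ".gif", ".bmp", ".txt", ".wma"}

# Paths from the "Drops file in System32 directory" rows of this report.
DROPPED = [
    r"C:\Windows\SysWOW64\sheWriteDisable.docx",
    r"C:\Windows\SysWOW64\sheMeasureDisable.jpeg",
    r"C:\Windows\SysWOW64\sheUnregisterMerge.bmp",
    r"C:\Windows\SysWOW64\shell32.dll.exe",
]


def extensions(filename):
    """'shell32.dll.exe' -> ['.dll', '.exe']; a name without a dot gives []."""
    return ["." + part.lower() for part in filename.split(".")[1:]]


def displayed_name(path, hide_file_ext):
    """Filename as Explorer renders it: with HideFileExt=1 only the final
    extension is dropped, so 'shell32.dll.exe' is shown as 'shell32.dll'."""
    name = ntpath.basename(path)
    if not hide_file_ext or "." not in name:
        return name
    return name.rsplit(".", 1)[0]


def masquerade_reason(path):
    """Reason string if an executable hides behind a decoy extension, else None."""
    exts = extensions(ntpath.basename(path))
    if len(exts) < 2:
        return None
    inner, outer = exts[-2], exts[-1]
    if outer in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        shown = displayed_name(path, hide_file_ext=True)
        return f"{outer} file posing as {inner}; shown as '{shown}' when extensions are hidden"
    return None


if __name__ == "__main__":
    for dropped in DROPPED:
        reason = masquerade_reason(dropped)
        if reason:
            print(f"{dropped}: {reason}")
```

Only shell32.dll.exe is reported; the other dropped files carry a single extension and are odd for their location but are not masquerading. Note that the check keys on the name alone; pairing it with a PE-header check on the file contents would catch the same trick when the outer extension is missing.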
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\nawoUIkU\IGggwcEw.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\vyMgUock\okAoEYYo.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\eIQEQEQA\qWAsYEoc.exe |
System Location Discovery: System Language Discovery
Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language happens during normal process start-up, so on its own this signature carries little weight. The useful information in these rows is the process list: reg.exe, cmd.exe and cscript.exe are all launched during the detonation alongside the sample itself.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
The 52 rows recorded for this signature are collapsed by process: reg.exe 24, cmd.exe 13, the submitted sample 8, cscript.exe 7.
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
"C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe"
C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe
"C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe"
C:\ProgramData\fCoYgsAI\cYsMgYQE.exe
"C:\ProgramData\fCoYgsAI\cYsMgYQE.exe"
C:\ProgramData\PgsAckAI\yccQcgAM.exe
C:\ProgramData\PgsAckAI\yccQcgAM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcYYocU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCsUcEgA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQYEUAEY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGsIUUoU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAIYgkUM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMAcQwYs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYYMEocA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMYkgEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMwYwIgg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGcgIoUU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSocckcc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqQEwIco.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AssokYUw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seIIEQcw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCosokIc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkEswwYU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaMgQkoE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwcQQYI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKoIoMgk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEswcUog.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEQAocgs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmsoAEAs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCwEAMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEkMQkMY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWccoAYY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQccMkww.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqgAMEoU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWMEUsUs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWoIUwkk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuwAYsAc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsYcQQok.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGUkMogI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cisIAUgY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAoQUQEo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYkoEoYc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIIAQcs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\focUAggw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYUEEEAg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucIUogAE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeMwksQE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGEIMsgk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIgAAkUg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jywgoMwM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMIsAUYM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKMcwwok.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWUQAYIc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQUEkEMc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwUYUsUs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loIsMosk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkMAwAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWAAUMoA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgwEQosg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYQkwwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwEswwko.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGosowIk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIQwkUwc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XecogoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\vyMgUock\okAoEYYo.exe
"C:\Users\Admin\vyMgUock\okAoEYYo.exe"
C:\ProgramData\nawoUIkU\IGggwcEw.exe
"C:\ProgramData\nawoUIkU\IGggwcEw.exe"
C:\ProgramData\eIQEQEQA\qWAsYEoc.exe
C:\ProgramData\eIQEQEQA\qWAsYEoc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4956 -ip 4956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1260 -ip 1260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 364
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gysgYQEo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYwQMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOgkwcoc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwAAgAwA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkcsMoYM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwYMoUIo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maUYYQUg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lckkwQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:80 | google.com | tcp |
| GB | 142.250.178.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:80 | google.com | tcp |
| GB | 142.250.178.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2292-0-0x0000000000401000-0x000000000059A000-memory.dmp
C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe
| MD5 | eba4d5600e9140501c1aa11252c83b8b |
| SHA1 | bea9e1bd48c4b6d2a1a800e7bb48612e4543f6fb |
| SHA256 | 669ff07034bf8361b8f826a1c7337acd5a9e1beb02df194da8fa7f12b3efccc6 |
| SHA512 | 2870ad08c4ed9a302d83cf21878c4452d8244522ffdd29760b2c8720035ecf989428ab76dd18ab10e049700f20ca11ce92b567ada7601d4e46ded638d62cd30c |
C:\ProgramData\fCoYgsAI\cYsMgYQE.exe
| MD5 | d301923868d0c445c2f96d87a3098e2e |
| SHA1 | f1e33cfe2c0c03c4387e6c300517cfd73eecd5e6 |
| SHA256 | 270afaba650f168caba2cdc6862cf5c931599f00fb3ca8bca8c0468aa318afe4 |
| SHA512 | eee8956223972d785a21e083a489037c32487d73240492743ceecaecb98747f69303742135d5eeff248007ea388b2d575ac4e4ca974498041a3c1c17bab7f60b |
C:\ProgramData\PgsAckAI\yccQcgAM.exe
| MD5 | fd1eee67d95260bcd524a59f0eb4bb13 |
| SHA1 | 46e4b14f33878948a6d3e174cb4e1fd6e1742390 |
| SHA256 | 3e8e0ab0d0f8a7b473556c6561d7a749bfa91978a1ef98252eb85c92f42c2ddb |
| SHA512 | fbedfb01e818208ea9dae8065b1b50ac80adcb93b5a43afd7be20b2c115f26f702754c15e40b74c059dba1974c80a64bff7f2579a4eae162a99b57def1c3a406 |
memory/2028-14-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3412-13-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
| MD5 | 01d093f84d9cb9f3c0508d6a377bc12e |
| SHA1 | dff45052b451b4831809ebe044d82d3cdde943c4 |
| SHA256 | 977f36483c0fb1b3dc95012d3e2e36c870f7b71e6dc669cb5741e0681509dee6 |
| SHA512 | d0e72be8cb77b714a6a39449c05fb4fee3c061bf59fabea6c68784ad2c0fc061ac1ac4e7b024c636436ce5c50c778b70b9ee5732de38a31e2f8e56872a996b46 |
C:\Users\Admin\AppData\Local\Temp\zIcYYocU.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/2292-152-0x0000000000401000-0x000000000059A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EIAC.exe
| MD5 | a8198d962d283356e5811c5ef9261936 |
| SHA1 | 61677e81936ff3b2f3429e0192c0706e2a268d23 |
| SHA256 | c27d18ca9c32441d66f7da56a50dda002eeeb2dbf2d83db4f3fb522c9d9adc56 |
| SHA512 | c6364795ccea19c8d4ee5b1d3e71c13e24bed0f4bcc627be0163912429776c158fb77215d07fa754756cd4cbe306bf0c12cb9f51a95250132de4d27a6169bc54 |
C:\Users\Admin\AppData\Local\Temp\Sgci.exe
| MD5 | 7e833cf60c065b59f34b1aa7b8936ba8 |
| SHA1 | 67dfa8d89ee5ca77af0db94f80e9adcca191e64c |
| SHA256 | 65ef0314e429c1d48fc863bfce398dee18121583c8d76554228f3da2b3ff48ed |
| SHA512 | b2f2880dea43a35f571ba5a07c3d44350dc144976bfaf65a922842aab0f9b5bd06f35a177e931bf342fbcd59706d729589fd36401d590c052a65d6c17314395d |
C:\Users\Admin\AppData\Local\Temp\CMIa.exe
| MD5 | 150fc8d0b023cc6133ecd85190cbca1f |
| SHA1 | 35777085c9d66676dbee5e653a711c12a1734965 |
| SHA256 | a60eae93cfdd42a547c93ff5b40fec3bb17a81e34c1e84cbda2ddf41a459738e |
| SHA512 | ac02512d8cafff641177ee9c86b2c163e2ec63956e7c8802523b2483611226aed77c18b934fec05f7b00b9eeeee074298d33bfca075124d0a397bf82b15d7f7d |
C:\Users\Admin\AppData\Local\Temp\mQoM.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\swUe.exe
| MD5 | e0f459278df680b50de760f601deb3d7 |
| SHA1 | 108b69154f831321329eb8504ccae2dd669b32dd |
| SHA256 | 4b76df5674b09ce167c22fcae7f4198a5c739373b04e156abc34dc798cdbef9f |
| SHA512 | 1f3500bd5bcbe0a53119077d2b3cc58c8499077c2abbc82745c2e1dc345346d11177458743bcf47a63345ca46ef85c1e896b2be06fd9aed1e679caa233443ccb |
C:\Users\Admin\AppData\Local\Temp\ecIm.exe
| MD5 | 92bd6d9e378f51b320be8812ce01815e |
| SHA1 | 2e976f2402ec2d8398afaa548d2a5766362ba023 |
| SHA256 | c327a631bc8ebbcdb4bad342e4d902847a9527155bdb7f4f6da9e616c2823cc3 |
| SHA512 | a5a948ebea731cbdecd8de8c69d421c862db1d5db5b54ec041003adda16edef86fbc9dc705ce20d1c84ac1132387e4b90257e07b9569585a7b2b01b31ee9a6ef |
C:\Users\Admin\AppData\Local\Temp\WwYk.exe
| MD5 | 2de67f6faf94bc8bd5b6449d2ccc8563 |
| SHA1 | 34750bb8b670abacb00fbab32dcedaefba2c6045 |
| SHA256 | 0293d6df2fdf3daf4e208b1368347fcd5e364d05d422fabbc5c0c424d9d7bbf0 |
| SHA512 | 154eac91cf0527f88a42d9857ff55be38554a647bff9b304df302d8b162fd464ef8e7f0575a4ec9ba1915712c7d83fe3f4cef113cd77c8338077fcac3c7174f4 |
C:\Users\Admin\AppData\Local\Temp\qwYe.exe
| MD5 | c55c7b9cddf35b449b92bc25af8a7c62 |
| SHA1 | f21fcfd4bca601d76d168d30f1e9724156703093 |
| SHA256 | 7ee85a5ffe4b0128a9fd7e75a688b3935c9f1248916a780b88d9b54a217df22d |
| SHA512 | c5c4b8f38b5e114c38f9f1b547d904d987fe67e8d6d15396c5a22173f2bb4f242365a636743d43b525ca9207089687e9ccc3f3c810f4bc7a6c18fd5294e71a7b |
C:\Users\Admin\AppData\Local\Temp\qYIG.exe
| MD5 | ddf4f31aa00554daeb59f747938932e6 |
| SHA1 | ec23c97c7604e82d65de6d2b048d3dc994f706af |
| SHA256 | d761328cdd3bd88c2b147b7e931979cfbe8205280b0eae46a58287c3e5d26aee |
| SHA512 | a07d1ee631d7d6ea24e221118b231ef8c9001b1dd56d68db1136fb38006fffb2edfbcb6ac5933ce18c80547c5fe20cebdd30f30995843134fff912b9d011b4b6 |
C:\Users\Admin\AppData\Local\Temp\OwQs.exe
| MD5 | 25e52fc8706345aca2449dc957534acf |
| SHA1 | 3c07dc8b62f5a62beb74e550cdc7694ab299781d |
| SHA256 | bff49a1c37ea263829b9cb03650b6eccef00f79f6fd1f78e2692d45f103b949b |
| SHA512 | 89557c8b72dc9f49b0f06354a76b438471c2f311f66a02a47d7d54b8763c1e20eb640d6116685ce97c2340c6cf6b0726841f6514a24414d593932069ac75c694 |
C:\Users\Admin\AppData\Local\Temp\ooAI.exe
| MD5 | 3619bc18441a918715cf0e2441ea4459 |
| SHA1 | af5cc3b3e43de845b795a2509c70a7e9001b0758 |
| SHA256 | 1462a1f053d880be9509ec61922ded096f48a63ad6023447b69bbff3d4bbbf80 |
| SHA512 | 63a1985f962856492f2476b9c993b703723a0a0b1abcf2190818c838553d4c38ab8261747ae53806a3c329c2b41611fe0b501ed5563d02c7791c2089eaa4b0f3 |
C:\Users\Admin\AppData\Local\Temp\UsYa.exe
| MD5 | ca7317d2f1c616ef58d98132ee834010 |
| SHA1 | 7dd8d5a464a4bc593d6472133a236762d047fe14 |
| SHA256 | 3fe4149f6e33836a0dd358e130f8dfa9b2fff7b73c9990d3bb420f722a985794 |
| SHA512 | 07e79b274c7e20987b0cbd6580d01cb8ec50143ad1b9db3f951b36fe8b8572942ca37cba6d12c9f9d9ec955268b9fbf981cfa75ceafc4b593cda25d33e05f851 |
C:\Users\Admin\AppData\Local\Temp\OoMq.exe
| MD5 | 2450fb7df9f119afd21e0a5c4ebe42ca |
| SHA1 | 60fa29adcff0f630787a3f1d03bb2ffc4354c6a3 |
| SHA256 | 3bd0dd0de78a1be62158788630818f122f3fd2420ea1fcd35f617cf5337e0bd2 |
| SHA512 | d72aba9b15bf578cdb845f18fea85b90bcdb851d2f18ee4bbec54f86f41b239d6f07069bd70157bfc80992cf97f827c1be4a24a07aad94aba3479729f98bfaa8 |
C:\Users\Admin\AppData\Local\Temp\AYwY.exe
| MD5 | a2f199eca97a0dbb6055db82be7d4e5c |
| SHA1 | 9f160b8b7b0e09813a8b0e60560e11bc59682e97 |
| SHA256 | 25f28b19f4b1fff69b73917ec868c6dcb1348a8788ed46ca3a1ffc3a0eea8e1a |
| SHA512 | 48f541d5276a052db81a7966dddb43af68e78b0897eaed1ebafd96c456fbe6586ff0bee29ea38f29c465ccef36a3f3d43129f0b8171372c522ec712104c88377 |
C:\Users\Admin\AppData\Local\Temp\MsUQ.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\AkIc.exe
| MD5 | 7c3eae4bf9b539d1f088e2c4cdbd6917 |
| SHA1 | 8b7cc73401e328c357f2fabb2fd7adf1e6f086fb |
| SHA256 | 470ff401a17098c25be73f5c28a4f8d754eae891cc394ff94bd948f4b671ed46 |
| SHA512 | ea8a272cb4d4f862fe9605e293612c86262d07e391cb8183ec8cfc5b176bbe4a1d272f1d3dfea950dfb1fbacf721e376b208481ee481b7a8088c65363656091b |
C:\Users\Admin\AppData\Local\Temp\ocYy.exe
| MD5 | 50beedb38121c138fee0c9f837536d20 |
| SHA1 | 7663a6e6dc3db25eed9f5b0a03a6223899ead760 |
| SHA256 | 306e7bcf919314f799ae09c3ddd8a80b6a069a5381d3065abd2e54e07ee00f35 |
| SHA512 | 456c5425532be2e1d46c2dce22ab9cfc26f798d6634594251efd88c648c788b753891a64a3f8fbf6d6dcfdb9c624bc72542a62e2873d9c2dcd471d0147694e0e |
C:\Users\Admin\AppData\Local\Temp\ssQe.exe
| MD5 | 64499ec1e3a64b11b4803e7102731a36 |
| SHA1 | 3e9f57ec5ebd33bcedfb8129c5f16cec118fa2bc |
| SHA256 | bb02ff23b157919d350805be9af1ba37496699782d72f42ff4137f4539394ff6 |
| SHA512 | 2fcbf7f10b420108d5579b5fd6184f217f4357920e8d6267b1f2719142fa7cab04230c782f3037949cd16cad23a03ef1e4aa97aa73273c3b1237f83969a7475c |
C:\Users\Admin\AppData\Local\Temp\mYIe.exe
| MD5 | a43230642062d322fd2f9c55081b7afb |
| SHA1 | cbe64f68729e47c929ac734d2d1bbac07e1fec6d |
| SHA256 | 85e17d9dcbb394f6d0026aaac00cb73e14ae25404eb96bad01cd1a69a73b0d11 |
| SHA512 | ba059d1d34ec1338b4741db2b14ddb83ed73cfcf64006951fed229c09105f781ca05c2e2de1be7a6f152409196e70f0a3adf2ec2bf750f512ee1db101f51e0ff |
C:\Users\Admin\AppData\Local\Temp\cgkU.exe
| MD5 | 71ab7b95dbf4be948b1b1fdb90177327 |
| SHA1 | 34e12e52d1dd64acecd89697f1b33b01787b3024 |
| SHA256 | 0cd895420ba2a34d61edf8cf470eb50e6b129d19d3863c2076b4f89f1631192a |
| SHA512 | 9f0e9e8c7aa1c92d8e2f227743b80d8ed93dbf2db597f3d8e17ce4dcf94a367adefd1abb4c3bafb708f1eeddf1694700c4f4780bd4e0898b68d00e979d9032e2 |
C:\Users\Admin\AppData\Local\Temp\KMsc.exe
| MD5 | 651d863403dae67ab1dd35fc56ae75a0 |
| SHA1 | 2eebf3fdf5cf076ef9324af83f419ed05ca90c44 |
| SHA256 | b5a2ad63a96dc993b8473f2dbec2addcf98335401303b02210ce93ca9ee637d2 |
| SHA512 | ab9d4b875856b1020a5f20ca675e0594034560dd3343a6176cd435682b31600b920abaf2c1517bfef1bbef0180b5e7268bdcd0abd7c1d24cb90101a483d139b3 |
C:\Users\Admin\AppData\Local\Temp\UsEm.exe
| MD5 | 296a89a4619e3a31647b613c139d77ca |
| SHA1 | 196a06d7878989cb27e24763b13560f831ae4747 |
| SHA256 | 5b4290065cfa8b0a4513b020ba7906a88f204a3ba125505fad426f82d147a4f9 |
| SHA512 | 0464729f2f795884c748bfd14aee69123aedd3e3a09e060cf2ad15d9e7e929d69deb1c1a73e82a7102158dcbb2d6687446b06219caea3bfdecb3e4987c3a480f |
C:\Users\Admin\AppData\Local\Temp\CgQq.exe
| MD5 | 328e51586fd65d339b155d67c016466d |
| SHA1 | 484e68673393e32d6f246b28a9ab906561ebd643 |
| SHA256 | 138212c582fa15656fa6cbc3bbc0252f93f05c8596af9abcc7dda81cb93e6f86 |
| SHA512 | 7fab0c49f4c443eb2671d355a2d972910ea9c5238f2c13983161d5d2dfd56bc82460a040c0513c64110fcc1a9dadd686cb5689089c3b27d2daa023c1cc26ec85 |
C:\Users\Admin\AppData\Local\Temp\cYsW.exe
| MD5 | ed2dd58ca58c53a821c348768d0daa5d |
| SHA1 | 4895e2e98c7e865a016b71f7dbbb3f7d631a2ad0 |
| SHA256 | e1ab8b5a38dca3292917a3908dc0543539ec4a6ddad2e6074d512e95ae4dced3 |
| SHA512 | e70161181b487b84dff2a38604eecf9a59791023258a6bdbad52c66da6606cfc97fd2f72566aaa4c22a7f774d40fba5517c83b3c37fb6eba360d20770f5673b5 |
C:\Users\Admin\AppData\Local\Temp\SkUo.exe
| MD5 | 8788450d9c7a8e1cd0c2cad93bcb246c |
| SHA1 | d4ac858c17095692b9fbfed42b485eb89d8f1009 |
| SHA256 | 9e4ecbadd3795dda6092b6777c244cf889beb85204b5e20006f05404b84ffd8b |
| SHA512 | 514a42eb723e34d1486c37186202ccaa626ca4cb6faac9bb4a277e9c92eed75aa30feac99eb3148ea358b03b136599c2b4a40a81f7eebeb679c2405f18cd363e |
C:\Users\Admin\AppData\Local\Temp\oAwC.exe
| MD5 | 5596d205b249b0edb2a3505d77a2d480 |
| SHA1 | 90a4724ffd3ec83a13fb5f4b7555d606c0364c54 |
| SHA256 | e042db43b43cf990a86ce5ad1796bdea533eaf3c8e588651f32ef4d5522b5c47 |
| SHA512 | 9244b57affa87c89a2aabded9f31df9b4d90656383a2760db1c78b535a1e68ebd0f8b11aeb0c1c171e8787ca8830ceee8ed6c72973383925690b06e9683a4dbe |
C:\Users\Admin\AppData\Local\Temp\Kwwm.exe
| MD5 | fd2a369736c690465ab59ce7d871fdc4 |
| SHA1 | 2eb9d45ea80801dcab86c2193bab5e2a3c31521d |
| SHA256 | 6e42e1eb1174cedd144cb9f82e232d777b36f2691a8778fd85a60b10dc8b59d4 |
| SHA512 | e8d04192149b31951d2677bc39184549fc1bfb85c339752e6a76ee17275f8227e2a0f760e86c159aeebc53896b5fd7e529f799571719812f0a6920e8fff5f9df |
C:\Users\Admin\AppData\Local\Temp\YMIk.exe
| MD5 | faf554023d8c251452517d64e23415e6 |
| SHA1 | 7d7335ad3a19878ec46decb53f2053109cb87890 |
| SHA256 | 3d7bfbdd765e920575582ed881d5968ad2d804304177eb8f57247bbaa3a1f57a |
| SHA512 | 26af7a07512f31a90e6e5fc2487129ede7ceffc6744f338d9b7c0eb4213e60febaca7858039993275ceef56f8091870db6a2007ffcdffb8553a8c0301c0944ca |
C:\Users\Admin\AppData\Local\Temp\aAUE.exe
| MD5 | 6e7e27571c787dec629e643ac6630069 |
| SHA1 | df0fb0f889373020d2fdc97edebcdb43f2280a54 |
| SHA256 | 2611bb8fdc9a53aaaeb267001919c2785e295f4ab7ecbb5459ec92bb212ba138 |
| SHA512 | 50191f46e68e4a316c2d451cf817e019376df769d5168e0dd67f119ca121a270ea17eab14ac642cbf701c7e42eb52c345ae195c07f533172ec070ec74d1f3877 |
C:\Users\Admin\AppData\Local\Temp\oYYO.exe
| MD5 | 93040f4ea1468c59e359c643feca480d |
| SHA1 | 4d0b911c5b4b7657588df2e330dc3985dc4b9d65 |
| SHA256 | eb9279ed2c39e30d58f438fc21c8ceb48e2b966f7ff47a56e9a0c7083b089f8f |
| SHA512 | 47b39a618beb904000bd8bf74a7df41019c26667ba58f81b194daff3adead4968640ada71bc23cec39a8c17ea406282c1af50076a13a734736ecbb33d7c691e6 |
C:\Users\Admin\AppData\Local\Temp\wYss.exe
| MD5 | e885d1e8fa3cc07ecbecc241a974245a |
| SHA1 | 0d11a8290a5cfc066e905992a314b0046f5c0af4 |
| SHA256 | 9ec1d165349e7ee71e12b0c666f6dd48ab7582f03013ae907434f95979536805 |
| SHA512 | 0e71fd209cf9a810c356e09bb91ec4bc872ac192dde20b55bfa98f293302219130aaf637f85ca3f7e56151ae3a4ad109c719da62d473aff1513f735ab3a37d12 |
C:\Users\Admin\AppData\Local\Temp\ogkQ.exe
| MD5 | 9cf8a181c0d6cc98bc4624368ccd3256 |
| SHA1 | 91a4836b6d2adb4830a2c20ec2278df2222d6ad6 |
| SHA256 | 6bd7fb5bce00f7b3ba771b4cfccea1c01ea2c6a76b07d076457e2401212c13f0 |
| SHA512 | a5f7b5b45f334a32d5c25a23401c6d89ed9a3cac396aac21172a0e785e6199d5df5d44b3c9d6712f54bfb4d1d1d37740e081d61b7d501b5477808127584ce42f |
C:\Users\Admin\AppData\Local\Temp\qAUY.exe
| MD5 | 5ded628f9141fc91bd5117a4ff352114 |
| SHA1 | bb6d22cd9642ce1680e06344ad6cb5cf487e6d3e |
| SHA256 | eaaa1e3069ae39ebfb1be44b85acbd29b4db31b0b0d9403bd7afc70187029026 |
| SHA512 | 17ca3053c6c4d93bf4fee54b16ae2fadbbaba4def01a601c58d6de363258e849832d32799e554d2c746ecd4c540cd9b04e99b4a23f1c0a22095854ed7c6f3dad |
C:\Users\Admin\AppData\Local\Temp\Qgge.exe
| MD5 | 7788948817287deb8d552bbe36f27c82 |
| SHA1 | 9baac1057140ed53a306570ae3bc9422c6ba1fc7 |
| SHA256 | c60b5f197a0c973a139663b002ea9b3e0c4246adae7c37750d0cbc4d537edab3 |
| SHA512 | 4abccca14d8b335d1b90e6ab8adc9ac172ba429062c9e4efa3394f3dc354f9133f1a5382204f89ef3626fffe48895eaed30d1853e603d7521cda1db72cec6c40 |
C:\Users\Admin\AppData\Local\Temp\yMQu.exe
| MD5 | b124c5e04e0be8534b49a26a0f0d5f73 |
| SHA1 | 07a1b41108b6bbc51bf296325aa0e90a12d3e664 |
| SHA256 | 0936bc3e950b4b39c884a2b888e9aa6744555a4d3a7dd3a489f6d22846e537f2 |
| SHA512 | c6c76699fdeb0537048ddadcaff6807b514b277e000dba497ea43fb4a70dd691ced56a0dca1fe7bfc0cc028d6401e745ed957fb09d836a0f7495c0b6e80bf626 |
C:\Users\Admin\AppData\Local\Temp\AQsM.exe
| MD5 | 2fe1aac53d1099f56fc7c36d1f92b504 |
| SHA1 | 7d7b53b636a5dce496488d938a3c93dae2fe93fc |
| SHA256 | a14ac6ab907cdf9d8abeaf589f247725c28390bab45395e44b27276a71b8060d |
| SHA512 | c094d9ba74188db536a8e673280a71b87df7492261c37ff37952b215b6ccad744a8315b378bed84747d63a08c5a929a7e6ffb707ceaf2e7b81a370e1ba0d7023 |
C:\Users\Admin\AppData\Local\Temp\woIK.exe
| MD5 | e83fe797b95978e88a61e0354a5bc7d3 |
| SHA1 | 7e3a67d1b00e491182d2511650a1639aa72f6567 |
| SHA256 | 3a0dcf05ba7ae2bf2d639d615234efb3e7b13a3687b5158ed6634bebe93886f4 |
| SHA512 | 04d9407fec480eda24c42520e5e9dd50fd905bbe0566af1c1597a8fc28d8674c4143bbeb3f819d2da8502c78e068072774f0370b8a2db94a921584d759386bbf |
C:\Users\Admin\AppData\Local\Temp\UAYs.exe
| MD5 | 1e600108d54dbaf31b88703196b36171 |
| SHA1 | 37a193b5a18f56e84cd5eeb8e3101310686aed8b |
| SHA256 | f1705e6103a3eacd350fda43d8f668a55e89b766b5907742b6bf6209b300c0c3 |
| SHA512 | 1e4e506c930820d0e9edc070db6fa6c9fb8b0c57ca2b4f6269a051e74c59fe0c558ec62f0d68706ce1349bfbceca62c0f9b0cd8c1ab9513c6314cafa935ad304 |
C:\Users\Admin\AppData\Local\Temp\sUom.exe
| MD5 | 07c4214da71ef308401f4a7322bc7009 |
| SHA1 | 701c038d1cc9961dd42bbd832b1bb7ddf2573a5c |
| SHA256 | 52d5fafdcd9981c705b0bf420ce139340016a0c7cd22a0acaabae13672494406 |
| SHA512 | b182dde439b7aaf9d2dd0a132d951970eac2e32a9ea83d1a4535651da8bac991636cecb6b1f841e03a1e4eea7e98e8202076ab9f83468d2bc4e00db255b93826 |
C:\Users\Admin\AppData\Local\Temp\cIIM.exe
| MD5 | 8f2b51e5722170ea71ce07454a848f3e |
| SHA1 | 4a5d8d6bbc19bd7ddd758146b864f61d8653b247 |
| SHA256 | d369a7d9e774d4cf97f7059aba2eb0f4d869738a8b9959b307b16ea0056083b6 |
| SHA512 | d744efde52371d2bcf4b4648cf1352883f3c69d854e18a049cdd204bd93ea6ad0e7e14f1ce66681d928bc8be6b9bf2a34f5f2f2542c1de4518e4af2a376d658b |
C:\Users\Admin\AppData\Local\Temp\YAIo.exe
| MD5 | dd33ea4cb7b91db1bff67509f021df9d |
| SHA1 | aefb8f4f5e36767d8ad17ed03b1b296db456452c |
| SHA256 | 9aadc65f472f5007a358a5e773af00d0973981e2175dcaf5ee7fb3e25d7b5023 |
| SHA512 | c14b601f90e46af9ec8962f51838439b972863e962ce83927f6e74c5e9ceeb0bf73c510ec4d42f96d081f708f8e923fd9c1769d3bd6fe9fce7a3a7154df92b4d |
C:\Users\Admin\AppData\Local\Temp\OQYY.exe
| MD5 | 3c051c1d5807ebde94f29de9cead72da |
| SHA1 | fbd43870cc3e8ded6a2a009a84b6711a33d73c38 |
| SHA256 | f02333665f78bade850054d9868ec41d25dee456dededfc4f000764b6fa00920 |
| SHA512 | 9e022fd567ac5f7c467a41c55768771e319c9eeef9adf0181cce738f4f770d64c126b5ded1cedbc38a763862bcd35be76ee721f37abf2853f9e47ced59631659 |
C:\Users\Admin\AppData\Local\Temp\QMgG.exe
| MD5 | e4d31cc49500aafdb33e35d19825131a |
| SHA1 | 932c53eee95bcd244395b2b763b1aec0196cba73 |
| SHA256 | d60c99bf1943808ea3b929f7036aa8ee5222945c09e7e50de98e5e5f82fad32b |
| SHA512 | 623cb667e5e95dccacce3cd4302caf572fd8da49dbfdc0fcc42f067cb372b0d4cf409dc963489d35e39baee199dcf26ad846f45c31485bd73d3f9c0d52bbb95c |
C:\Users\Admin\AppData\Local\Temp\uosc.exe
| MD5 | 2bd56e4863ccdb7a1fd39a5b04f85596 |
| SHA1 | e22805c2bb28fb98da330ed6a1dea350c9727141 |
| SHA256 | 2e5d5eb17158756e6ef2d57d0d2b90f36a3298cfecb359c03c074ed6a81a3c6b |
| SHA512 | 0b31a4c1f3a0d1889259891c3c75216d48d0d82083782900b044eba630573461e43f90fb6ddb543d0f1d169c1f4fa16a23c080e69aea08895e0f6c7ec31527b3 |
C:\Users\Admin\AppData\Local\Temp\KkwK.exe
| MD5 | b3c105eea07a798498175d1aaea1d5ac |
| SHA1 | 1d33caf7125a10926c8b938bc0acd41fc5c880a1 |
| SHA256 | 404be7936a896c84a47a78cbb19116e723efd504714992c39d23ccd345c67bef |
| SHA512 | 5c7607f62d3a08a2f0172efc90432d2274fab06d7f11dccce200da3af4c7f3898019c0b578614220ce63d6b67b61abe3320316c2969672b1744868a17e184f6f |
C:\Users\Admin\AppData\Local\Temp\mwAw.exe
| MD5 | 7d98e1e2fd1603bfa4c88c70536b5fe7 |
| SHA1 | 91c49a8581436e3f0a50d0cf2bbb467245d634ec |
| SHA256 | 44d5a5002d7d3a48a306a4a7e85e6a89cd3c907fdaebaf5fb1c35389f85b3628 |
| SHA512 | f64ad918bba6042b296499ab8e71e057c791be4a541f551bb861b45e19a8c2e482336cff39c2591b0164c37bc9d06a863f9a76577fbffeb49bf1de0ebdff0c2d |
C:\Users\Admin\AppData\Local\Temp\IsAk.exe
| MD5 | c39a4fb825f1fe6e56147dfc0bdcfd3a |
| SHA1 | bf43438fe944b87a75f033320c96517939a731d7 |
| SHA256 | dd2b6495c570a68f50825271f75b6e5652e546ce7ee743ddfea9677ccbc0e473 |
| SHA512 | 8cdd72094a76cd0656e3553eb01da93eb9bdec0d2e9187850615c1a1be823e795287ba449fa6a429fe28f388242f4484ac58c1e7aca4615e91f0440eaec380b0 |
C:\Users\Admin\AppData\Local\Temp\QwEW.exe
| MD5 | 342bc4d78864e920a9b1152ed0806685 |
| SHA1 | 3080e03aee04a18c90870a21a7b99f031b6aeabc |
| SHA256 | b49330119fafe5766e4ed42c30baf165115cb22855b066d90ddab3f7b0639e87 |
| SHA512 | 7ad87ae3a598f0af7a447750a30fdf966b8707c819c5e7272a7b534613937b6d87ff77abd3d789e1243567fe5eed18d602d6fead1e0fb9689a1b0c9b6b930606 |
C:\Users\Admin\AppData\Local\Temp\AIww.exe
| MD5 | f1dbc74ea2fccd77f9f05f6266d76181 |
| SHA1 | 3688f79393a5016c5080cd9af03bedb1a8cfe4ea |
| SHA256 | 63fa69a2b52cd3a5e7c2e020b19270c8583e77e34ba808e0e77658b2604d24dd |
| SHA512 | 1d8c61d6bad25db45d50b2d2c3ce4f07d90f5720cc1c9fffc0302f432a3c52b8d0fd5ee1f7f753f35a5c933a83183d7dd302ad15c8dda538e20fecee0063e19b |
C:\Users\Admin\AppData\Local\Temp\SkUi.exe
| MD5 | be505a59d810e4bc0d9d79d33520d03f |
| SHA1 | dcd8bccfbfc279b1700a1b11d099a74160dc1c5d |
| SHA256 | bb1b754a684e4049c726d174aefec22df2d00f99802e67008665cc5250d948e4 |
| SHA512 | cb64a09956c0904f2771bda6dd60e3a3ed55acb662a7edf5ae7be2ee30f2f6c7b895aedc6956d31d1c762f9dcfbab14003dddd9e6471c724867932532fb478a0 |
C:\Users\Admin\AppData\Local\Temp\asAM.exe
| MD5 | 72ad128ca3fa8d485f3cb40938e059c4 |
| SHA1 | 120237bc4ebe4bafa21a78ab14886a476d8c545f |
| SHA256 | c578ab2e612d80f7fdebe9ceca9eb46f4454089cddab7c83a35c751509264448 |
| SHA512 | 37082aeaced83d7b2f0609fdf3b7385da7b733e652c71ed865a50972bc11e3073677539265bb7872bc7c4907ed8fc0ac2d3c7cd71a916207497161002d7f4633 |
C:\Users\Admin\AppData\Local\Temp\IccA.exe
| MD5 | 022e7f1c89e07387517ef8a77a2e27a6 |
| SHA1 | 22291770272b452b3c48ca110872099f72bc1e76 |
| SHA256 | c3c3969a3db6ddbac7a005815c8cf1712fb88732dc95c35d666b183ca07147b1 |
| SHA512 | b00437794999be428508d49c6cae282ce1d221f94c7505f1bb913b0b2740e6d4870b5bb1c063a18fc1efc7b3d635c56633dc974435ad15b9bb474f4405cfed52 |
C:\Users\Admin\AppData\Local\Temp\CEAg.exe
| MD5 | b210e4f43435d5ee406aff544f26dd5b |
| SHA1 | e762d7a5ef2253ec87782148edcf704ef0767a99 |
| SHA256 | 975930170c4762d4b79444893a137521f0c552948b3f4e8e736e721bad9d0ee7 |
| SHA512 | 4223b01042243618f0940584cd5e694fb64c80d4a711c972ad9568c27b3b9ef124f1335ac2926738c7d322c49defabfbfa1172906b4c95956e92071748341abb |
C:\Users\Admin\AppData\Local\Temp\OUYA.exe
| MD5 | 932a942fc0c1b9a5582cbcfc896551d4 |
| SHA1 | d85b3163bbb18c5c29cf7de56be6514db4c57fed |
| SHA256 | ad78a5050d555564296da554e1db3155455f29b8aa65bf18fba6306ee7a5e4fe |
| SHA512 | b9210c75c7d5ad91c5bd8cd729ce993aee8cb31bf74487121826c44b23e96c4559ab401dd244ecc8ff2b921143b65b48b75719741fc11f9e44ce8cce0bbd22c3 |
C:\Users\Admin\AppData\Local\Temp\msog.exe
| MD5 | 3e0f928e1632a70b47fd730522d2714d |
| SHA1 | 73a520f96afb9a2d2e2a0a3e4882d449beaf17a3 |
| SHA256 | 7288e426acfca05e0546d8becc2fa2d3ea7a712734b172ec9492d77692208193 |
| SHA512 | 992581d5a54a8b2c89ecb99f54fe79c2ee14ba5b0fffe54d0c7bd3c211d1d5a8b48e01b601ba0acc72845aa24744f13567308cb1a0bc126da09791e3bf025866 |
C:\Users\Admin\AppData\Local\Temp\ckcO.exe
| MD5 | 5ac29e678d9c7af10e111af369c14458 |
| SHA1 | 2c0470af3659e27515a7a31707a18168e198c9a0 |
| SHA256 | dbd82998bfd253d63a134c024c67fbdd371405f154b59bcbe4f2252c54c26287 |
| SHA512 | 6f335c74b46362935d4206ff1a179987921a724549b52ccba612d0be4c3f080dd04263e632625d6aa5cf9a1a86b65b32f57dd42811db35b81e97b17af5cf65fa |
C:\Users\Admin\AppData\Local\Temp\mgoI.exe
| MD5 | 9378c82891279ae86abb2e70a587506a |
| SHA1 | 8f203a7c0080d9d37e191e30633aa49a120213ea |
| SHA256 | 2e500a1d6d8d5ebb9ce67265c5515c8905ff14fe80fe0454cb45759d6d121c74 |
| SHA512 | 8a9dad73aa5e400a2904195b1ee8d7e33873d0dfc8f6829e2a91c58180e07dba84d39cc7389590c1c26709c1f9b3d1ef7350615724b408add3aafdd6e973db35 |
memory/3412-1004-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mkcu.exe
| MD5 | cbc9bd90ec496150897b16930cb653a0 |
| SHA1 | c3aae83c5eda58257e16e57c1f237e00ec641b14 |
| SHA256 | f06552684d17c2848324ceba70fa7852c85929acc79ca4be59108d541d426a71 |
| SHA512 | f9fcd4c8b69f2fa7c8427b9c055270fd517fa599d9abb603ff0a79ecf16a9d46f32f9ed6117b083d5ae0ab38609b4b841986097b8b893ed15a7538d0dcb788a3 |
C:\Users\Admin\AppData\Local\Temp\yIcS.exe
| MD5 | e28673406df3719d970c7b28f0bfe0d5 |
| SHA1 | 3ce355a0a777c18fb748d63181a472ea92f9c0f7 |
| SHA256 | 329b8459bfb2dd97ef9c8782a48646b57cfd8dabf27eaca3e92efc0553d4f40c |
| SHA512 | 0fd090ee85fb464486fccec96786f0e01e6752b5842d7c40cd2b02ef99c3494acc5e7bbcc44e0792cd044d37d2be77899358cfc3e8be12a03c7c53671be521eb |
C:\Users\Admin\AppData\Local\Temp\mkoI.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\aMMS.exe
| MD5 | 8f268b008a836e4b96e8653b4efb0158 |
| SHA1 | affbe2e4436151c5d33a26168a66298225b84cdc |
| SHA256 | cbf99698bf0c63f133ed72189e9fb7d2fca37069f29d3ddb058842b10fcab213 |
| SHA512 | 78b1c6379d46648675bee278878ea2d210a8b1e5ada285a8bb4a5632cba5916e65107d65bab87e0a8d160f2dec5d34fabe1165bfaeb2da99131ac8530569d4e1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
| MD5 | a6729768e0eb266d962fa1465756ab7d |
| SHA1 | a6f5cdb0df59bc5c7959860cadaca64904a5a9e1 |
| SHA256 | c0a4de7ee46467b15aca3f2a18c585c51bf8de3a58af2c5bba392014682b1aa5 |
| SHA512 | e5ac7c4c16ade827a1fff43b37d159768bec1a6c7f68462131796124924243353491b66c2db80fea9032acc98fdcd4f7e6121eb0b14e7bfabab53730acb9ddec |
C:\Users\Admin\AppData\Local\Temp\GgwU.exe
| MD5 | 72d58da5f21a81c6820df35195662f96 |
| SHA1 | 5e919ef1af593f3775ef94c546a8990c64d9fc70 |
| SHA256 | 164b8ff6fd968ae5271b2597d5573cc11708620009bd7a4de6453040babdb9ea |
| SHA512 | 9534e3a5e49ab6916a684766038d3e03f95e07fb7c30d53aca29788b9e9b0cc79610f8b1652e44f8388a7a3c16ca29af0dab082af58e8c964576e186d947b1fb |
C:\Users\Admin\AppData\Local\Temp\gEUW.exe
| MD5 | 737bcbfebf5a925442dc451ad44fc022 |
| SHA1 | e25f483568b8732fe1d8a3aa3715aa29f4c47244 |
| SHA256 | 76bd03c335aaf40c428fe6bc23a5ce88025078a63f65e5fd5b022b77244dcec1 |
| SHA512 | 8a531b46745a27507894a0f5adc721d37b80dc9e219edae39e488f34642f00acc44caf9c30c1468bd02f8f2363019299b5c4edf99f73863a42904553075553c7 |
C:\Users\Admin\AppData\Local\Temp\aAkA.exe
| MD5 | 80743e164c2325fdedbfb20704e5c334 |
| SHA1 | da86815936f7e0c5275d8a21c6f1a9b5e75fff8d |
| SHA256 | 1437b32587ac739515701d749af4839dc1b05ff55b4868947485e27ec99b6800 |
| SHA512 | c8640c92ade3d40366b199618f9cd26379885cb917de90f20256046b75d35b27132c549627dba03bf504c7d8a5e58b4b961d07e2bdf08014e228fe652f9b0494 |
C:\Users\Admin\AppData\Local\Temp\uQoY.exe
| MD5 | 93e64c5d45ee12b70a00f9afee7c506b |
| SHA1 | 3dbe66634ef5c55036da7d38f8b531c5032ff319 |
| SHA256 | cda645ad5dd3cf82e6a756755bc28efe004375ede9c3208bc097563e531feb3e |
| SHA512 | 36895b70e78eddeb2e46a14f2441030ac8a38e53ef61d5f92592c043d7b09be068bd14706112b7dbb8de39d6960757d2425440fb04ba37bba35e1381225a3d88 |
C:\Users\Admin\AppData\Local\Temp\qMMo.exe
| MD5 | 6e135067f412a5ff7f052a9bebb77676 |
| SHA1 | f74ad2a1fbfa8200f982dd6762ef7d9a127a9a2f |
| SHA256 | f8761a5a28f28dcf4b8c2c6e2ed54d50c8a097cacc502f3ef5f8a0aad40e49ae |
| SHA512 | 95fe87bf526518cf8a35bfd4e8de921e923cc5ac92b273b59e580252b19db21be5991080d0b5d5404db8647994ff79b6ae4406213efec07ce3a60536562e23b3 |
C:\Users\Admin\AppData\Local\Temp\qwEI.exe
| MD5 | 71bb96e01a2f3ddcd06a60eeff8024a9 |
| SHA1 | 8a22b4e623484384a97a7c9403e3b2b034d6b881 |
| SHA256 | 394078a3e965e33bcbbd95ad011c6a7e9f2172534c53211faf1482a3291b307c |
| SHA512 | 9f13340740b057cef5ea83754ab7a2c65e78ffb945a6472c14e29f8313ac2386f8cb0f6e49ad9d918f9e16d5a925e5646beeefbdf10406f9c27b79d321f80009 |
C:\Users\Admin\AppData\Local\Temp\AwwK.exe
| MD5 | 0cf90f52af8523527f28d47df6908285 |
| SHA1 | b78e367b404a1546a1e28f965ec5a2a4e7403bce |
| SHA256 | b8ddc56dc78b5e4069924f9ce6ff77bfdf7fb094d49903e124659d081e8f498c |
| SHA512 | 4be36b83a501d6e9de165ea888c21c0c21548403694b73d35aff92ce79334601cd47a78bba7bd69edea44c5c95694db96685abb2f62efe2cbf29f20831a68b60 |
C:\Users\Admin\AppData\Local\Temp\mcMo.exe
| MD5 | e8992eb1a4b2c8c53969b86b0d867b57 |
| SHA1 | 758276462c727230cc3b41866ac87a80fb01ed32 |
| SHA256 | 90710f0ba6990e816aa158f43b78a1a8f5f94897c6106207124da72e509c213b |
| SHA512 | 64e664f6866ed8992441d74cca975c35259a58a6273274c2b79baf9c49ed0c740e89c6788c68f5c1a3df18a8ef341d98ab18a76159fe7cfeec228452c86f919a |
memory/2028-1196-0x0000000000400000-0x000000000046F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 01:35
Reported
2024-11-13 01:38
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (77) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\cAAwQEkU\fYUoksoc.exe | N/A |
| N/A | N/A | C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe | N/A |
| N/A | N/A | C:\ProgramData\WqQgoYIU\kUwAYgsw.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DIcIkYQg.exe = "C:\\ProgramData\\ZOkYIMsM\\DIcIkYQg.exe" | C:\ProgramData\WqQgoYIU\kUwAYgsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DIcIkYQg.exe = "C:\\ProgramData\\ZOkYIMsM\\DIcIkYQg.exe" | C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AigIMkQc.exe = "C:\\Users\\Admin\\OWIAIcQA\\AigIMkQc.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fgkQIoUc.exe = "C:\\ProgramData\\FgggMEEw\\fgkQIoUc.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fYUoksoc.exe = "C:\\Users\\Admin\\cAAwQEkU\\fYUoksoc.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DIcIkYQg.exe = "C:\\ProgramData\\ZOkYIMsM\\DIcIkYQg.exe" | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fYUoksoc.exe = "C:\\Users\\Admin\\cAAwQEkU\\fYUoksoc.exe" | C:\Users\Admin\cAAwQEkU\fYUoksoc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\cAAwQEkU | C:\ProgramData\WqQgoYIU\kUwAYgsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\cAAwQEkU\fYUoksoc | C:\ProgramData\WqQgoYIU\kUwAYgsw.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\cAAwQEkU\fYUoksoc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\OWIAIcQA\AigIMkQc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\FgggMEEw\fgkQIoUc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\gsAEMoIo\FGYgocsg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
"C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe"
C:\Users\Admin\cAAwQEkU\fYUoksoc.exe
"C:\Users\Admin\cAAwQEkU\fYUoksoc.exe"
C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe
"C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe"
C:\ProgramData\WqQgoYIU\kUwAYgsw.exe
C:\ProgramData\WqQgoYIU\kUwAYgsw.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\syMAUYgU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsgUAkQs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGckMwQU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgEAwwwU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmgcoQIc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGcEsAUo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWMwYMwA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMcIEgAo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOMAIIQA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eckcsokU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAMsoccY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuQMQMoU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYogkgoA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYckYAow.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEUcUMAE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RykckYgg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\OWIAIcQA\AigIMkQc.exe
"C:\Users\Admin\OWIAIcQA\AigIMkQc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 88
C:\ProgramData\FgggMEEw\fgkQIoUc.exe
"C:\ProgramData\FgggMEEw\fgkQIoUc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 88
C:\ProgramData\gsAEMoIo\FGYgocsg.exe
C:\ProgramData\gsAEMoIo\FGYgocsg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 116
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKAoYwEk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmEgcccE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQoAMYMo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqcQEQks.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgkEosco.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZusMscMc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKYMswIw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgYAcIcc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkcoYokQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YioEcgcw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwcQwcgo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoQwMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGMcIMYM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RooscYws.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGIMAUAI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkMookYs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOoMUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMUMEQoI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSEQIsAs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgQEksAM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "210424574540740100-71035562160179620031328852918128232641452109412778216132"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FyMEYgIo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQEYMEoc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyAwoskE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSgQkwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqQAkIEM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsAMckcc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "824007554510331899-17402104871011416449-536244928448677737-21414160191643388998"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsQIMIAU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "865038435-1330614331517939094-1973394147-2041853898-17671758871188856944661647508"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmYgoQYw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-287895430156918594745216335-141139835619265033-759858536-1876963322139010940"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8062275844476257791790997259-1718453950123164339-809779726-1102022661-1625915255"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIMsQYAA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeoMAUQY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dCIUUEQY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYsYwIgI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUYkUMEY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuUQckcE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8913037086308454731320057118472870860-130649883512205377-303932825-2065509387"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQIUIwss.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1268320812-784268003-136003596-198395264823254058369191108814416834611471507500"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1376674157-1991686487204593274-12528376461450915188-1797768664-1210810694-168215724"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOAEEwsE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9658531131160923890573338208-1764326882-767757375-33805681414852203421662185986"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LogogYUo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1966253435294325261741392675-477824433-751703830-1898621696-30396754-2081041036"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "610205007-8395348921885249743-12936102741271317717-1687758370144196111-2103369167"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qowcsUEc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAIsQYkM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10084904794660838961035213682709300038-689817930104226467319456092171017236570"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAgwsgwY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19153715321116303757-1693753756-3194786622101162995984873431-2056062476992421477"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1618689208356584637-1799307544-253762733-2029512572168587416791361307-168014609"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCMsQEQw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7693136081375310949-204820003-613180094979791891-1365200887-1911557466-1483729125"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-423922278100623083612391640271092818737719150212-74699173-1174408847565292558"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "171320274615748107347821524631865019466-610678287-1024416081-1060156305-187463142"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgAwwgkk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-566592364608682951-16116391851335632363-15811491291198076960742000067-120589360"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqgYUcAI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1245139163-1980779762-329340936501848733-1491730904-1380251118-1578325038-1104917837"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2133175796430104416-235820550-1598626619-13094759081987435481399229122-1353853886"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmUoskgI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "667376920-3404032542028808971505922256-48915844919199752068974988671111177"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAIsgMYU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuQUAIgU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "528473854-1253429812-148878897-1739976443-392507491-192033140375336744-429963241"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiQQUswE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOoMQosg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoQAoYAM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-604826851-1180020725497091787-1900642411363578231-2191150601475793822-1793645320"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-43486764344729589196868020113854857981739586622033265356-1728212493-1282585219"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "154161195120446188091456192384-1472089912-545813571195410634915131301-257625193"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSYIMcoE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1664574991-572762325107063579612323872-646697906929729271-806724101-831775190"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSEwoEcA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1520900562-1748961358-1363564474-5410485689313147031469585923-934963642072826698"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1405396897-1775550800-16722203954409516541666333186537454589818262975682700031"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2145722898463559581-106765464-8050155301361689923283706070-1126914219-1235530397"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:80 | google.com | tcp |
| GB | 142.250.178.14:80 | google.com | tcp |
| GB | 142.250.178.14:80 | google.com | tcp |
| GB | 142.250.178.14:80 | google.com | tcp |
Files
memory/1628-0-0x0000000000401000-0x000000000059A000-memory.dmp
\Users\Admin\cAAwQEkU\fYUoksoc.exe
| MD5 | 46939c837187c721823e228c951b89d7 |
| SHA1 | 9161f92ec03e999623cf4dea8eafc707609f7561 |
| SHA256 | fbaa173a8935ca24256f2bcd782977a53a63730f88efc0a261076f3184f2f7b4 |
| SHA512 | b2a57bc457553699797c8b4c0cbbcea8f08c363687a83e072c2b4c27246118aad1182c4b9bf5f42dac8f125cebb46388591df9b61b7d5cb1a6185b04b996d315 |
memory/2332-10-0x0000000000400000-0x000000000046F000-memory.dmp
\ProgramData\ZOkYIMsM\DIcIkYQg.exe
| MD5 | 222198ac35ae8f11e18da3cb28e8f40a |
| SHA1 | 82f3da34c711af454298eb85334bcc067bee6870 |
| SHA256 | 45b8b5849c0044f5cf7893f3f012d09e4e422f1265a1d71dcfb6470d356f1937 |
| SHA512 | 043c6f39d80b5c25818cfcc92816641935da345a272e7e8f2921efa515d8caa56d5b331a48fc2325520b6c083c93dcbfc9f770c7b26419260173498c085cbbb7 |
C:\ProgramData\WqQgoYIU\kUwAYgsw.exe
| MD5 | 3fa15a290f5471d9b33eae20575d4873 |
| SHA1 | c4e0f6edde09f0e583b5b9012f73aa4aaf4eaed5 |
| SHA256 | 5c713d8e0b416851002cd36598dc27fbe47105731c9b99bb634c43bd5c4cef84 |
| SHA512 | cb68d8abf4ea1d1d96c366d9d855368edf674646c05ccc8c9a440dc2d46134d26cdbf00cde47a39934993a30425ec9bfb2d37f450f54c573bad2c466234b11bc |
C:\Users\Admin\AppData\Local\Temp\ESsoswwI.bat
| MD5 | 3d72e0e742a651e7e590098940df0f63 |
| SHA1 | 17feca779d590c663f4b3a67e6a1a69e77e768a2 |
| SHA256 | 3bda1601e2b01bbad5fa4c96aa0b05dcace9c011337cdf0d12e12b969fe3c40b |
| SHA512 | e476f5b93ed8ce6f9f0a7d3d6c8a2251577ec08c0f3296d6aecaba39184458a13f2e178aa99a9799a157664747efd31d087d6b9cdf0543a141385ee7acf0c1ff |
C:\Users\Admin\AppData\Local\Temp\UAEYMEIk.bat
| MD5 | 56a79b8d4f52fa2c041ceeb03d27468a |
| SHA1 | 95f8a52ed5de1d55aedb4ceb11a93e7901001746 |
| SHA256 | a031fc839f45c1e1d82dae101cebe80faefee137a2743597fc1c1382f83a4a0b |
| SHA512 | 5bbd3b844614af4db30ac130cbf78817fe6ac99d081e2a4c42a115d0e715bac0a4e80a5052a85dbddbf03dc856cc5181c5f4d045156ffbb9c2aaa922f200078a |
C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
| MD5 | 01d093f84d9cb9f3c0508d6a377bc12e |
| SHA1 | dff45052b451b4831809ebe044d82d3cdde943c4 |
| SHA256 | 977f36483c0fb1b3dc95012d3e2e36c870f7b71e6dc669cb5741e0681509dee6 |
| SHA512 | d0e72be8cb77b714a6a39449c05fb4fee3c061bf59fabea6c68784ad2c0fc061ac1ac4e7b024c636436ce5c50c778b70b9ee5732de38a31e2f8e56872a996b46 |
C:\Users\Admin\AppData\Local\Temp\syMAUYgU.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\EOwYIUkw.bat
| MD5 | e95c209b61fc3e7ddce2747eb3ff906d |
| SHA1 | cb9b20e138dd058858af04ef89bca48c2903492a |
| SHA256 | d3efaf4ede8fb2869e9fc32ea41edad8c777f6d09c8810596e6527723f11d6aa |
| SHA512 | cc1a68cb0d1fad25356cf7f37d643bdbe4a3e4d6c0e4637f557327e7970a2de404b489387c003019147a2a29886b764d255a9553979215415809c7c569978580 |
C:\Users\Admin\AppData\Local\Temp\OecsMYYw.bat
| MD5 | 3d537a2c6095b68fb96c587f64e84b0f |
| SHA1 | f8623840dbc013879aa2bf75aa4e3fba531f96c3 |
| SHA256 | 1629317d46594fb68abec6e5d50cf6e8c3b7694a3b65e930da01ef68c6365254 |
| SHA512 | 70fbc9e4e93d677d2bec331a7f5359982fb22b0156008436e9768f7895b0d918125e5cc02b8ef0e381cbc7b909e176d9a735f5692dc769f585be4e6ba22ce294 |
C:\Users\Admin\AppData\Local\Temp\XUwkEIwk.bat
| MD5 | 4a49fb1b382b400ade4aae1f81b59371 |
| SHA1 | 5275c10ebc231e1ed2564a32d7c8023f832e7ab2 |
| SHA256 | df6f8681b4b543697db5f0e991f3c6af4524901ba0aaab1b823ccdbb92428359 |
| SHA512 | 09cd79e37c8245e1c2554757a33255eb9e05935f1e5c6ce7ef070779bf0d831776ead255bb9b0f19572079f992dc704d4a330bcb50b9722196a93d3017dc698e |
C:\Users\Admin\AppData\Local\Temp\zycEEYow.bat
| MD5 | 35d09d01be1b5fbe8e8b5a574c45878c |
| SHA1 | 5a72835aac5c71b200c181fb61adcec8700c3bac |
| SHA256 | d78927328e43f5b5a5f33b8ddfdbda78bcf5c68b2cfeea91b62b27e946707477 |
| SHA512 | be161c1ce2a9de087aff10c5961cab3b5a1c18a88d3056ddd6519ca2e2390f9bec669f57714d103ae77d2f6de4d75e63a7f1372e07a331e0230ae255c28bee35 |
C:\Users\Admin\AppData\Local\Temp\dIsoMMIk.bat
| MD5 | 5836598f13ca2b4a21811e300944a2ac |
| SHA1 | 4eb7badf59b46ecb34a288a50eaea9e2072a0724 |
| SHA256 | db78a87bf2747ea493be981f9a8063513c0467bfe6cce769590a0cb75515bd18 |
| SHA512 | 57c1acf6c96e52c70b8a0c897b105dcf0df11af92bbfc1580c84bba3ceddfb613f152a5ec43fdcf71ec9f9c5f316a134a31f97d9e58c92a6c2d168f14e6a7e7d |
C:\Users\Admin\AppData\Local\Temp\jskcIgAU.bat
| MD5 | f44f9aa3c71df0c500f4e9ae1b51b8dd |
| SHA1 | e46c119786c1c0f388efc1183c394263fe4d34ee |
| SHA256 | 78898213f086828cc39fb6b7461189811230bb011985f189a2e20389c13c3d46 |
| SHA512 | 16207b69e397180b29850fb5dd1c691f7ebf6f3a3726c5a72c65b2f74c97bd3c82fef8824a8edac2ea62ade85de8a74c205b556e8065738d6726ef60109b4435 |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\kssYwwYE.bat
| MD5 | abf0a5fe7b1e9768506180202ddc7236 |
| SHA1 | 2f3e827e19610a97b4f1df493329880b4ca280c3 |
| SHA256 | ec8897cd5b3efefe0e0895bf998e495b142a9519c9e9c3f947287b51ee4d1bec |
| SHA512 | a00e6c22e9e3ef3bba5426ea53d36ab5a70dd219767b638d2c9509930275cda208e98fcda0c561fddfe42640cef9315264094d3eb7b8f8517d1dd169375074ed |
C:\Users\Admin\AppData\Local\Temp\gYYgQIkc.bat
| MD5 | 96d810ff46942233da8ed31a0fc434e7 |
| SHA1 | 829d2100e865b950fc83bc4b17c892a385fcb9fd |
| SHA256 | 02638e7a33dcaaa0de95e84446a9fed04a8bc4c529bea9ebcd682b9a3245a0fb |
| SHA512 | f9c82e7ba75def5dec690b78fe8a696b8bc2ddea371752fdeae27417442477c4416ef79c1a51142416d4969114180ef34d0e6283f0a2008ac5bf9f004fbfa5d7 |
C:\Users\Admin\AppData\Local\Temp\wmoIAwUY.bat
| MD5 | 44764bb7b84db44ba844f0a403c75797 |
| SHA1 | 7ac928622461b2118be3ad10ea974b32d16a9aae |
| SHA256 | e8c4a45e74d5c25235ba0ffc382e9cd82c61282d1bcfd626c9d2d5abeea180ac |
| SHA512 | 7fc260ceae4ad7221447d3b48e04e0bfb6d1b33228eba4b562aa2690203c7515aa63cbd48b33b8c512a745c61cf0c148ad5abd528bae89435b21d1730d224cf8 |
C:\Users\Admin\AppData\Local\Temp\uuwEQYsM.bat
| MD5 | 2b81bed8bd495bad675d87ad82dad8e9 |
| SHA1 | a8d2b5969ce1bbaf6c52024e1593ff4afde00a39 |
| SHA256 | 069e7f4a2b83a5bc258e825fe68bc07e7c6dd0684ff6a4fbb42480834c4a016d |
| SHA512 | 23cb0fe7cc4076fabaf78f12e3842c2bfcb995147a410372fb46274840333b2ba1acebdb9c2618eaa0e8d31fe3a953446650a50762a2f7dfe7ab55d706b1c4e5 |
C:\Users\Admin\AppData\Local\Temp\PGgkIwkY.bat
| MD5 | 438f116228e3dfce192614645f5b246d |
| SHA1 | aa095b3d483295531323f6acc79973d81c01416a |
| SHA256 | 86469b043342273d1190904c500e331931399598fb5a49fdc9afa03eba7ac10a |
| SHA512 | 7da5b6be0ce8780e7f318ea491b55a7116e39d0f528b0dfce1fab8b5d889efcb84f2cecf3bbb480058a2bc6f504cf15dea98ace32dd501c0325504d3cf719e3f |
C:\Users\Admin\AppData\Local\Temp\leQIkUQc.bat
| MD5 | 8545c53ab5050dd0ecce4022459c3344 |
| SHA1 | 3dea760ddd0413abee756378849ffd79ea41c153 |
| SHA256 | 7407f8fd1c3bfde63779dbc5a6ca2213a375ee15ca497f2601e9808271ede336 |
| SHA512 | 531019ef8b23ae5a341616b5bb9317ed9024403abc042ae14f1219e6f1068641424f1a9fcb837364b37bb6a7dced4815ad6b0576707a4f6f715d3c3483cd6e6c |
C:\Users\Admin\AppData\Local\Temp\hKssAYgI.bat
| MD5 | 4032656e82bcfe5f26f0f1babe6e4c1a |
| SHA1 | 6d827056951fd5d4170cb956b49469ddab569475 |
| SHA256 | e4c5effb7b8caf7c4b2bac9c19f1bb96189a2e2379ae1ec9ae952691d916bfbd |
| SHA512 | 518026d8faa20d0d04c36c3306802c4882af6788d0cad20cba174998e5711e502bb7361e738d2e21864d17f6628490c62f5f97c729314d676d1b956460c79765 |
memory/1628-311-0x0000000000401000-0x000000000059A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HAkUokww.bat
| MD5 | 20b93dcc43cd5b8f2a43662751ed419b |
| SHA1 | 4cd8834b4211df5b173e03a0f7920d882054df43 |
| SHA256 | 89a664a54f09ec610704080d9cc0de8f4ef7997d8501b2f8e4c57777998babc8 |
| SHA512 | c8244f8cae9ad2209ad56637cd01f524e3b5812f6a2fa630a8149713c24b6823ee1612ef1c626cd783c423aaab2b0dc8aaa4cd33f2346c4e221d74618c8f9071 |
C:\Users\Admin\AppData\Local\Temp\ASgcMcsI.bat
| MD5 | 04af2493d0dc2a2fe509487098fc3d6a |
| SHA1 | eb655c1f1ad719f62c704190350b5f39c3fce483 |
| SHA256 | 619df4171402a5f455143504dae9bce9dfebb8ac8ef752a43864aeccde857ed6 |
| SHA512 | 9db37698da3b7f0a261744557d5af89f82ef306a3ffa8862aeb0565a553f0b1b6383b28745e76bb0c1ae17315ddc26e0b3bf017b3b725254a5e4a3c7cb79b6ae |
C:\Users\Admin\AppData\Local\Temp\eiQwYsUs.bat
| MD5 | ea4460196ac5f680a8c8fcc1b072b9c8 |
| SHA1 | 6b94c3f0cbaf644d50f657fb2857db695444f62a |
| SHA256 | 07cc18a1c930e57d7f9404312331002398a60e033c4570837633afba4cef0481 |
| SHA512 | 33a913177a7c3ad78a7940fe29538dc9cd35f4ca45e2c03ceb15bcce248446ba64d0b4d6ec5fe9689f7a0be457f40f66b52fbcdae19da72eac0ba7473dffeb5c |
C:\Users\Admin\AppData\Local\Temp\zqMwskUk.bat
| MD5 | 460206ca4c50e45eb07068721b156830 |
| SHA1 | 8e9923e7683981937a11105b50cada176e853ea3 |
| SHA256 | f8e7bea089ce10ef8f918549a0ec9f3f87f0148830b65dbbbd6c61760384f962 |
| SHA512 | 05f89441131241316fe456b9bac833c5f3d925254746110db9f56e63f643a7fb11117dec08bc9837c0bb930dd5a57a972d8f360097c31c88e91f4dd54b37ea4b |
C:\Users\Admin\AppData\Local\Temp\ZIAUcwUk.bat
| MD5 | 7d68ae55aab9a751f06ab59912b0a45e |
| SHA1 | b9b44d288bc2ee1b1f7ceaeb881a0eb6e86cb4b8 |
| SHA256 | 59a1dfa7ae2f6081f2950c19567641f17b9866055270f7c43c4b79b6c76b641b |
| SHA512 | 79d938f7dafd7f986abb4150f8a44e0c15bb2064c98b6ec3f93000e689e071a79264731ae93d591a129ce8cb424a83075cde65b113864bf296251bb3ff691c15 |
C:\Users\Admin\AppData\Local\Temp\VYkckUIk.bat
| MD5 | cb2e5b2b99b770d38924ab2aca5e7fa0 |
| SHA1 | 22a0a1edab8c9ae5e05d09e4b69019e2638b072e |
| SHA256 | 0925bfdfef0ddf3bae17bc7eb60d8a1985262caf833cbae82e3d1600c6fe2878 |
| SHA512 | 9e641552df9378da403d4710196bce586b7b468201d0ef13dc37ccf5af1b278a4d8caa4f2a76644f4c4d8a21219a83fc465a11fe22deab3a266a4783039d0063 |
C:\Users\Admin\AppData\Local\Temp\feEQEIIs.bat
| MD5 | 0f4bf914e67c57ec56698fc6c639d908 |
| SHA1 | 541bc8ae207aafc63607694a77c9d80dd1af106c |
| SHA256 | 6e3d3636584b47702f7ee3dccf53fd10ee9cc685dbd28f0eff8981b04835fb8f |
| SHA512 | 70241651578f2d438d436a9cfb524e39fb2e5779086a34163ca0097a09396607a049717fedf41685971d522c8cfab6ed19a06f0249da81e68119fdbacdbac792 |
C:\Users\Admin\AppData\Local\Temp\LOUkoAQU.bat
| MD5 | 4558e5858628895ef3a500cf9a3eb3e8 |
| SHA1 | db4f2c6cc80b425f2af952056b4b6ccd1c361af9 |
| SHA256 | 0b3e8615a1a02061f6330e3619b32b2f02389df6590eb6e4a2f17b7cb5db9b96 |
| SHA512 | 138cef77d6f004c2841822253896ff464001218b1a7fc0158924f397af18134c62b6359707ca73fd0da5db0038648e1b29f28d548bdd531fbc8999bc4ca68299 |
C:\Users\Admin\AppData\Local\Temp\uEsMQQoU.bat
| MD5 | 055764a04aac20d63cc646b1979c0672 |
| SHA1 | 73cc076bb1076fd3638f70724701863e3dd38ef6 |
| SHA256 | e718a4d2d7c0dab0464c2d0011d62110ab89f492d7e7717ccbb3455f6183770f |
| SHA512 | cf9d3c939a79b256473f5059826e6bb4226cbb3038a53fcc05cbf20a1a6be075966000ca49855c192ace7f6784692a6e04b4e9919192adca21f0ae956c70d841 |
C:\Users\Admin\AppData\Local\Temp\YUAMEsAE.bat
| MD5 | 296577e41b5e38f62f7a0582b0415376 |
| SHA1 | da2e6d05df0256d7095828d423727e2d11f7b891 |
| SHA256 | aef4f061edc30058a7f76d49428325de1745ca8147c938e9617df3b11c3dc0a1 |
| SHA512 | a7c00f9657a31d2c86cc22aa51bdeb5d4d35cbf0de116f32b97142fdc075b0d63eccd843533f2407fb7dd8e5aa9c402c3fe39528d7ba18f4d1e052034ec5b56d |
C:\Users\Admin\AppData\Local\Temp\miYgAcEA.bat
| MD5 | 6c842e080ef50b4fefcf35f1a59b5da1 |
| SHA1 | 872af0345c7eabc93bfdbab80ba58118085e687e |
| SHA256 | 0c1259c0f206d72645b27f89554d0bf0e2183ae8ffdcd270772ed72f126b15c7 |
| SHA512 | 9a56be76b854858e00dffb3e1a4a9436eb98b74ba695c1126c13719da450f93c71ead600837d75119588d0ee9559f37bfa5d6fc5c13d1cc5926a8245bf0711bf |
C:\Users\Admin\AppData\Local\Temp\yWwkkggA.bat
| MD5 | 78f01ffa19bd0f8a1d2f18b9ad99aced |
| SHA1 | c9c06b1db0a8a4aa13f811d6b34bf15563ec9968 |
| SHA256 | 72606b02c5ba64f5ed5d9bea3988bf247c0cb539f35779a69de4e15e938e4cef |
| SHA512 | 2694b95b87d150a7641ef11d745d39a748ae0bd5bb394b812c7bfcacea655f6e891e555c8ece94e84f0e488090386a6c5972e1cc8211add659469192fa8d6de5 |
C:\Users\Admin\AppData\Local\Temp\VmcQYkUU.bat
| MD5 | e75f25030cbae3d4bbdac14ff357aaae |
| SHA1 | 8514e14780e69c8ada0b96bf47dd0c6111541368 |
| SHA256 | 5a1d666ab631d70af9eb37c9bd28f5ea70aca448560e0debf46d4f7c42da05e4 |
| SHA512 | 2f59d8b85b542b18320531acdca4da0a0b6ce672077cbd5c2aca552cf5066b50a356b93628672a044448854680434ca7e020040177672b4555c3b08c21e376df |
C:\Users\Admin\AppData\Local\Temp\hqUsooUg.bat
| MD5 | 6e7fb27d370e70c8ac95a3702b70b78c |
| SHA1 | dabe5b6315653c7ef63dc0dd4617fda174a22840 |
| SHA256 | e64399d1f8dd0818cfdccc77b7cee4e82e21c8997267be1430e06824cc8eb67a |
| SHA512 | 7b7a8b2d25cb74cad27fef68243a36c68e2c17c8335e42187e3fd92b90b9e3b22638441f406eb19da1cadb7a8e81ee6d17c5d6d307faaddb8cea6b6f9cd282ae |
C:\Users\Admin\AppData\Local\Temp\ZMocsggM.bat
| MD5 | cf7a8f61043cbaa73a1a4abc297599c3 |
| SHA1 | e2716c4d216100fd7c83df3df73cc3637d13150e |
| SHA256 | 46b6a3b07479247c95e82d7a05ce73cd5e9779717f14665138d50b717a41a9e1 |
| SHA512 | 9365b44b32f61ae990b14e8cd4d919596cc19ac7023e510c168454b76a99920275b87c54add2b5eee4f7b2a1ebe9deed1638dda12f6a24920b35f9376baeeb1c |
C:\Users\Admin\AppData\Local\Temp\doMowsYA.bat
| MD5 | 58700249c48c378baad4b161db8b333b |
| SHA1 | 830fba72f2ddd8008c38168ef9c7db2de6696947 |
| SHA256 | 52aee35f1d4a2630d925a69d3ec395e5940138f48913948da3d470f8bc4ac1e4 |
| SHA512 | 67d404ffdb38d2db2f2d66c06a5dacac4f4e00cfcd2b331e1edf5349c05266a6bf6e069204a6f794ba0e3314cc408c660e6666d2e528a21b186baf4570b8f6ca |
C:\Users\Admin\AppData\Local\Temp\OmsEgEoQ.bat
| MD5 | 63fa3455765160a0b1950f5efd07b63b |
| SHA1 | 99ee1b9da0ebb6ad5f0774b621905f432973c23f |
| SHA256 | ce7889a4f239388c12f2a676c130847c6d24846cafceb32a04f5f1a84de3b6b4 |
| SHA512 | 4702b886ebf557a4b46d4b994280d25245a5d83385958cc9f789626b1a2d3db7ac7bd39b67324477f8d8ecd1e977e9b57cdd32fe09998706620b991de829d061 |
C:\Users\Admin\AppData\Local\Temp\UQwG.exe
| MD5 | 829fe373256dacbe3a2bdf9945afaa6e |
| SHA1 | 83687fa4eae5ead8ac9b21eaafe9676eca8af503 |
| SHA256 | e1be33766e210865d723573f0229e49e6586537a47a6f8bbc1b39b12393a362d |
| SHA512 | 7c88cdd71f111e028df8e9e547524f926e1cbe4f0cb736c1b1112359a75c2f3e7d3a3b260b14605d76149303803e5062273b5c8ebe237d5e8f08d969fae1f40d |
C:\Users\Admin\AppData\Local\Temp\eMIU.exe
| MD5 | 9cae2de834c56c906c2afc9e8609887d |
| SHA1 | 1f239ce44e1a2c04d5ca0e76ea2720334c33d282 |
| SHA256 | b47212a5bfc5f97120158e2ed34db7f7463bd1f8fda5a2c9f5044d52ef8701ad |
| SHA512 | 0c1a8965aa81e293f78b16c9f31aa6ef2f50b84e5e8a19dd1101f5abdc00a7ac97462680efda2f58071916ee269fd9c4f9e96f549a7069e3ab6fca10b0c8ce44 |
C:\Users\Admin\AppData\Local\Temp\acIm.exe
| MD5 | 39545da13e5a0286128c75b8f26d5e46 |
| SHA1 | 3bc32563ccf276de21b77135a22dc74f82d8fb9b |
| SHA256 | 56b5e3ae34dfd65a304880eee8c2b62f6422cd9002a5387a4b13950c8cd06e36 |
| SHA512 | 1ddb12843ed4cae915dadef7e12c159c089e63e9ac179b281b7dd5c5404899ab57f619df9816382e647586f26faa97b8159ee3b8c04dec143274ebce48ee147a |
C:\Users\Admin\AppData\Local\Temp\Uwcm.exe
| MD5 | 3a0a7d2296deb918b78fec2c4f8484e6 |
| SHA1 | 1093ef1e1b42fa1d563a89d4824ed28ad1e4a6ee |
| SHA256 | 4c5c9d9844e0534669f49846502e4687f9e0028539201ba34c4a4fc22c049e3a |
| SHA512 | b053cf1b85e4f3f94cf75b78a045d721485ff584215991912a2e925176fa5327941f6f11e9fb08b4e7bbaf2f82e87bb767564052c7f1a4cd9d8944b3420bcf1c |
C:\Users\Admin\AppData\Local\Temp\YuYA.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\kMIo.exe
| MD5 | 3845c1b4063268826acdf82d0cf6e50c |
| SHA1 | 668db66acc97345ad6e72718cf40c77971ef7804 |
| SHA256 | f6bfa88dc7ac3b0f5ec869133ed1316552f49eb11f572ce54dc3b2c9af7e20b1 |
| SHA512 | 2e211ea8be693f1532096da103996beb641ef0bd72444d676bfce68f5f6b7109f2346e0f6e080d7853a5cc6692a15e70e2dd386d050183216657553c6cdd022a |
C:\Users\Admin\AppData\Local\Temp\iasAYkow.bat
| MD5 | 2690f3be05fbadfaf20a89e93e06a10a |
| SHA1 | fe1eeac9e373f973ea8852856ab73b368e280913 |
| SHA256 | 08c1aac3812c4436a7b9290eca2e21796acab3b9ce0291a6f73e7eb8e4a88394 |
| SHA512 | eba2b54e9e95d95328e278613803d52a86c7d183777682d19f857d24c15bb2d76e9e27da306b6dd3e589fae0ace4c054916c54856bb3fb67da1c7d54a29bd951 |
C:\Users\Admin\AppData\Local\Temp\SkQE.exe
| MD5 | 6856304c8566277f13e261bcb30ae825 |
| SHA1 | 1cd13c4c57d01d0d2f1edb025dd30b6471e037be |
| SHA256 | 1da6433111225a79e843c6d096fba5b3d6199dbc24862f8bfedf415098aa2c41 |
| SHA512 | 372d87ce970d66f0f1b75693e81a5206bdc87259ffe5841488f50f9b1f60a6873bcb68133d946a6ec75b202b95e2b2e4c578dcba898155ef83e14704cd85055a |
C:\Users\Admin\AppData\Local\Temp\yQsK.exe
| MD5 | 1360c991e01c8a40cc26c07bec0b3cbd |
| SHA1 | a3d594f340d7e5809226d97f8841f9281107bbc4 |
| SHA256 | acbb7752df568c00e435db6a4c838be6486b9a840d352c78e7d0f7d9d6f6c296 |
| SHA512 | e60356807bbdfc7a561c4ecfbcd4e233322d5c3c3ebf7213463131bc8153458d5a73ee2915c66b2b2e336133385927182f8339ebf0de5f1fb48ef7bf8be384c4 |
C:\Users\Admin\AppData\Local\Temp\AwcW.exe
| MD5 | df806f517624e240d7189c9cda8a3819 |
| SHA1 | 468eea00bd75b2117e279cbf82e97e3ed2dd05e1 |
| SHA256 | 97bf637613374ccb3cbde510c885f82d135ce896664cee3e1ed8d57abb901364 |
| SHA512 | 9b5f4f4dc782a6f4c94aa33d8d91a0baef045ff391a685db899a34de8af66513113046e17ed49fb32ce6eeeadc2d4ff980b43ea5f7dd0112d56b90e61cf59b3e |
C:\Users\Admin\AppData\Local\Temp\ukIi.exe
| MD5 | 4e28ba731c7012366cf549ad7ebd76f4 |
| SHA1 | 399e470ff878ecb7d073a6f2344f2f8143fdeca7 |
| SHA256 | 46c11ae89c85741bb91dd1395e38c5779d7d65157036320542e0d19e7358e187 |
| SHA512 | 02acfcb30c1e789dd6b2cf611820d68f2dd7419cfc0ef6614edfbef04efabbd9a988cf997be2b263288ab8c4b5e47b3a2dbc7b67fcf58b60ae961985116dc1b2 |
C:\Users\Admin\AppData\Local\Temp\okgC.exe
| MD5 | c964766eab0b49649665186e5cddc121 |
| SHA1 | b9052cf047ea6557ad98b555cf783188f07a296b |
| SHA256 | 526165cb1eb87b65ffcb0b42a707be8f4dd2ea7a2f1f8f257ffef7c5beb58e7a |
| SHA512 | 611b001057740c054b4a9efcf4fbee65d85f1e57b79f27bf14d9029cbb9fa349951cf3b6d447edafc71b75e12120f06cb0b1be9cb47f7d5b061126bdee406dc5 |
C:\Users\Admin\AppData\Local\Temp\CEge.exe
| MD5 | b37f32e9d4a3cd863d2b52e239321418 |
| SHA1 | 772608190e966a79db157f49d99dc0f60ebad82f |
| SHA256 | ce6c4bc758ac9f1eeb2c93b0b981fef89e496f76830410cc7b3d394f93a51a5d |
| SHA512 | 75f1e8ab5d59f4341b701f95a91e787b77a5e41479cac226cfa087155022475570bae29188e07ff8d4a4bb27ce86c3421f24e2be32f63fa2c6a2ed9f902ab534 |
C:\Users\Admin\AppData\Local\Temp\OeMooQwY.bat
| MD5 | b5e50b0bc6bc65e14730a5cca2f56503 |
| SHA1 | 64535e5f41d4e75816abb2339a128e6cd8d260fe |
| SHA256 | 1bb6081212b4486c1e0a29160f49bf3618670322533ed62ac27c7caf27a5ea21 |
| SHA512 | 6bc614c1a288235b5dcc0d086b9c1b3b3de94b2140503b8a6c377e0c09c6d66afc4b2de40dd808c5377f1b45a006770f0cfd0f0eac109e70afd944d993751eef |
C:\Users\Admin\AppData\Local\Temp\yYEq.exe
| MD5 | 5c290388963625a5be4c8fbef7900fba |
| SHA1 | 11db07bd60a5d1f432a6cb88c3e380bd1139d5c2 |
| SHA256 | df3c1e8ab01ba68ffee8541c08accd1b8f9b8acb13927cf774f38e40ac2fb193 |
| SHA512 | ecde3d8adf3afec195fb966545d56e54274553b18032e0dff9d1e91fc012bf903bb6e88a162d6b29e239b2163438f70c1f3270ac45ecd4a5359db72a97649320 |
C:\Users\Admin\AppData\Local\Temp\EwUE.exe
| MD5 | 1cabfb1f1785b2629f40fa53762cf40e |
| SHA1 | f080ca84434e428900cb83ab494207397bf471e4 |
| SHA256 | 9d8fd53c7439897b16050c99b951023566bb6d0a6f60104b9484e6849a952b9c |
| SHA512 | b53f129c0398ae32c251880a38fcce6ba9d2777684298ac9def4e693ab7144d97acf23df08bce2af4d76a9cc23577f15ae3d1ae594560d6254dc7166b3b4a73c |
C:\Users\Admin\AppData\Local\Temp\EkMO.exe
| MD5 | 713381eb9d437733f3f2d745e2ef3b53 |
| SHA1 | 0399d502e30f3be4b4b845505661402555f513bb |
| SHA256 | a136744caf113da03a138370792a1c7aeba7b6590a74659b6eb4a23505a52612 |
| SHA512 | 1237e27557042c904367388c30c364b177ee3d2c98488897cb003cb5554551d0d477c773238a4b94e88e6a3e66650e5d27b0aff76d4d1e5cdb2872d945f0e630 |
C:\Users\Admin\AppData\Local\Temp\gQAW.exe
| MD5 | ca98cb71a6053ceba9f116c95d0e86af |
| SHA1 | c3281e19a4926829c82322fbf130e31c6c856b62 |
| SHA256 | 734adab417e4faf217e5f245a2756488853cdbfa9af231d830ba14c6d1cdbe97 |
| SHA512 | 9992ffedd539f6a1ab1314c7bca4f973181d3d85873ca3fe4ca0c99998120275c62d22281aa1b90aa6ad7c7cd24256f704662261707354a1ba8c975b3fd6a85e |
C:\Users\Admin\AppData\Local\Temp\isAc.exe
| MD5 | f5545de0a87b74fbb67fa005db56411b |
| SHA1 | 3cfe1a3b257ea986029473d99cc2ba7a8fb431c2 |
| SHA256 | 798d94d1826db1e70e335e1503587ef17877ab201bd7d31d60c7ea96f9d5ff8c |
| SHA512 | 180aaac19fe840f2cc789578baeb72bb289b4819f4086d6298e03a174773a93f8ad16313f5e9cf36d4cabfbb076d4bc2a58965024d4cf5561adc2ab3d53190da |
C:\Users\Admin\AppData\Local\Temp\OUgI.exe
| MD5 | 045c66fb1a3c14b3cd7b6a98eaf1870e |
| SHA1 | e45101d90a3638520db176ea2900787e4245cb21 |
| SHA256 | 80a12f7600e05376cd682837f9aabd13ca1d96ace9d38009569cfa08e2db7282 |
| SHA512 | ab63507b623c051022539203b52d9d93a2365bbbe1de15c2810254eb13b2baf040e23b9fd0b70e1035383af59842b2c0a1a55c1e970b3c313b482ba4b9deb060 |
C:\Users\Admin\AppData\Local\Temp\Gsoo.exe
| MD5 | f9b1fa1edb95f6c03ec27ee2f4c243d8 |
| SHA1 | c1dd0d38c9437177d76e49faf5890eeb98537165 |
| SHA256 | a8d5deb9cce72725d5ad0d94435d7c09b55051eb77d26ef215f8adc15491238b |
| SHA512 | 0639852f294198c7e215d627dda300b29021073626a81eed3aec6e226630bf9f3728bae55c3d9ff9b3322046ed9f0dc3c9d0c85c44905655f473349b2871fbda |
C:\Users\Admin\AppData\Local\Temp\OIku.exe
| MD5 | d2ae5b4d40d8191c157e916882252efa |
| SHA1 | ec78a36dc5c22d78b263e966070b8858cdbc2aaf |
| SHA256 | 6bef415a0c53d98c8c616a44b11c5b082b6824beca63260b7688ec088d6110d9 |
| SHA512 | f84eedf09c4cd780fbdb7ebd45de3f4db971f67d1e0242a6725e436e786567f37218d6e37b7646586375919bd02e2ee961c1a17e7f4c1c4e85de2d6b1c9fd91e |
C:\Users\Admin\AppData\Local\Temp\qoowUgIc.bat
| MD5 | 692c614d77b5f22ffe3a50efa22deb7d |
| SHA1 | 3cb7e46fecfc50fde88313132e75b74c96afed1c |
| SHA256 | d6f00b3d7eff8a7dd14771dbf8e3c439279b584707b0107e48f69dd732305998 |
| SHA512 | 7da0ae8a8f8702b8c922e737faae67e0bd7cc8775eb4c5c8eba9f6bdbe1b2a4b2c4202d1816db4deae0c7c968a9b92a7b780e242d8e0ee3d9bea2095f365f5c2 |
C:\Users\Admin\AppData\Local\Temp\kQEu.exe
| MD5 | 35ed8aa96cba087fee368b92f2b1a432 |
| SHA1 | 5cf094c48784e9fcb8a651d4c3290b37b90f1e48 |
| SHA256 | a0e64859c1c65fa60a7e037f1d5f8b88abb18244a0e45ad09f8d99d310607dc8 |
| SHA512 | 4a5f417850e715d16911de401f3da9554633c07b658a7ea7c007f7eb67379def81f7204027fb333e7c2ed7c33a1353a5084344ded15b2825dbe8857393381a65 |
C:\Users\Admin\AppData\Local\Temp\ekIM.exe
| MD5 | 90c053b357083fdfda6adb40ba535343 |
| SHA1 | 743c70a0c4f31f8ae7a31743dc314ae7c15924b2 |
| SHA256 | 7f7b184ffe40e1c8d03acf299c876165e43a2dab74028ec217b3c7ba51a3aafd |
| SHA512 | 8b8b14d452b4f11c446bd6cef62b640ecb274aa1fe64fb7c37227f8ed47183326e90e953aea08e0fcdadbeadd0b830f1fc527ac96a237d9f7ac908d10259d09c |
C:\Users\Admin\AppData\Local\Temp\McME.exe
| MD5 | f710aba00e1e7b0f0e84d3420cffae54 |
| SHA1 | 1cee94bde7d2ec5e0f5ab69c957d5fca89ad5bbc |
| SHA256 | 69fddf6d4c1557f35cf1f1af11ef128797dfddcfab916c4273121163c57548a4 |
| SHA512 | f02ff392eb20b495f4d1098ff5468a010b109e33b80b8b2585642b4b4ff0dba6250bf47ab186bdf7a9e930239fcf9768ffd0ae08cb190e0019281f14a314b7c8 |
C:\Users\Admin\AppData\Local\Temp\ScQO.exe
| MD5 | 1cf379b05d1be624b5fed395b8ea645c |
| SHA1 | df36d753dfb4dc4575ddae8e806995cf50b8084b |
| SHA256 | 33e1a9ee3769196c97a80fb57fd6949fed43b11eb8c4d05a5aecaabfeab30e5a |
| SHA512 | 3840455b7fe8528cbb5cb80e004dc851357022a496207d536b4a087c2b30ea52b1adc8ea06889bded510400e7739811f6054865e034d771be7552f0fa7f5d083 |
C:\Users\Admin\AppData\Local\Temp\aEQG.exe
| MD5 | dbfd5f4ef132e80a64b83d8a0efc9ed2 |
| SHA1 | 02cf9d93e57b1ef3f055f0462c8ce5a7c6005ddb |
| SHA256 | 48a2d80efd166cc2f808c509ee5a48b77aca4bd4541d2846493cd7aa15c410d3 |
| SHA512 | cdd545d117b8906deefaad06c6c2cb43b2d6ebe54bba07a1fb874065c5b32a22765059ec1d78d4b2bd94386e48fa585b7c0d7039b9c35434f6ffb5b49f4557bd |
C:\Users\Admin\AppData\Local\Temp\bKIwoQsg.bat
| MD5 | 827535c29e5f13f4fe08a3ab3336fb2b |
| SHA1 | 3de70ab50d665bb88ca2d8f4ee5d10c0607acf71 |
| SHA256 | 94e7fbef830dd77533fb328b5d8bd9eda902d924e95b3316c431091fce8bb1f8 |
| SHA512 | c288f0345c5d4e60e5d2aa5045e9fb4416ad48577c16667b260fb0ef5e405c4b4192c8c6bbd0ffb602e6ee453c358fa8c167ff10abdded2af2c7f1db0da3742a |
C:\Users\Admin\AppData\Local\Temp\gcgC.exe
| MD5 | 1d68211c55d838fb0fbe5382e876a3eb |
| SHA1 | a9ca36f4e7acfa3f55177fa0a25e3482e3db24bc |
| SHA256 | 9902d22c3a43f82833dbf66f450e64a074c8817e333ab8100646d10c4ded75b5 |
| SHA512 | 13912505db37d2cab33e30820cc9684feb94343be80837655c696687c6a74edebc33f791a0153d2b64a570d6c6c771ce5775dc69c143cb9715c17c8e601c415e |
C:\Users\Admin\AppData\Local\Temp\wgMm.exe
| MD5 | 3828bb9504d2c2961731bf383ad462e5 |
| SHA1 | c94fb317214c617f2b7aaed184fbeb0660aaa803 |
| SHA256 | b09a60b29a74ff4b1e2bce18d3f99cdf9b1423f209dbfd4a32854456d7848a6b |
| SHA512 | 920721ca39a8f56ce9e132a32691d1e44923a0b139ff8e00fdc4ef2fe7ad66447b65b5f79bd0e7b641a3caf12e1afd86658fbcf70f28a9f8f590673326783648 |
C:\Users\Admin\AppData\Local\Temp\iQYo.exe
| MD5 | 170447342f4998991576eacef31ebc61 |
| SHA1 | 0667596d7e916b690d5fc8c7cb14c94baf43b97a |
| SHA256 | 16bcbccd11af81793ebbbf04003c3d314adb660b3863542c57ed1b03a6afb167 |
| SHA512 | 10b57f6682a1abac2c36047be46143e5f144ad1bc31bcc98025a1cf09fea819490c97267386475f55e2d61d9c049930db00dae6009f38c4f9f8bb30ea621cb68 |
C:\Users\Admin\AppData\Local\Temp\mMko.exe
| MD5 | 0011da9ecefabbf75e14e6f0d15fac9d |
| SHA1 | 45098a71a39c76ceffbc3db4e5feff6f10a33cfb |
| SHA256 | f519340cf2181c928bb43b95b41356991bd5d35dda9fb32fe10f8ddcf82a9b7f |
| SHA512 | 8d7c370bd2fbe9420d199cd52d568523283265a2eae2c3a004698e23e7f656ea712f5805bd7ad0134ca50c331bb5083c9651ac0e4190c23b15e98276abaa5357 |
C:\Users\Admin\AppData\Local\Temp\sMwc.exe
| MD5 | d3133388576c8a8b21c19e47878fffe0 |
| SHA1 | c28e8d83dc08a9ed249218ec34db52ea1b75ccff |
| SHA256 | 6f0e315c26ebc5a5bb509b38958957765ef99a66d5a1722332ce348fc91829a0 |
| SHA512 | 32002f140a02644c16915cb7cc878674e9a431a6774ac213ebafce58552fd118f3e6750bd0fe42210042b428eead86ec4502c24e9f4e4de85e9acab06b795749 |
C:\Users\Admin\AppData\Local\Temp\qcwo.exe
| MD5 | eb8ad370ea028ca2c680552902223aa0 |
| SHA1 | 54ef7c2829ec95782997107f724f6b85bf8d1f95 |
| SHA256 | 57b7ae5537ae59c98ebc635bc1bb7068d3aea427a4fa9d71cbe7253be1b07379 |
| SHA512 | f5529493faf4709d93f74ff60a96aa42934025b07fb0d94a8ebfc5826a0d1a164732324c229d9edb5f2d89fdcbc8f465f843a754ba6a2f9b313dd7ff16f159db |
C:\Users\Admin\AppData\Local\Temp\rcUMMQoA.bat
| MD5 | ac67c06118ddc321b24c18f91fbddf73 |
| SHA1 | 6df2f357bedd3673eb993d684d2045d0c269f9d0 |
| SHA256 | 86b93ecab2e80845607292410ae1dc7fd76aab40bee08e583bdf54a78a26e467 |
| SHA512 | c8cbdf96e9f207a919cfd344eeb71d3bc96e73130c5b15b8fbd4f4ee275b114582c7d967c3db781b12980f9b0cddfccab783429f2fb9e3c0c0f98443094d46d1 |
C:\Users\Admin\AppData\Local\Temp\OYYe.exe
| MD5 | cc8f97cabd3a4f6b1a00be7a24863546 |
| SHA1 | 857f0f4eb39bb8efe731db249e0a77b7a7ba57cc |
| SHA256 | 5ff438412ae17c3332d4862365f5a557cf73a7523e91195df82d1419e6b3c357 |
| SHA512 | 7f7651ff9134da775014a8385bdbfbedab44654b4f77aebeb01f1576835eb4dc6626a40ecdccffda75ed9cece646bfcc765a0725fdef0194073297488510c0ab |
C:\Users\Admin\AppData\Local\Temp\KQMY.exe
| MD5 | 3feec10dfc6af1c7ebcbea05023defa3 |
| SHA1 | 6386127827ddb13dfd339e8c1675523bbd485679 |
| SHA256 | e2a35d75b4b169e8c0b56f5324edcd2f0d7384180bf1f3b8969f1d62ef9e0135 |
| SHA512 | c8d2539c999eb066699c5b540bede8972666bfebe511871f1cf3f3427841b76bb0166ad80bda2102f718cd4a6f967b3a6abe28a6acf43212b39440527fb74458 |
C:\Users\Admin\AppData\Local\Temp\YEcK.exe
| MD5 | 9a5d0665b669646eff1c6b165970207a |
| SHA1 | dfdb6a6c1dcb0e5a5b09ade80cb329166a26f7bb |
| SHA256 | bc70311afed5f0759cafe26c25bbbb23b88bf555348464d0451e3bff29832931 |
| SHA512 | 8b4b5c2e3c6e5f99c32bc06834a4a846c751d14fc07f4bfbb82be5e3623cc4778d8f00ac38d4fd382bad945ec345bffe7da07f4914a787bc41261192bdf9e354 |
C:\Users\Admin\AppData\Local\Temp\oAQm.exe
| MD5 | 87c14f6461effacdb17005f60c0b71ee |
| SHA1 | c941bf6e40ccccc73e8f62634e934f2a86326782 |
| SHA256 | 0eb451c4898f56acdc75d2cb1f8af33d9bfd3d98c2ebf1bc669f9854cf1e8543 |
| SHA512 | ed02efa09236d77c54ceebf84f88763550e0c7d4e2c03d97cdeb168ca86fb60a10a19dc9a47ca7f468e2584fc20f91ccc41134277645cba989d770ddaa4b76c0 |
C:\Users\Admin\AppData\Local\Temp\yAkG.exe
| MD5 | 404e4c5afcc485befc571b6d4f185381 |
| SHA1 | dc8fce6f266573a687fc0ad7518d32ce5f696574 |
| SHA256 | afd1f1b0b15441b273c3b4fe0760d8fb01aaea12dbaa0aece8d8d580fc4a66a9 |
| SHA512 | 55b1f07bfec6917733e6a333a115a45f0184fa1b2d8faf676d0e119519a4e08fec41f509e5185712c2326dc46116a93044667f14a47a9054a9176f19eb142884 |
C:\Users\Admin\AppData\Local\Temp\QEYa.exe
| MD5 | 690194340d3611dbd0f9c1d82e61e68c |
| SHA1 | 2308cb9ae18354509a22b357c4efe36aa765c777 |
| SHA256 | 28731c2f337f7baf4f3aee7deea0627d6818a26e750d832072c3e23aadfb602f |
| SHA512 | 3ae6167d09614d30f48a382eab31e92a44b0076ca1192556fe5f7e349955f1cf54a384c9071e10bd0df99ba218816b02a4e7e51172c2a1aab8cdb06ba23fe2c9 |
C:\Users\Admin\AppData\Local\Temp\JQIwMEww.bat
| MD5 | f8d344f7acfd6a6054d4e22e74cf6a22 |
| SHA1 | 1456103f09959dc3afe03972c4a9ca4373c49365 |
| SHA256 | 587fd2dcb8a67617c9c503f634cc6c426511a72903392350d331b7657b96b47f |
| SHA512 | b45181f76e27b41ab0d29f70c899077444e051167752280374b48991409599ca02a22e8c06dbdb485160b844011bc68d07dc9d82e1a0dc2e0cda29fe22be9f93 |
C:\Users\Admin\AppData\Local\Temp\eQcg.exe
| MD5 | 1114f9a4a5e12cbfb3c25983ee3b6faa |
| SHA1 | eb2eb150337be3e8d9a72387152633ca19643ad7 |
| SHA256 | 7a54ffebc306b9429b7c0ee06d1d9a3815d6a6e373a9802f24d984a58a3a734c |
| SHA512 | 4aa4c4656d1a28f4db4e50443fd40db39d0367fe50a5c3af73d77b9176048ceb7b2cc9454b605b3ea8097abfa8010f754e127406213dc8d2ff485ff19a335133 |
C:\Users\Admin\AppData\Local\Temp\kIMI.exe
| MD5 | 736ee95c59d0f6d71560790cc96f0e71 |
| SHA1 | c7c0ddf8a9e6b9293de72dce15998826e809cf86 |
| SHA256 | 5d3d0097bd4d4f9244f9b7455dc0df0bf40b7e324699802c0e1d6e04333e5f4b |
| SHA512 | ef44bd1073b382f2d228b27e98d3136d35aaf76805077706bcf273179d4b78fbe26d23e15bc8b958cb9a04576254a35ec12447f882ee22fe298fd5a91631d96f |
C:\Users\Admin\AppData\Local\Temp\QYoG.exe
| MD5 | 90d477f2907a3bc991501702db34359e |
| SHA1 | 637020cc090a57a1de9ed7bd50b159f2a3d7f993 |
| SHA256 | eeb20368b6822f83b51068246645426e79134c4eb77faa558dd1ecb6c280f314 |
| SHA512 | bbb3fdd7ae0288953db1a2cce3a66f1bf646f3bc95e27992d41b0b45cfed2340d4d9bc39a703b11a282361f4f41a580400da059e3ae33db53cc77182c0ab0cc2 |
C:\Users\Admin\AppData\Local\Temp\IMww.exe
| MD5 | 05dd4b153c0027805c13e3e3c780aa6e |
| SHA1 | 8e7ae26d3f6cfea00f5610adf513232895ef1ca8 |
| SHA256 | 5247d807cae8c3de7629146bddb4ac8dacb505932c0c473669914e5032a29103 |
| SHA512 | e1438e9f9a1af671af45500bec1d74ace772377930caf29f11cd32e811a474f7b59c6d0f5d7dbc3710c910f77af4e2035846f79c442c9f3bf4a8b8f22d15d0cb |
memory/2332-1270-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sMAK.exe
| MD5 | 488ff98a5e1b1132192f83b70711e084 |
| SHA1 | 93aa8b63e84e2f3c70c042de3389ad1b710554e1 |
| SHA256 | a373bdc1ed983ef5946b83a8fdf0c4d64dc078871d76483c25a8e302527920be |
| SHA512 | 495a6f5e67ce8a6e955e0be0e849565ffaf0b09f5c52f4a9d554946ffb8a5415771e8ea7b9d44f672778dd01fd52e6757f1b1822a8866e6c87cbfdaee478361b |
C:\Users\Admin\AppData\Local\Temp\GIko.exe
| MD5 | f98e030d6b1efe0b09b5630f276ee1cb |
| SHA1 | 55497511eb23c80978a5f66565a4683a78cd0cf5 |
| SHA256 | 26bb788a1db972ac5cf20e25aa7274a50d5c933848baca5cb9749cd0c89fb608 |
| SHA512 | 6850efd24b11dccdf27b3333f29632034cdb74ced90da24ebba8c94013935061cadf424b16263a6ff265b9d54c2cb927f4287d68d6978229adab3929ea6bc24e |
C:\Users\Admin\AppData\Local\Temp\OYUU.exe
| MD5 | 5f3fa31f19d82383397cdda280024ab3 |
| SHA1 | 16a085ae4f1c162b823a2691f570d0f28fd8b9ec |
| SHA256 | 5d210f48b6fb13ec2216b2366a610b78f0f0507ad07f32f05f2044e2951c76c2 |
| SHA512 | e033cdab2bcda812ae97d98ea9325b80861ae5535f90d3495b5e242b510ab0f0a9936ac483aee3dd182a259d5ed85b51acfcf9afb34521be96239b694cdc8184 |
C:\Users\Admin\AppData\Local\Temp\CEwMAAYU.bat
| MD5 | 7027d5f60d3f08a4f545bb8292652f3f |
| SHA1 | ffa038d689ea35fee92fb59626fa9583f98ba925 |
| SHA256 | 328a979194701ad0075979d1c2de2caf5febc5922aea9c45eb46a7b07e7f7d61 |
| SHA512 | 35f154eb5f49336c72a4d456be329c779ec565c698a631149a16bfef1f66d9bd48154db371a41d7cdd7fe1deba2066230c8a4b81128f6c36a5d74822e2dd7f16 |
C:\Users\Admin\AppData\Local\Temp\iAAW.exe
| MD5 | a9217bc8da84bad86b8c1e350b6547df |
| SHA1 | de59e8b93e14153217b51b320b0d0e8ed7624f11 |
| SHA256 | 551ad663836d369a60b93abc414b0ad845d8cc2e5163e0fa7f5428c4b322c81e |
| SHA512 | c871b21f2771feb8f9c592ddcedd9e463a35532b6599cb5da19451d3de5104e08e51d1bf6f9c0e178124bff1140978a738e02ccbe13f8553939a61f16bd6bd6c |
C:\Users\Admin\AppData\Local\Temp\aEwA.exe
| MD5 | c1946410c90a56bc3f82ce361db8ab5d |
| SHA1 | 58a4bab0e5ac12f0bcd987d99e0b930f767ccb2c |
| SHA256 | aae2a90b943ab583f1c78bd15006ade89f3a551426ac20781b8bc4c690edada1 |
| SHA512 | 2ac38cdcccd6f1fab10ebbffa65f2f7655525ac1494e7b7f7aa582cb2db3917b166d580d7d42844b2cc390746ac9d00c00beb909246fa644a53dda3f647a4eff |
C:\Users\Admin\AppData\Local\Temp\IEIU.exe
| MD5 | db9d33939abd578a9d15affdef094ecf |
| SHA1 | 69d8187ddb47f9d8525dd9c68c9b4354a14773ce |
| SHA256 | a1095da451466eeef4a281f5245a24bf544391c2a29e2b4c719a3213d774ee0c |
| SHA512 | e5d2c2f22a5937962e7c75dfe37a557bf7ebf5d2c5bac2d2559a3809b6097756181f635bd9372f93828053664976d0e313188f58323a1820e335274db50a34ee |
C:\Users\Admin\AppData\Local\Temp\wycA.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\iMsW.exe
| MD5 | d442ad1110237ff8a7a91ba68d93815d |
| SHA1 | a4ab1e7d8e6601d558366cc03628d5695c2b8c81 |
| SHA256 | 728cf75c8db6813c225e689a5c3bf113fa8d09511a00a6258340f5dbfe4780fc |
| SHA512 | 4b35501f0205dfaf665b35e8153b69415da37229fb3f398c7642de98eaf3b92468634c95943c00f3c91e8100a1f7469992059c8c841a0d2f421a59903d7d922e |
C:\Users\Admin\AppData\Local\Temp\MEcEQAQI.bat
| MD5 | 7087f18b6fdd24a70d405fc8de266869 |
| SHA1 | 7d23473ca5e8d74934e4382b89a3599e447f686f |
| SHA256 | 1a6258631451a0451a58b82b24c4de366e9ab18a5f2b924f5dfb80f6827cb77f |
| SHA512 | e30b5ae744abb4229846dbdf3a1a2e1cf4aefaa85a10d62b9f2858a473b8c6c403ce7929f179c1c1353a2f7ffa2b8dbfbf36611211d3512c4a00a1866d0d306a |
C:\Users\Admin\AppData\Local\Temp\MsAc.exe
| MD5 | 79efe5afe2a448f5d45258c10b99e565 |
| SHA1 | 12a7425ca058765687159dcca74f600dc18235f5 |
| SHA256 | 25273442b8d7d70bfbb99ae7daf9d6d2b865bda634d1ec92af35cb827b07ef24 |
| SHA512 | 134a7e4446f498066c2b50dae00e37100d1b4fa3c255767d84d5fd3b60531875a188fa8fbf8618c14b8a3f18705c846ec10802402439d711a0c5fe869123b249 |
C:\Users\Admin\AppData\Local\Temp\uQwc.exe
| MD5 | 25591c106296b98cd09fc4dbb33037f4 |
| SHA1 | 8d9a56fd5ad3b2fda06d187f39355b4172d0b899 |
| SHA256 | 0b6c64cd28ee0d556ee24c8daff6c6a5bc0ec5629ee70761d0e5d674eec2890c |
| SHA512 | d76a86a10840769f166957bd35c86b60da32a1f586733b160b2117e51dc286bc9a8bb8eb672d9e52e6fc9784984a763d0257157b9dd92d11fb1d40afe50703df |
C:\Users\Admin\AppData\Local\Temp\GIwQ.exe
| MD5 | a200b70e14a0ded0e2451e3d91842490 |
| SHA1 | e37b65b96c0eeefbaeb45edcda323344b9b0e6db |
| SHA256 | aa10680e41693388861ed2ebf508271d46d2f136bcc01eefbb5bbd74468332f0 |
| SHA512 | 8cc1cbc525525a8fe3867dc9407f20df2ed43daf0b8d3f49abc2540fe58899806744af27c4f235f7a50f9137f02e5fa6dc2d999963b2084191e81103456b8682 |
C:\Users\Admin\AppData\Local\Temp\cYEM.exe
| MD5 | 6a827537265780d449ce6f1e2cfd0376 |
| SHA1 | f4d066136dd70086da18e9fd357ef05c5b45446a |
| SHA256 | 2b27146f0a872141df83c3b204913c9546f58feaeed18c9de695a243f074aac8 |
| SHA512 | c97e5b3427951580dc2e4490dbf8c0ebf0f2d8c27619022555cee82b120d0625758bd9c21e59f4b1cb87f49530d8aacce68c841f1efcdf8bdd6d0435fabb5ac6 |
C:\Users\Admin\AppData\Local\Temp\eIEU.exe
| MD5 | ed09eb8d960a193fa6a30cd0461352fa |
| SHA1 | f2738db4990be54552494847898d73effbf6e91d |
| SHA256 | f0ea2d13b94c898a6c321cb3e8610e5be8c8c167dcefb654fcf25f6438bea797 |
| SHA512 | 16f807caca426180eb5ebba0e6b95f5047473a117daceeb9765feff31c2b76a528eb61dc718f21036f01387b2623196102d3adbd68ecdc9d65b6c7abcc362b93 |
C:\Users\Admin\AppData\Local\Temp\akQK.exe
| MD5 | 2b6633bd63c503f8a516110ad528c0f9 |
| SHA1 | 5f992937069fa8d45c467a52e6a66e9b05bba58b |
| SHA256 | 40da5ffab0dc771a34dc2d3b7ba33b79fa8ec258cb66d0219b9343eb76215e74 |
| SHA512 | 20db6dbb15b8f6480dd4392c61b0ff5b1abf2351452c1ed31b624db6df17862ee7e5c6c820b8cb05862d3ac5ae6676ac74925a3a9514e311966d882cc2b2ad6f |
C:\Users\Admin\AppData\Local\Temp\ysAM.exe
| MD5 | eb363e41f8aa89c88b2bfeeae7501241 |
| SHA1 | 3009161688eb0a47e25d8b1f3877d3e3f25be272 |
| SHA256 | 74f2c34512ac77c9c9d534e1f66f00b6e5a60c9708c1588f742983e9b350135d |
| SHA512 | a263e994afcbc0b4d9c30d1e34ca6273360cb6f7510ced3318d189eb4a2114be3f62cdd8817c89471bfe3c5b7542d4cb14cdd1fde5bf1d7097f76421152f9e8e |
C:\Users\Admin\AppData\Local\Temp\wmcgYokI.bat
| MD5 | ec4271912131a617928c110d80442585 |
| SHA1 | feab98f9dd8b6502df834d86025d75a020241223 |
| SHA256 | 7b0483725108fb7697a7238b3b66ec40d80705812ef9cf92f87fca2bee5c854d |
| SHA512 | d1b927fda00666b969cce1b56eeec982e7256ac1a413d2f61d078d4c4474607a82d906a572a4133c8859ecec4082d1ffd98fa4f4ad9e543cbdfa9b3078788372 |
C:\Users\Admin\AppData\Local\Temp\KwcM.exe
| MD5 | 80b5b11eba6c69eebad5dda0e235d5dc |
| SHA1 | 019da3428a82543321768fc38f12e9151783c7de |
| SHA256 | 4f22f2819daa6019a7c7c6dbab0efeb4c51200d96c2ba03aacfa244d88d16591 |
| SHA512 | de12822bd4bb0573cbedf1f59a4d2b615ab039c5d2b3bfa5718ff25b77d33b716388cd5c0423e0c6767d2c108642a2ffa8de8bf5526271a3d433bb3e25737730 |
C:\Users\Admin\AppData\Local\Temp\iUoI.exe
| MD5 | fbdb0be8892010cc9bb7dc970ef1478e |
| SHA1 | 3126e152d453cdb73a41f0f17f1dc0765531de1b |
| SHA256 | c605efc74f6e088564c327a46b4867f2e4d734b41646df496cbf222c00723418 |
| SHA512 | e5bf0e08e169bc161b9c6f82ca60609af37b29b18cad8ce3db6671fc8c2616760cdf07dea0cb48bd1eb227f72b3470aeb74c5f699a1d6700f1e2291a3665c3d8 |
C:\Users\Admin\AppData\Local\Temp\WMMk.exe
| MD5 | 660390a81e5b0110444191b21375c5a6 |
| SHA1 | a99b0f6f6e2293a742a24b368d711e1af54b185e |
| SHA256 | 0a61e5dcf4b39d42a254392876eea625ff0b4b9d61e03b72f95531350506e59b |
| SHA512 | c75672267928bd68879168c1c4605617c480eb970dbc1db56c9fe5b4b8b74cda297b21d1500823902b8e75c71065f39463668e1789b941e311611c3c02caba0b |
C:\Users\Admin\AppData\Local\Temp\IgkK.exe
| MD5 | 8a93f498a90f28b9e727b9b40e9cc09f |
| SHA1 | 92e6080baec6ea4db0d4dcf267474ee7e7fe9678 |
| SHA256 | 832b6cee5d57753e48edd0bbdaac7fd0f8267a072f49107f2def2668d8a57784 |
| SHA512 | 2b5a3f8823b957d0ec29670090ab7ebd66211df0a2361798f1c68576f452381b932d6303a9efc237bf5f07ea0d862c0476fe576d6d682b52cf8b18ebfaf5329f |
C:\Users\Admin\AppData\Local\Temp\EEge.exe
| MD5 | ecf4abbba7c72a4156c3dc1a0a699545 |
| SHA1 | fd9a12e69cb80999777284698ea182010d931ac6 |
| SHA256 | 72149d364e0f4bc51152f5f9b41ec9aaca12d575aae82b75a1acd2188e17d46b |
| SHA512 | ac61064a1553f0e82d673840b62c3deded0b596663a021e619f6427bd1be68e391e1952bfdfbc74d86b642155974ded819bea7b367e23feeebeff1f748b85fb0 |
C:\Users\Admin\AppData\Local\Temp\iUgQ.exe
| MD5 | 4561b6c24f4f1b6cc7b435958452b9c7 |
| SHA1 | 6e7c0c8116c09fea28aa3e39b010007dd6b5c63b |
| SHA256 | 41d90e25d4bde96e7244aa5e352d51debe47bb87f70e7c05e36dcb3128d54bac |
| SHA512 | 8217fcc8f3aea2d04d6d72c3f4ec673aee3cf0651c1eaa2ceced918ab71aa588bc1ec802c4d7250796e2943a9178361924a8ee9709b5dfd4722af7c6aef54efa |
C:\Users\Admin\AppData\Local\Temp\EIwc.exe
| MD5 | 0717903d94bda9d0059b78db44e3ac4d |
| SHA1 | c25d596355d0f51cfad6362e1ed11b31e660980d |
| SHA256 | ef18666231b07146d41c78da5bd631bededd0ed8557c5af9e799a4dafb9fa991 |
| SHA512 | f0e38ed78ce59810d9b2a454cec6c4fd219a80d6f6c3c1550e63b4cb6f57967f9e2546b92d8af1a936231963f7ee539531633593a448d1669738afe297d423c1 |
C:\Users\Admin\AppData\Local\Temp\egMS.exe
| MD5 | 55c21abb4f5a50b35b5fb79b842729ba |
| SHA1 | ad9bc71872ee24fe6f1baf5151f2bfe3ce18397b |
| SHA256 | be2bf459ca5d923a6cf6ef8c2c1a8f9bcab25c67d5a7cb2f4e98bec8fb679196 |
| SHA512 | 65ac48269fa8070731dc11778638cba7ab06a11a52d5a0e76936228660d04d0860bd42aa9eec4f0f1d3dacee1bffc27c9973875915dd7699b028bff03e6b3b82 |
C:\Users\Admin\AppData\Local\Temp\OoQU.exe
| MD5 | 4090a02b7ed1dfa8db10e7cef85e6fc6 |
| SHA1 | 731aa252542715b54c136660619987debaf2af15 |
| SHA256 | c1aceccb153436693bb839778ecb6679a4ebbd23aedc7250fa539080c7583c12 |
| SHA512 | 0ed34a8eb115238b1a499d27356f4e4f2b635c4229c64a5d312407dbd7a86dfb8e93585620b4fe1e496a5773c4a7ecc98183eb96d1e90b20a97c295b723ae10f |
C:\Users\Admin\AppData\Local\Temp\AggogkEg.bat
| MD5 | a4a012208f90bc50a11e9a453c947fe1 |
| SHA1 | a966fc8a49e160d23872328651e07dc9f40f3ed3 |
| SHA256 | 40fa6dec924caaa8840ff2a7da9594f7641947a7d03f7820ca5abf0bcbc4ae76 |
| SHA512 | e609096cc603759e9a328ecb62b5621f5d5d39b182d292ecd6db99c0ffa871afc3e792cbae6198deeed32e4d9709ec277de1a93f888e49c3b1a5e3f08d7e144f |
C:\Users\Admin\AppData\Local\Temp\mIAU.exe
| MD5 | e38670e66a26af3a7b2b12080cbe8300 |
| SHA1 | ac4ed6f6af5e6b80fd8a2bd3d981bc68a7b97c19 |
| SHA256 | b57ad2b029a01e97c73eccd03dc6390fa334092e2de014d2c32e65d510f3df5b |
| SHA512 | 81f189d877b61d5c7f9304b9db5affde23e0d2a353f40c1bbda5dc738c40caa9ada534e155f140cfe247eb048f08bc938277c7af4e577c0ecc0966eafc935226 |
C:\Users\Admin\AppData\Local\Temp\oAkY.exe
| MD5 | 947f96e929aa0fe4447ff122b1dcef46 |
| SHA1 | 70d014a1b86b4237252dfea63768d6d99e8684a4 |
| SHA256 | 6321ac1407317508c847ceb5b7cb3c18c80596bdd030b5c9c3df042884711a1c |
| SHA512 | 01c498238b8bae5eed1145938a66a74b32535d3ab918c37483cf4141445604d7ac780c41f1570be204063405038c13b7d918dfce16e6a2f5e22fc3fce67b4d6b |
C:\Users\Admin\AppData\Local\Temp\UoIU.exe
| MD5 | 649b379b4b7bfdac10e95fa8ef1daba3 |
| SHA1 | 6da0c37c8f7117cd94ae31cb5666d5c6d10f0943 |
| SHA256 | db44e3fb05302f5f0c11f369fae789304adee49bcd4bb687aad821fc38b7a181 |
| SHA512 | 2285a02013dbf16ee9425de739bcd5ea2f601db0426044c13ef931cf0f0caefdfb621bb68a8a06240f6f7e6c7d2746d67f55bd2e3acd89342b4113e060d891ee |
C:\Users\Admin\AppData\Local\Temp\AkQg.exe
| MD5 | 9469fdfd34049ebddc0029f3666d7472 |
| SHA1 | 3be31d5cdfed099fa76b28d50f7b9c79c74bf29f |
| SHA256 | 3a80a50568b379a47dd233816dfa7e5130572817bc81972441ebb18a616c974b |
| SHA512 | 765026dc8685951d40cf0557f02655dca38d11006e7adc980502a6137045fa0d67663e5236c57fb0a5a2893b8e5c0f017ef07b23976afb430a021b7e93869ff8 |
C:\Users\Admin\AppData\Local\Temp\uQwk.exe
| MD5 | 7ecaee6b398a9f82386c82cb8e95e1a3 |
| SHA1 | 2c26dccbed0880972b02323be6510b6a46105f7e |
| SHA256 | 74834f3712c8d54304f32faabc653e8628c7b9d50e388643be2bf3665f0ea5ee |
| SHA512 | dd9f8a56d52dedcbc136d551d6bc86f209fa0a7409dddfcb1f784f68681b3a95d3ce6be83a8524b8e58d4ec19e08c606266681ee26814beb4ea779193db63fc4 |
C:\Users\Admin\AppData\Local\Temp\pGAIMYUc.bat
| MD5 | 95eb353f94fcb974b01d5cce15b0ff56 |
| SHA1 | 9e8081c8abdce249238c6cf960bb6ea5e41e15d2 |
| SHA256 | bba10eec4c8869fba1778fc5d379d09aa5dba5472a3c7f7ede304cda6cbed128 |
| SHA512 | 2445597461373ec7de7203f1f4514d4b938b539025e81982f740dfd22e18e4ab5af3c6d1f74cca79530fb8273bc9dbca7c172ea511fb90dee1910b5922a1eb4d |
C:\Users\Admin\AppData\Roaming\InvokeUse.pdf.exe
| MD5 | 55cd61ef61da4d386259699ffbd327b1 |
| SHA1 | dece4e0e9441a9718a1e7e077539ba1ea73050a0 |
| SHA256 | 4e131e0b3096235b7322d80250abd821a29315ef0d59b9c57654206b54a679e6 |
| SHA512 | 717f2cc7e6d9145fb63404a8749f97a87d0d4905a78faa573f617dce71078747f1480a432e27a2f7a25e3482b9844219f794c47effbbbfd01a4035d0beecbb41 |
C:\Users\Admin\AppData\Local\Temp\sQYe.exe
| MD5 | 673bc0dadd2a6eee6cfad404a89c49b7 |
| SHA1 | 5de4e319b08236a0e5d55bae4f61ff1cc411497a |
| SHA256 | 7acf73c8ca87c34c232c5bcbd08ea2a76ddb54b8a5509d0720164d6d4fd78f8a |
| SHA512 | 07d96d745ea46f7df8155561fa0352dc7d59076abbb6cde94811b4ca48d282efa91e59540f2b810890d2d39cf7336183bffdfee168e24944d5fdff0540a966f9 |
C:\Users\Admin\AppData\Local\Temp\YEku.exe
| MD5 | e2d91bee59644c8d125af91167835025 |
| SHA1 | 83c802c2fbcbd2f82ae480b6bf427fea5274822a |
| SHA256 | 340205007359d22852d0c8947d549b632d3b23722865f0970e74894bc445793f |
| SHA512 | 59747ba337673fefa8d2c337757287ffa515f2331bd74c037a66fa35761762dd97439c4a445a92c5d74ce77dd16583739268f63a4b10a6bc8c602e17c75dd2a8 |
C:\Users\Admin\AppData\Local\Temp\NsgcIUko.bat
| MD5 | 02a5c6ebd9f7974bf7a25a9840e77a60 |
| SHA1 | fa6ae670686d6633fdb801de609848c1fb4ee1e9 |
| SHA256 | 4075802806d5b877017aeaa34a932b563ec530e308e37e1a0c7e67fb59dd214a |
| SHA512 | 7a350e8ccba3720e34e372df3e245355ec7ccfb1fdb633144aaaf05d0f9f605986d9fe3b7cb645c80eeb4d9312539fd9a6c5acd4b110e7264de487dc3462fa9f |
C:\Users\Admin\AppData\Local\Temp\WIMY.exe
| MD5 | fadbdaa232cfb15b6ad63b8a4588b8aa |
| SHA1 | fc5da1657938f569123f7e42d07cf1f61c62a3ab |
| SHA256 | b27e97be2e2167481eb5b8f95234ffb22adc39e0dc0072e998a7f2292844d481 |
| SHA512 | 3d8a0cb6ce85408010a9eae832e187f3a0ca0d5b4995486805bf3cea0fdce634f874228a464ff4518f76c86b133ec5511ed33dd81465922f4771dbde2e04a36f |
C:\Users\Admin\AppData\Local\Temp\qQsY.exe
| MD5 | 7daee096cb45ff46bd973005b43ae6ff |
| SHA1 | 26fa8abe7c16fb5d59096aa1ed284ed819404946 |
| SHA256 | 2d71f83c3b7b8d6f5fd9054cbc97f1a03902bf7101731a5b2834084ad885cf7d |
| SHA512 | 5a7a9e1c2b07366f527c11ea912b404e816fa360deb7fa45435999c342c38a4ae7e62f73d28028693c78ff613fcdcbc44c6cfc80205f7ea9ac0dce9a60585411 |
C:\Users\Admin\AppData\Local\Temp\owsi.exe
| MD5 | a48eebbf7764b8757427eed886ca64c0 |
| SHA1 | 7896849655e3a79bf9276378c0eb36af5ee4bebb |
| SHA256 | 0e083a0b71956552ccbe1314fea675f9e16ee548ea52dba57c165f4090c1ac49 |
| SHA512 | e3c8d7b302e99a71bb65a3b0fa2d770a35ad9ae0323b26e6d86fcae824cdb14549babb1e24da5d6a0c4dbed6e82235d7899ce616f5e9ebe90838f3c1fe5b5984 |
C:\Users\Admin\AppData\Local\Temp\GYEC.exe
| MD5 | 3249353c34764e8a409b15f9c5405daf |
| SHA1 | 4ecbb6962021a68c0b099104fd5d7d2d894ec304 |
| SHA256 | c322be791926315d141545a8be066adb7d70ceb3ecd6d2c5664c5bd90132188c |
| SHA512 | f224f5ada107f3dd7bc80f99e05b5936444e9c20ddf02862e4caecdcb61063edbe3b122f09452662ea0079432a1c23b6aca9ded95c8d45a894ed565a5b9f4c50 |
C:\Users\Admin\Desktop\StepInvoke.docx.exe
| MD5 | a5328c90ce9ba471c3807f4117bc333f |
| SHA1 | 2feb4678d237ed26b1d292543cc48ed9a2c9c66f |
| SHA256 | 068e667f105a25be1ddd7e1f05a600610395fa877303871ba27ae700c6d88bb7 |
| SHA512 | 6a18d4c2eb235efb542ac3a8184fdf8f33a68bc0ad98c1a62ab7771477f224e040a4b2cd0be2a621e57f5a25b7059f2b2784a82b4cd2e9de5a413b195e07da9a |
C:\Users\Admin\AppData\Local\Temp\Oaso.ico
| MD5 | 8e03abdaa3016247fdd755b7130384bc |
| SHA1 | 08dd2d9541e1961b06957fe9a19ce83aeff51a5d |
| SHA256 | 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8 |
| SHA512 | e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f |
C:\Users\Admin\AppData\Local\Temp\ggUm.exe
| MD5 | 988e381ac719cc6369b418bfc81296ee |
| SHA1 | b59acbe6aa1e43777bdb9122c4e45adee0bcfec7 |
| SHA256 | d6f3f94374500ca2718a9c10ac444af07640dd32ace05f80dda1df29356e6cbe |
| SHA512 | 7438e42ea3259f2151c1556f28b85bb1b6827ba586a2465ba88562c18765b676057358b6267d57b790fa1f43e1de152b94031d0fad85f77f171622805a3a2dcf |
C:\Users\Admin\AppData\Local\Temp\vEIMkoco.bat
| MD5 | 665fe9686b3daa9d0db64e9bf5eb8f32 |
| SHA1 | 29fb7c248aaf18d21b5308f8a50ad3360833e155 |
| SHA256 | b19a2eb0e434affc440513671ae92aa424a544d53a4b9fdf6fa85f1d08cc136f |
| SHA512 | 6ba5beea56aceb41e11a6f0acee0bdcea8664d6d1d0b7d16ecbf8f8b95d896c537d9254853e9103c944721f9107d671743c37e86e9c4384a0b7e290c630cb8f5 |
C:\Users\Admin\AppData\Local\Temp\iUcg.exe
| MD5 | c35b14115cdd53eb00e22764e443df13 |
| SHA1 | 64a31130fe7a8e7e5f2548a7ba0aa30c9ad96929 |
| SHA256 | 3e512ee6f1620f63d3d39b1a499ee52efdbffd5f9953e716163a82578e2d8472 |
| SHA512 | 86ea29c33bee0db7579eb7ba0ddca1d4acd6f6e6dba37fe2cbcd2e5c32e9ed1f4b2d115f37e3f6a5a0086d02287d1fd711aad96773873867ff3246d264a66dfb |
C:\Users\Admin\AppData\Local\Temp\ywok.exe
| MD5 | b08e3383c94d06ce789fd841cf7d68a6 |
| SHA1 | 74f15c483bde86dff6d5718337a141dfe0fb5047 |
| SHA256 | cc69396ab92c3482fe44a7ebd0846dbc7ec5bb6406351b84626e9b0848e6d7e8 |
| SHA512 | 2d8e587623009744d654fa9284b0ec906fa196e648f3944b809995ef86f6b0521b3344a33a490b84ffc7f534b63d534835dd52a384f2a8993470a5d48d23ebff |
C:\Users\Admin\AppData\Local\Temp\UmAY.ico
| MD5 | 31b08fa4eec93140c129459a1f6fee05 |
| SHA1 | 2398072762bb4d85c43b0753eebf4c4db093614f |
| SHA256 | bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6 |
| SHA512 | 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d |
C:\Users\Admin\AppData\Local\Temp\QQsw.exe
| MD5 | df739cf364826efdc39cb92960e784f7 |
| SHA1 | aac5c8b843d77d138c2ef9d2c46f942d4e430a4a |
| SHA256 | a45541f437ac68a05f40ec952e141f0d565abd74cc41975c96571f2c8a78065e |
| SHA512 | 44880db98f596950cf700832d41091c1a8c27ec082b94719c9501df36a69f1539fbd2822f249ab46e20bf8367eb18ce6a6610ee03b82b18eb7aaf7bcb6f8cb9e |
C:\Users\Admin\AppData\Local\Temp\eksM.exe
| MD5 | 462cb7638900101394c34f91713c2924 |
| SHA1 | 0e53ac059e540a19a3508cd85fdca8bd5771d25e |
| SHA256 | 31ed89c58baff34fe199fa5a11eac36e62dbef20b133ca2fa3a1314149431662 |
| SHA512 | 6438de1e61f777d504765524561338d466d37efeebb5b96812b9a7faaadc8073802d1fda58130fe3d7755957c80400f808ad150b92cd8189baca8945ee89cc23 |
C:\Users\Admin\AppData\Local\Temp\sQgW.exe
| MD5 | b7fb1010910da35e167b26ff393f816b |
| SHA1 | 32668f002b5033518e58d62630878d5c080d78b8 |
| SHA256 | 9d6d07a6f807d408f1550f2dda18b82761d8479934013279bad24118d06a6b66 |
| SHA512 | 66d52e62284b08a6c17caadd6341ccf142a930de8209b9a5273c5e7aa00d0b0d3fc2e89e1bd07164be818916c040b3431df785800347c752da4bcc0b7d19cfac |
C:\Users\Admin\AppData\Local\Temp\QAYE.exe
| MD5 | d8ccb0738f3349a0b186af8b360ed828 |
| SHA1 | e3dba17e2c6b14d5ed450eb7d09e8f83ab6a9427 |
| SHA256 | 762f29897c54a58b26faf6d3ef4be8301da27a34a1fcca2db26de9655d1b1ff7 |
| SHA512 | e08e4fd2aff67f92c308087a0802abffa2160884af4c0e0e5eda37c1ebd8eba7a161aaa9dfdaca4b2c498fd17a239ef04b4ee03b58d387f25baac0cf4c364485 |
C:\Users\Admin\AppData\Local\Temp\Ugce.exe
| MD5 | 373f0078658e4be863fcadd2c3c3cb35 |
| SHA1 | fe5f4c3e7a1835aaa21ce8924f0ca12e6489d772 |
| SHA256 | 11ccf72f9ef191cfbd0d4fc6b54088f31c570300ef50762696ab29024a055c0d |
| SHA512 | 6be4de0988100d94d1eb7f10d3591fd7ce67bba5f6643939a6dd8d96ad1572ff74756f7dfaf403250c5e06a10ec9414dad02da1a43d51e02cf49de75f9fee674 |
C:\Users\Admin\AppData\Local\Temp\gUws.exe
| MD5 | 9d5edfa95386f4a535a998e041128f86 |
| SHA1 | 37e24fbc6c16c560e3eb0503af836385e63ff770 |
| SHA256 | 0c11095539105fefac7bab9f01281a013913b6cba7e810af4f5dfa1ca4f9304b |
| SHA512 | baeaaf431d2c740233e920082226ddd7f9bca7eac35bc2e95738faf36a7d4da4f8128d0b9115dd5d87283e9e8516c28aa666f600744fd7aa344f0aa6a488ed81 |
C:\Users\Admin\AppData\Local\Temp\vYAscwcc.bat
| MD5 | 6b040326c344371ae4041521742df79a |
| SHA1 | 052561eabe09de8b63c76b22217ed579801b7a13 |
| SHA256 | ef3b091dc9919fccd649a2d75c0d043c0264e9482d4d0819394eebd37004c702 |
| SHA512 | f71f1d2e0d67dac6704ba2beebd4f84e4bf9522f12184872b2df5941fb3421d9d7c6031d7e6146cc99825f4a2b99338660bb60299e38104cbfd470274a376504 |
C:\Users\Admin\AppData\Local\Temp\Gksc.exe
| MD5 | 637594ac35c505a301c83675c4aaed77 |
| SHA1 | d2691739b3d9bda0f76cdd9b44d7d0ad1b330ce6 |
| SHA256 | 91139fbcd06e3c9ea54bf735a259a22a46c0010cb13486b17ed52257e171761b |
| SHA512 | bca5a7627cfb4352e2ecf43dff48f34f29d350efc04580d9bc6518b1f88900833ac8c9875c464ded3f9cb225f46da7524f96f8bfdc384a64f4d0a60d460646bb |
C:\Users\Admin\AppData\Local\Temp\cYcA.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\MUYa.exe
| MD5 | 8b01888c22e8b8093c8437c813aba494 |
| SHA1 | d31ce5542052a9bdf15919c0b5604880c9becca7 |
| SHA256 | 4fbd98c2da5f92cd95837d8dc3b64879f7a1d39447241941e326f4b3ab1d9efa |
| SHA512 | c040c41d9a020aef78942ff0ec8a5d5eea5f49c8cac15556dff1b0c10e4bcf63d70eea310a0a39a768c2c989a5d65955ffadb13a229abbe45de12305a989e6aa |
C:\Users\Admin\AppData\Local\Temp\yUIS.exe
| MD5 | 1e7fa0e1d2bb00aa3be07849c496218c |
| SHA1 | d9d700b1ba1139eebe9f3825975d6f935262a527 |
| SHA256 | d9f23f0830aff2d1e8f66fbce930ae8515568ab53e7d2d44736c1f95983f125c |
| SHA512 | 4e61466ade4cc482ec46b02e4c189b69384ca4c1bde6de98e4bc16c02f73beaccec282058d734f72c388ac99bb682c8d002d79adda3ef89015d03a2f22a8a831 |
C:\Users\Admin\Downloads\FindMerge.zip.exe
| MD5 | d5c69f727e65f7b467f10d3c66495e84 |
| SHA1 | f1497120eaf7138edf974ccd96ab6a5808052a8c |
| SHA256 | 58fea97de31d0ac7e32a08c3187ffbbe7a48a2a2c6eb80f2aca46a295f42be35 |
| SHA512 | 7bb9f0c85a2337e9ba2e56bcd498572e655fbccb286464ac3e7d67f347288839882fb63dcdf0d93e196c64b3b455c95821503270381c9b78901a6fda3de5d054 |
C:\Users\Admin\AppData\Local\Temp\ocIk.exe
| MD5 | d322bffdbfbec436fa6ab3ec4aa8425b |
| SHA1 | 9ff3608971824886d806363f5f634e31f45e8526 |
| SHA256 | c6cbba88135dfcd9ba717e3e5a8a09d7e8efcf41c9fcefcf829fc631c6c477ad |
| SHA512 | e0cc6560967fa99f18fee28b6e55df08e86fd43349039d63c53b4273f188ed09055b067db198a3d01eb20cc7320a44fe42cb38c6dc7a37decd715618418d55e2 |
C:\Users\Admin\AppData\Local\Temp\QMcgIwUY.bat
| MD5 | 2abed7255a3f1bf1349c447dcb704e22 |
| SHA1 | f771ddf8f7f6f1ef69bd7c169917b2ee879c37f6 |
| SHA256 | aae56dcf9f33ae451022b26ce0e2d591072c5851adda45f2fdb07a67422bf9b8 |
| SHA512 | 207f16b1ffc841900be5bd845732574e19022b27fdba0685cc67493239144db826171126cf6f40762df2387ee427db587f695ffd558236051851663b5d94bf29 |
C:\Users\Admin\AppData\Local\Temp\skUk.exe
| MD5 | c63bad214f8e9f9ce10ce3cde8082168 |
| SHA1 | 35d83f3642318726ab6d3326dce7dadb43650ab1 |
| SHA256 | 6dfa6ecf6395af17dec40563b0d62b83e81a626bc6ce86b0da4f3a4db6121478 |
| SHA512 | af070534d2c43ec1f62d9126e3e47725ca71a1710243ce9b91307c572ae462b2c8c72244431763699bddc17d6946135ed69cbc6a4047cd86699b3b13c7414082 |
C:\Users\Admin\AppData\Local\Temp\UogA.exe
| MD5 | 92642a2a2bb4149e212c6d4fde267200 |
| SHA1 | 7ac59c70851feb9a0066681c05f68419dc7cee96 |
| SHA256 | e9627bdb826dc0f55ea7ab0e78fbfaf24e80b0d936cb5a9011fd9e7eca7b5443 |
| SHA512 | a4ac5612ecd75b4fb0d38a14a157b3c1c56d49040eaf2d3ce6b008ed68623d0f1feefadd707be2e53c61d5954c1d84e2a0dc54803d314908f4b7ed6564e0ac00 |
C:\Users\Admin\AppData\Local\Temp\EwUk.exe
| MD5 | 62a78d5d3a36cf67a58087718f3b86c7 |
| SHA1 | 41f4745fcab5dd68e5a9df351c60915f04337b52 |
| SHA256 | 0b330e124bda687a00d77b1b1efa7e0d495ee1ba742ae2985ed5e74790014bf1 |
| SHA512 | 8f46396552ddf924c0485ce24b838d348ebd01381d6717d440166530caacc1d8c22be52419ac8fbad9988a994c1d58b94c4788a9ce8f789ee1222d1d77673e1b |
C:\Users\Admin\AppData\Local\Temp\WQYI.ico
| MD5 | e1ef4ce9101a2d621605c1804fa500f0 |
| SHA1 | 0cef22e54d5a2a576dd684c456ede63193dcb1dc |
| SHA256 | 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0 |
| SHA512 | f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32 |
C:\Users\Admin\AppData\Local\Temp\SYcM.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\AMga.exe
| MD5 | 0e7d1f3d50bf5157f5773d4b96ade78f |
| SHA1 | 3ca93bb194b77e52f10be3b5d78bbe92a6768f1d |
| SHA256 | 002c510f64358d96e33f012b90458e552257ef8b1fc57758fcd2601748f6f470 |
| SHA512 | 3a692b736bde126d0b763eff12adc60c3d0a20c98f9bb26707b0f5d8e38e5b3363b48f5189297d06ca96573b6cc9e7b2ed097bea181c9e2c5f4868527ff0e269 |
C:\Users\Admin\AppData\Local\Temp\IkIK.exe
| MD5 | 8a2f1bdda6cec2f56b6d7ca63249bad2 |
| SHA1 | d97c72129925d71adf665a88caad1d6fd82a77cd |
| SHA256 | 08d547686924eb399b23e746ab6ea36846b484cfc1e775cc38f1ec05a30fa300 |
| SHA512 | 44e47a5349c7a097c618f86081831673f84b81b0b5699559a62429ba80be47116511e2b81d4a3991e4bd9abdc6149c8977b82fbbbfa126746891e094d9db1289 |
C:\Users\Admin\AppData\Local\Temp\EwMk.exe
| MD5 | ac3d079aa22dcac19ff595cc065e0600 |
| SHA1 | 9be5302e18644ff1beb35a7034d2a0e06fc56926 |
| SHA256 | a75975f7616f9e87d68608c1a4114955641b178bb3b13b232968d69a439903a5 |
| SHA512 | d460760f5010dcf5844a55994a05eb006e4f5b0854ecdfb978a09f0d4694513a66ca51425a55477f1ef85d6de3b5f7b3300f06795f1b7a2b143a98ca7d707fd6 |
C:\Users\Admin\AppData\Local\Temp\mYIS.exe
| MD5 | 2b549a64c2411a514e7dec38006dd316 |
| SHA1 | 4a2e63a4d85619bd4c878a2216fb15270ef49822 |
| SHA256 | 54019245f5897bab2f6b9e8ccd3380822e28e15decda8182513151c2c18896d5 |
| SHA512 | af71de0543aa5dd0049901c89fb89ac4773f0ecf789bf5e2017ec466626903d3f1a21e9aabd6c3638277a5888ece03ef2908e86183deacedf78ab72702f8cbd4 |
C:\Users\Admin\AppData\Local\Temp\WgoIEAgc.bat
| MD5 | fa74f8e5a7b7f3b3eaa5664ceaf3f8cb |
| SHA1 | 7453c0285cf7d8862f5dca2a4c7f5c470c323837 |
| SHA256 | 634c047b9b841a1ba6469cbd78f47a71e8e5006e8a1f1720286d6cd0db128244 |
| SHA512 | 7fe88445cfed27ab5873411794929da97f007d8910858b36b772aa21f4d71da646a1cbbde80a30e0dfbeb3e30b4516eaa96629fd1fdce2fec87da599cf2198bb |
C:\Users\Admin\AppData\Local\Temp\qEky.exe
| MD5 | f5ef96f238bbe6b9193843fcc62ab125 |
| SHA1 | bfb7f0ea80a5d6867b4651d14407264d9d0d953b |
| SHA256 | 0bbd62c4842842b564413d08fd55aef7780a1d0762e3f85740265731c4e6cfa7 |
| SHA512 | 0737bee41bbaf8733740f14c87c85e3a9bf62e5ef3f541afad231f2e87d663a5a239e78f3f1c832465885943b3c7c6ddb2363796e22db78c12fab43e3b52dab7 |
C:\Users\Admin\AppData\Local\Temp\uIIy.exe
| MD5 | ad4e1cfa87227481f457eb3ab63dbaf6 |
| SHA1 | 0adfea87dcbff3f3bacdfd8dc3c32cd39cbffa8d |
| SHA256 | 238e60b16e1decef94ba08cc35212526ead64f7132da5e811dfb7777934db11b |
| SHA512 | 52d4ce4a3fc08b9cb56a85937af4d45719ea80295e01a5cd0c265a740b1f4aab8b6016dadadaab7b14d3d1554fce5d258ec9621c325f129794b45fed6ac9d6b2 |
C:\Users\Admin\AppData\Local\Temp\YAMC.exe
| MD5 | fa3a6a5e6117c1eef28ae3a4180c78d0 |
| SHA1 | dc315d6dbacbdc93f288f51f92c00c6efa4ba522 |
| SHA256 | 6596af8cc3291502094dfc2ab2d65c854a54d98c846106de383e26dc7917e1f2 |
| SHA512 | e01c7ec84dd56eb824b86700ab9bb32bb1251154716cba3caf8064fb690596a9f40502478506c832ec0257fd95d57b826a9e490a4480ebbcf2f2c1fbc5f45641 |
C:\Users\Admin\AppData\Local\Temp\GmIc.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\KAgw.exe
| MD5 | 865c8a8f59277a0710b4f22040ea3393 |
| SHA1 | 480a8333b6e1611c606bffebe913a0f7473c91ea |
| SHA256 | d634654508c97c82ae1fd65eb35c3952f25234bb12d19b211d686befecd1bbb4 |
| SHA512 | 666f2a7c21228f0dd00d8a7a0f284b52af498f98fae5f8770ab1884eb167f9073e48a8f31aa628b785b43e577924b088cc194ac6445e42a6d94b2bdac4aa65a2 |
C:\Users\Admin\AppData\Local\Temp\asII.exe
| MD5 | e62a4772b20c7047267c2d01d695bac2 |
| SHA1 | ab73fd67c888a63f989550cfa4da3e52f4331855 |
| SHA256 | cdea27152dea47a44671113042f1c800fbdc29909d478d6c479c5b3f48987b49 |
| SHA512 | 3231e964f1f20205d1dfded3b43bb1dbae713d2b79ce523d98c7de62fb001136e44a4fd3d0751bdea7bb533fbf278897f7d633d263575788484527e8ee011d02 |
C:\Users\Admin\AppData\Local\Temp\WssU.exe
| MD5 | 1f76c847e27270d63914825954f197ba |
| SHA1 | 8a77f81671ec2b882ea69f046a4229d8dead7c97 |
| SHA256 | 0389597e1d2fb3fbf93e70c60b28c30ee18cb6fcc56c1e99298ba5f69e7c16ce |
| SHA512 | 8399ccfc8054532ef691586d5fda19470c22cc42cde0ba0b3a58b6d63f62ad18a8e5a9cd3c6b68c38206ed319a0e3b7de8ea21bcc5d4a1c6e2fc7e1cde560bb8 |
C:\Users\Admin\AppData\Local\Temp\Acgy.exe
| MD5 | c77044235fb7712fd8700e6ed2fb76fe |
| SHA1 | 452c155fe75c1e9cfb7aa0b89414e12f50e36f0f |
| SHA256 | e9063ea5f0c8fa34bf6c8512badc7c4205e9032177db63a1c922959c8ec50cec |
| SHA512 | 48370714cafe393443e6cf14885afbad7e19fa0955682d5a98c20224d31f74fe3ee68ba54619f88d4d3be7f87dadee5d5b25b7472f1d0e102876408c609b905c |
C:\Users\Admin\AppData\Local\Temp\iEoo.exe
| MD5 | 890ec2d3e502ab97c4fef8abca314d19 |
| SHA1 | 1c6ce073136c4cccb6745fd7b65da902f589353c |
| SHA256 | 9051fba81e20249b1b7b0489668feae636d1c77f55a808c1a1bec2e554ec9748 |
| SHA512 | e3e640aa784f493c05f16949ba0c6cb45b8f8176d4c02e56f898a643cfce65bbfab79a144d85233d1e0cb7b9784238a5fe156b955a846a1b28f550e6ad020702 |
C:\Users\Admin\AppData\Local\Temp\IGIQkUok.bat
| MD5 | a953c6b18f4bfdc0431dcee07ec452ca |
| SHA1 | 01a95f26815b3a61b7c5b25d3458b707c320ef1a |
| SHA256 | 3579f4dab7e0be45e0259fc36c896857bb91ae6137c74dba7c4679ed68778137 |
| SHA512 | 207c22a8b4d63750933b5650d0e8a260569ef398ca052cb52334454eba4d452f89b517ec72813258e10d22c7c650f6eb2838814e94eeb13b3c0d25e4a7ab9137 |
C:\Users\Admin\AppData\Local\Temp\GUkg.exe
| MD5 | 4e2cdb96312165f35a882267ceecccce |
| SHA1 | 8064e02b214012253ec4285ed44c5be8271d0c5f |
| SHA256 | fee6c4028b6ecdb1b10c20db0699a91330f8401a977cde7c8bff6116f86913d1 |
| SHA512 | aaf8fe86698c81f155d2a2be2e68309891f5ef25f9dddc75deb9b8d32828a32872ad0938978821c287abdf61697c83d43245b3d39f96129346be690156b9bc89 |
C:\Users\Admin\AppData\Local\Temp\YksU.exe
| MD5 | b7309629747ab19a0f57959dd3a57e15 |
| SHA1 | e837d8c2b17fc4d0ed7db73aa73478e8ce7a5b9a |
| SHA256 | ebd5026ca30145ef0a764849439fd2d76e2277950f926218479832db261e3aa3 |
| SHA512 | 7d4f49fc52fb4de23803fba809468316d7e5ec073354f1e2caa71d188bf3463c2100ce201057cbbf679ac753a12fdac304baeafbe5d11dc591a2a9fd21573f60 |
C:\Users\Admin\AppData\Local\Temp\GoQS.exe
| MD5 | 5d2748d3084eb6aa23e4ef1b3e5b3847 |
| SHA1 | 9151be66166f1e37afde3b7d2e1126685b3ae3f2 |
| SHA256 | 4720010645710790085308391cfd62fa5830f88dbad208f039fc663ce8435cbf |
| SHA512 | 06f8682055a8de2630b68efcb15ee5ce6b247cf11c52269968155506c8f83673ab22cc1b31292c4d777e81fa9c0a0ccfaeb2564830298f712d4f12f48b53586c |
C:\Users\Admin\AppData\Local\Temp\cooY.exe
| MD5 | 1b45de4375ffda20b924537025f61e55 |
| SHA1 | 0bc536117da7a9a57d1cbdf731c07c7a7a379fad |
| SHA256 | b11fecc6758d9abff4afab5367ddee8fda71bf720487330a44a5aed4d5de6c66 |
| SHA512 | 2817ae58b65ede8a7cbd494696205d7d8fadc35e7c8e0b16c0a07bdb61b8e350057583ea5b983bf63322c0e84bbb6c1fd8adad098556c5f61f4b7f7464111742 |
C:\Users\Admin\AppData\Local\Temp\EEEg.exe
| MD5 | 616cdf046ee76ab93dccf1032890fb7b |
| SHA1 | 2c281f64bec710ca871a9b93381fcbf99d6a8eae |
| SHA256 | 037b6f87ecb2492e52b7eb7df36a36eb67b55e0f1f381105a5d798b98fa73015 |
| SHA512 | 18dadd3d7b2a2b2fe03d3cba458b9570d3ba07c33268ec9c9279461e694b72c7c8192eb832139ccf21781eba19c582428f49c348e5d2f54b7a1c6e7ac5d3d73c |
C:\Users\Admin\AppData\Local\Temp\OIAS.exe
| MD5 | fee403bb29a117b74816ee3db123894c |
| SHA1 | ec35badaaba6e9322a90f1fab8977434da818dce |
| SHA256 | a197afc8412f9976b4ea9712749dde0efba34764433213f43cb33c3a0ebbbcd2 |
| SHA512 | 171b7c3a892a6006ecbeed139bf3a40aea2418498743a44f47d7d255cd01751429f1183d48d85be6ce1025c70639098cde7bb9f939d2444c17a4ca987f9ea10b |
C:\Users\Admin\AppData\Local\Temp\CwQO.exe
| MD5 | 9cbb373b28551352c3a0c2010ca9c295 |
| SHA1 | 4fa4967f8c9e2aa92d0dfaba31f307192724fa48 |
| SHA256 | ef6bd4a37229740e1d71eee84b68043e6c1100a0afdb2eaebf2500c87948a7c0 |
| SHA512 | 81e19e2d855d4eaee3824dcb75f62e4f71360758886b4665829ebe32dd3f8e491bb7748808f799b73c052efca07aa407074d40ad4838d4dd75a93ee8cdd7ff20 |
C:\Users\Admin\AppData\Local\Temp\BqwsAMYo.bat
| MD5 | 0a6ed4cab2812cef10e8a818b92aeaab |
| SHA1 | 3524f97ea391dc44a584f5272ce5ed92d927688f |
| SHA256 | 3ea3f60830005ca1d6b6f08323a59bffec0a6c971ba7f7269dc12600d172af55 |
| SHA512 | 131292acf3ee27dd815f2e144716947151e7e331deb933915a85549e4505bc0ff4f507269272aca6d98a39411b3e0da6812d1e398c79857003cce67df692a03b |
C:\Users\Admin\AppData\Local\Temp\oggw.exe
| MD5 | a494c3258c703450365cc5825dd74a3d |
| SHA1 | 9065ba2ed0f09be56b9c11e71b94ec193410b8e4 |
| SHA256 | 31813cc0d3ddefe5129bcb959c4ae6b9ebf56a2b2d0b13e1e214b1d8a894a0f3 |
| SHA512 | 03aaae54c685a168b720b8598b8f2be5fdb5e4bcde931d278aa65fa5bae938227ff4177301461cb8b1d1f470ac3519dea75efe1fd388cfe1c5ad7c6405401c5e |
C:\Users\Admin\AppData\Local\Temp\UMkM.exe
| MD5 | c9b2c33a875b4512343e081dc8e84663 |
| SHA1 | 674c0925c2a6edc13361cc8a2f66ae2446844bff |
| SHA256 | 6d2a5f8ba8cdc2ad02fa827cb3b4ba3263222de1dbbf86e833a141791d3269b3 |
| SHA512 | a9a456042074992359b94f3f46219eb137663ee3e627dba8c970f9651239fbcf44c8067242a4d8bfa2a56e7457102a4bf402cb87e9618e8c656aff199f9aa72e |
C:\Users\Admin\AppData\Local\Temp\gkAA.exe
| MD5 | 5c863f5fd32d99d8d2072da8512dc42c |
| SHA1 | 30d7b8efade1265c83b020c1265438c9895f1369 |
| SHA256 | 8703a40453deddba2f6b46a6eef46443ed9f2691e06f829d23557223319d5451 |
| SHA512 | 7124de5a9edcc0f02361ec31824a297cfc12722d94669d600aa0097429251629951ee77a5a9e147d3492a232443d44dede6d93964b196f4cd6e11b1e16bb8129 |
C:\Users\Admin\AppData\Local\Temp\ccYQ.exe
| MD5 | 9a0b874ce9d985560d784ec8ddccf57c |
| SHA1 | 08d50efac50d49968b5969e13f4c3e3681ed87b5 |
| SHA256 | 5e8681ab78ba2c930f21c972a8dfae6adbd20b2d19d77b88fdc881cfd8b6decd |
| SHA512 | 11f7efb43d1012dc2b6691a85d807ea4b4219cda36a7d943d7a25f23cf846527fa1cb7f4fa356f88d5a2f2a4577e6c02af9fed1c70412fcd8b2a641440c67b04 |
C:\Users\Admin\AppData\Local\Temp\OMQC.exe
| MD5 | 7f323b47c51688a308c2255bc21ac066 |
| SHA1 | ecf776ceab4b34c5049313108039583d743b87e5 |
| SHA256 | cd0fa4703db4c39e26b6468a5582492cfebadb58fdd15f716c5dc16e6c070203 |
| SHA512 | c76a4514ba56e637676949a83799f9beae63830739393ab1dcaaa6d82739d9013585d4870f3f617465e38303cf167a6ca45803aa30fb87f87cb6886efb005134 |
C:\Users\Admin\AppData\Local\Temp\McAY.exe
| MD5 | 14747ccad28358b94b43c7239038c8ad |
| SHA1 | f819b8601c1a801a0bd2059232058dbbefbdbaa9 |
| SHA256 | f978e3daa899fe8855c816202051ec94ade68560ef9e26daa9d5cc1a7759569c |
| SHA512 | af166cec97202ef0a4159e37d1117463a91be9136fa4ec77d52a3ae179d6b7bdb8c6b7b14f1fddb9927d271227201ba7fd26d29f7f82ce848523eaf6c09a3044 |
C:\Users\Admin\AppData\Local\Temp\oIYe.exe
| MD5 | 7a156e9b035bab32e33c5823f780b5a2 |
| SHA1 | de1a33b1ca1951e2c9deacb11ca61528681baae8 |
| SHA256 | 255c42c75ff51f6f7c6cbce8250ab95c4f5a12f03a37d152013afe1b6003935f |
| SHA512 | 02a0e359bdfff522e84f2559cda944b828f508fdbb550c7d81f20286294b39c033e1124151314288d4c1d8fe5b026aaca1bb359503904761b829cced2c72158a |
C:\Users\Admin\AppData\Local\Temp\kUYu.exe
| MD5 | 5c0cf23055c39b50a3f80d8af5a6494f |
| SHA1 | 057d20337d32f0e4d3ea7ef34ad9f59ec63066b3 |
| SHA256 | 21b04546e60fb0997ec8b206bfefe3322315b087358c5263997f1e21842bd9c3 |
| SHA512 | d1632f231373f80737f698a4102ce84d68f8627bfebdfdc324a231af126f389388fce9ba1b5dfb54e702d41fa15fafa5e14fac867f306fae227ce48cae3c492d |
C:\Users\Admin\AppData\Local\Temp\Wsog.exe
| MD5 | 17cf49d30ff2a9aa9a47c6501c69c3e5 |
| SHA1 | 28cc87d91838410ff9ab90f5724b50f9d519419e |
| SHA256 | e66a8c453913acecb3bd7f8c31770f3d80132c28a729322a10dafccb2ae462c5 |
| SHA512 | e9b4d45bff254fa807420064cb1601cc512182866332886d46f13314346c6a7f758f081923dc223a4dd85d52aff50788025203e8d7d559c3bcc2c45df8b701f6 |
C:\Users\Admin\AppData\Local\Temp\VCAwMIgo.bat
| MD5 | 46e54e59d81fba0b9b7bdc6ba4d3b1d8 |
| SHA1 | 7b0f33241b75c58d1657ac1b80df6adca1789b9b |
| SHA256 | e306d522f55a9c7e9b21a0a7223ea3529e561f387ae27a40ed0327efe29da074 |
| SHA512 | af6b99ee2cc1bf3681a76dc084244a8d4158471556db358d1be1a1bc5ea2e969bd9cd1305d9e4e91bb5e8d9d71c457ed0966d343b9ff60ce72b21aaff71c0015 |
C:\Users\Admin\AppData\Local\Temp\OEIE.exe
| MD5 | 082b42426a7869a087ac8128433fa33d |
| SHA1 | 6b3e12a666a3d43570fc11ed8744f89c56dd1a11 |
| SHA256 | b07cc0901ff8d9548c2f3672c0aebc849282c4017efb4246c2510ebc4ba66ac2 |
| SHA512 | e011db8ef5eabdccf0e642932730d93402e49373dbd1e3ea36294e08334ea7a26cd0454a1b940c0f6354be2cd994d1a1661032a0f02b9b38517f6b5829ca9bcd |
C:\Users\Admin\AppData\Local\Temp\uMco.exe
| MD5 | 48216daba1564d54a690a63fa2ee33cb |
| SHA1 | a0044cd6af3040ff7e874616ef3fa8ae670bff70 |
| SHA256 | 09cfa901992373fa5de5b3b127ec4a0271109762a143bce977d0120931d458bd |
| SHA512 | 8aa12fc897e0853efb22f8049a33f9b0d36f7eb2700aff6fca400bede8e37a4d9a9760a485637b7ec574fa1c3a536fc7f49c4206f7ad566e1872a4c8274ea59b |
C:\Users\Admin\AppData\Local\Temp\EUwQ.exe
| MD5 | 03308a883934e322948f4bfa6536b386 |
| SHA1 | 4dc9dee57e5f6a3135caedb85e7fb8b7f676b3af |
| SHA256 | f2274651f15fe5fa4c8285921d1404487990290191a2d6f56db7da203b280821 |
| SHA512 | a6804189650861ec87d00de4f0b27b66d14344e7e86f10c4cef90dc280a33b69226db4f9479b9a491c682c8659d748c4e1cafce1155cc9bb134dcb53c77e09d4 |
C:\Users\Admin\AppData\Local\Temp\iMYG.exe
| MD5 | 78bc291479c66e00e07bcb06c44af7e5 |
| SHA1 | 28b179d91dc8843165da8b974e196e73640b908d |
| SHA256 | f316f8282fa3daa867e8356cf7882f60707a1baa5bea7de84b39be1767316909 |
| SHA512 | 7f92ca0e40efcc42416082403bda8ec45fca28bd40911348a6f37f7c2ee41738d47330d4490b9ed382910185b261365a1f0a1c84d1f65a08bf18a71b865ed9fb |
C:\Users\Admin\AppData\Local\Temp\sQYM.exe
| MD5 | de3cbc314a8c49e54acc0f40fe94400f |
| SHA1 | 552e1f5ac631b6c190297ce945d3107afd424714 |
| SHA256 | 6f5558fe5e63036cd963705923c5cb82709c8e707b4ae3ff2a643f466ccd6eac |
| SHA512 | 5da0dd55a46008dbe822e961eaf759080b30319878f225f8f4ffbf1cf8073ecaab0faa55b625ace93a3cda050e2820c7581c301fdb896ac446a2773e2ecf74d9 |
C:\Users\Admin\AppData\Local\Temp\YAAu.exe
| MD5 | 897ac3ccd3c29b083c265dfbde375deb |
| SHA1 | 7997708a803f39aeaa2e24a7f4c80335b0a1bf08 |
| SHA256 | f3b8c9436f168e94048257c6b7b2beb2547e771dcfcb793e124545c717117a95 |
| SHA512 | be599a9ad7777cd8799cdb23f07d3a8bc2539ee4375bebe3459c0d0298c9127fb5c5a223cbda9cfa032da03bced56e121b7cd964e963f5702b72182fee8f5976 |
C:\Users\Admin\AppData\Local\Temp\qAgE.exe
| MD5 | c7bc384890bce6a9d4a33c4d72d7dd0c |
| SHA1 | a8258a87f33234562fd28bc670aedc4cca03e44b |
| SHA256 | 26118c670f79db4e333af1cd816e5456138e1f76f88ce01c23839e65d5505691 |
| SHA512 | 26f2b8544e6fdc108d89739684cafff864b5fbe8d118255af8e04ec6e8100cb0d3715164c932adaf67fe47e17cdf5c75083dee3029857150f298f3c190bd5f4a |
C:\Users\Admin\AppData\Local\Temp\IIwq.exe
| MD5 | 15266130c3adfc6e380512dddad93bff |
| SHA1 | 185f87ee482038707e014e9aea978b8d2d48936e |
| SHA256 | c5ab201413734e01befca7a749aa6f5a3e7e59c2966ebb356b0c307b870e8859 |
| SHA512 | 42e213952f5e0b241fe623c178e1626f80b3906f1c63d587e92663beb4ea67de2a733eed2cac003b052b2e4a303262de885b3015d654f57869b1d201d8459f0b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe
| MD5 | ae3991c8ef16e29c52fef4b0e48dc81f |
| SHA1 | 55588b3cef6940f3e2363d761b3667c1e27676eb |
| SHA256 | a8b85898a5f6c9549cbf09b74088ee30aa48ef8dc0df677f63c245aae688942e |
| SHA512 | 5d4e197f917aa1bfa9c6b9261f7fe12360a832f9b166c215b70525e0311e3468ee8731326e2fa3bee3986b45932c6147668b76d021e75207381148bbd051acff |
C:\Users\Admin\AppData\Local\Temp\OQoy.exe
| MD5 | b01329f09a69dc5efad1e58fa8bea5a7 |
| SHA1 | 960aa91284264ab0ce88f4fe6915c1ce6510764d |
| SHA256 | 89a9f576564b435ca380d97588e2ae8a1a10bf12317c81776a1f9693485907e0 |
| SHA512 | 5e8f1217c2772f697021bfadf176a99bc2fec94818b4bdb2133d2b98da606980064f08eb0210938faeb0cca05fd33a06b1af5d7041b1c5a8195c05aff5c7237e |
C:\Users\Admin\AppData\Local\Temp\CEMo.exe
C:\Users\Admin\AppData\Local\Temp\xCUsEkcg.bat
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe
C:\Users\Admin\AppData\Local\Temp\GIYy.exe
C:\Users\Admin\AppData\Local\Temp\WEcg.exe
C:\Users\Admin\AppData\Local\Temp\yoEA.exe
C:\Users\Admin\AppData\Local\Temp\ssokUUMc.bat
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
C:\Users\Admin\AppData\Local\Temp\mccA.exe
C:\Users\Admin\AppData\Local\Temp\GIwy.exe
C:\Users\Admin\AppData\Local\Temp\CYII.exe
C:\Users\Admin\AppData\Local\Temp\CgIg.exe
C:\Users\Admin\AppData\Local\Temp\KIIy.exe
C:\Users\Admin\AppData\Local\Temp\iAUe.exe
C:\Users\Admin\AppData\Local\Temp\sMkG.exe
C:\Users\Admin\AppData\Local\Temp\KUYA.exe
C:\Users\Admin\AppData\Local\Temp\gkIm.exe
C:\Users\Admin\AppData\Local\Temp\oIkC.exe
C:\Users\Admin\AppData\Local\Temp\umIkAAEc.bat
C:\Users\Admin\AppData\Local\Temp\IAge.exe
C:\Users\Admin\AppData\Local\Temp\IMwG.exe
C:\Users\Admin\AppData\Local\Temp\iKYwoYIs.bat
C:\Users\Admin\AppData\Local\Temp\sgcu.exe
memory/2996-3219-0x0000000076F20000-0x000000007703F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ykkc.exe
memory/2996-3220-0x0000000076E20000-0x0000000076F1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UUQq.exe
C:\Users\Admin\AppData\Local\Temp\zCcUIcws.bat
C:\Users\Admin\AppData\Local\Temp\EQMW.exe
C:\Users\Admin\AppData\Local\Temp\qcYg.exe
C:\Users\Admin\AppData\Local\Temp\wUAc.exe
C:\Users\Admin\AppData\Local\Temp\CgIy.exe
C:\Users\Admin\AppData\Local\Temp\IsEO.exe
C:\Users\Admin\AppData\Local\Temp\mcsg.exe
C:\Users\Admin\AppData\Local\Temp\xugkAkUI.bat
C:\Users\Admin\AppData\Local\Temp\jqIAkYos.bat
C:\Users\Admin\AppData\Local\Temp\dMEcAcwQ.bat
memory/2996-3384-0x0000000076F20000-0x000000007703F000-memory.dmp
memory/2996-3385-0x0000000076E20000-0x0000000076F1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EQUcgkUc.bat
C:\Users\Admin\AppData\Local\Temp\cucQswcE.bat
C:\Users\Admin\AppData\Local\Temp\wSMcsEgk.bat
C:\Users\Admin\AppData\Local\Temp\asQAMAkg.bat
C:\Users\Admin\AppData\Local\Temp\dOwcsMoo.bat
C:\Users\Admin\AppData\Local\Temp\DYMIkQcQ.bat
C:\Users\Admin\AppData\Local\Temp\bucoMcgc.bat