Malware Analysis Report

2024-12-07 10:20

Sample ID 241113-bzzf5stlct
Target aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
SHA256 aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

Threat Level: Known bad

The file aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (77) files with added filename extension

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 01:35

Reported

2024-11-13 01:38

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
N/A N/A C:\ProgramData\fCoYgsAI\cYsMgYQE.exe N/A
N/A N/A C:\ProgramData\PgsAckAI\yccQcgAM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EOQUsQwg.exe = "C:\\Users\\Admin\\DAMEMAUE\\EOQUsQwg.exe" C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cYsMgYQE.exe = "C:\\ProgramData\\fCoYgsAI\\cYsMgYQE.exe" C:\ProgramData\PgsAckAI\yccQcgAM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\okAoEYYo.exe = "C:\\Users\\Admin\\vyMgUock\\okAoEYYo.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IGggwcEw.exe = "C:\\ProgramData\\nawoUIkU\\IGggwcEw.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EOQUsQwg.exe = "C:\\Users\\Admin\\DAMEMAUE\\EOQUsQwg.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cYsMgYQE.exe = "C:\\ProgramData\\fCoYgsAI\\cYsMgYQE.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cYsMgYQE.exe = "C:\\ProgramData\\fCoYgsAI\\cYsMgYQE.exe" C:\ProgramData\fCoYgsAI\cYsMgYQE.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheWriteDisable.docx C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\DAMEMAUE\EOQUsQwg C:\ProgramData\PgsAckAI\yccQcgAM.exe N/A
File opened for modification C:\Windows\SysWOW64\sheResumeInitialize.wma C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheMeasureDisable.jpeg C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheOptimizeWrite.gif C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUninstallSync.docx C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnregisterMerge.bmp C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheWatchInstall.docx C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\DAMEMAUE C:\ProgramData\PgsAckAI\yccQcgAM.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe
PID 2292 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\ProgramData\fCoYgsAI\cYsMgYQE.exe
PID 2292 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
PID 2292 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 3440 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
PID 3440 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 3440 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 3440 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 3440 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 5072 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 5072 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 5072 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 392 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4860 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3868 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
PID 3516 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

"C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe"

C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe

"C:\Users\Admin\DAMEMAUE\EOQUsQwg.exe"

C:\ProgramData\fCoYgsAI\cYsMgYQE.exe

"C:\ProgramData\fCoYgsAI\cYsMgYQE.exe"

C:\ProgramData\PgsAckAI\yccQcgAM.exe

C:\ProgramData\PgsAckAI\yccQcgAM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcYYocU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCsUcEgA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQYEUAEY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGsIUUoU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYkoEoYc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIIAQcs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\focUAggw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYUEEEAg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucIUogAE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeMwksQE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\vyMgUock\okAoEYYo.exe

"C:\Users\Admin\vyMgUock\okAoEYYo.exe"

C:\ProgramData\nawoUIkU\IGggwcEw.exe

"C:\ProgramData\nawoUIkU\IGggwcEw.exe"

C:\ProgramData\eIQEQEQA\qWAsYEoc.exe

C:\ProgramData\eIQEQEQA\qWAsYEoc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4420 -ip 4420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1260 -ip 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwAAgAwA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkcsMoYM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwYMoUIo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maUYYQUg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lckkwQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 udp

Files

SHA1 758276462c727230cc3b41866ac87a80fb01ed32
SHA256 90710f0ba6990e816aa158f43b78a1a8f5f94897c6106207124da72e509c213b
SHA512 64e664f6866ed8992441d74cca975c35259a58a6273274c2b79baf9c49ed0c740e89c6788c68f5c1a3df18a8ef341d98ab18a76159fe7cfeec228452c86f919a

memory/2028-1196-0x0000000000400000-0x000000000046F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 01:35

Reported

2024-11-13 01:38

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (77) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\cAAwQEkU\fYUoksoc.exe N/A
N/A N/A C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe N/A
N/A N/A C:\ProgramData\WqQgoYIU\kUwAYgsw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DIcIkYQg.exe = "C:\\ProgramData\\ZOkYIMsM\\DIcIkYQg.exe" C:\ProgramData\WqQgoYIU\kUwAYgsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DIcIkYQg.exe = "C:\\ProgramData\\ZOkYIMsM\\DIcIkYQg.exe" C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AigIMkQc.exe = "C:\\Users\\Admin\\OWIAIcQA\\AigIMkQc.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fgkQIoUc.exe = "C:\\ProgramData\\FgggMEEw\\fgkQIoUc.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fYUoksoc.exe = "C:\\Users\\Admin\\cAAwQEkU\\fYUoksoc.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DIcIkYQg.exe = "C:\\ProgramData\\ZOkYIMsM\\DIcIkYQg.exe" C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fYUoksoc.exe = "C:\\Users\\Admin\\cAAwQEkU\\fYUoksoc.exe" C:\Users\Admin\cAAwQEkU\fYUoksoc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\cAAwQEkU C:\ProgramData\WqQgoYIU\kUwAYgsw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\cAAwQEkU\fYUoksoc C:\ProgramData\WqQgoYIU\kUwAYgsw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\cAAwQEkU\fYUoksoc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Users\Admin\cAAwQEkU\fYUoksoc.exe
PID 1628 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe
PID 1628 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
PID 1628 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 1628 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 1628 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe
PID 2868 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2612 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

"C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe"

C:\Users\Admin\cAAwQEkU\fYUoksoc.exe

"C:\Users\Admin\cAAwQEkU\fYUoksoc.exe"

C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe

"C:\ProgramData\ZOkYIMsM\DIcIkYQg.exe"

C:\ProgramData\WqQgoYIU\kUwAYgsw.exe

C:\ProgramData\WqQgoYIU\kUwAYgsw.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syMAUYgU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsgUAkQs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGckMwQU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgEAwwwU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmgcoQIc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGcEsAUo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWMwYMwA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMcIEgAo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOMAIIQA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eckcsokU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAMsoccY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuQMQMoU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYogkgoA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYckYAow.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEUcUMAE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RykckYgg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\OWIAIcQA\AigIMkQc.exe

"C:\Users\Admin\OWIAIcQA\AigIMkQc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 88

C:\ProgramData\FgggMEEw\fgkQIoUc.exe

"C:\ProgramData\FgggMEEw\fgkQIoUc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 88

C:\ProgramData\gsAEMoIo\FGYgocsg.exe

C:\ProgramData\gsAEMoIo\FGYgocsg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 116

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKAoYwEk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmEgcccE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQoAMYMo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqcQEQks.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgkEosco.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZusMscMc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKYMswIw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgYAcIcc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkcoYokQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YioEcgcw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwcQwcgo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoQwMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGMcIMYM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RooscYws.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGIMAUAI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkMookYs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOoMUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMUMEQoI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSEQIsAs.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgQEksAM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "210424574540740100-71035562160179620031328852918128232641452109412778216132"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FyMEYgIo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQEYMEoc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyAwoskE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSgQkwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqQAkIEM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsAMckcc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "824007554510331899-17402104871011416449-536244928448677737-21414160191643388998"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsQIMIAU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "865038435-1330614331517939094-1973394147-2041853898-17671758871188856944661647508"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmYgoQYw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-287895430156918594745216335-141139835619265033-759858536-1876963322139010940"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8062275844476257791790997259-1718453950123164339-809779726-1102022661-1625915255"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIMsQYAA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeoMAUQY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dCIUUEQY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYsYwIgI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUYkUMEY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuUQckcE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8913037086308454731320057118472870860-130649883512205377-303932825-2065509387"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQIUIwss.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1268320812-784268003-136003596-198395264823254058369191108814416834611471507500"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1376674157-1991686487204593274-12528376461450915188-1797768664-1210810694-168215724"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOAEEwsE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9658531131160923890573338208-1764326882-767757375-33805681414852203421662185986"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LogogYUo.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1966253435294325261741392675-477824433-751703830-1898621696-30396754-2081041036"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "610205007-8395348921885249743-12936102741271317717-1687758370144196111-2103369167"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qowcsUEc.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAIsQYkM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10084904794660838961035213682709300038-689817930104226467319456092171017236570"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAgwsgwY.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19153715321116303757-1693753756-3194786622101162995984873431-2056062476992421477"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1618689208356584637-1799307544-253762733-2029512572168587416791361307-168014609"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCMsQEQw.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7693136081375310949-204820003-613180094979791891-1365200887-1911557466-1483729125"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-423922278100623083612391640271092818737719150212-74699173-1174408847565292558"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "171320274615748107347821524631865019466-610678287-1024416081-1060156305-187463142"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgAwwgkk.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-566592364608682951-16116391851335632363-15811491291198076960742000067-120589360"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqgYUcAI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1245139163-1980779762-329340936501848733-1491730904-1380251118-1578325038-1104917837"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2133175796430104416-235820550-1598626619-13094759081987435481399229122-1353853886"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmUoskgI.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "667376920-3404032542028808971505922256-48915844919199752068974988671111177"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAIsgMYU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuQUAIgU.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "528473854-1253429812-148878897-1739976443-392507491-192033140375336744-429963241"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiQQUswE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOoMQosg.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoQAoYAM.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-604826851-1180020725497091787-1900642411363578231-2191150601475793822-1793645320"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-43486764344729589196868020113854857981739586622033265356-1728212493-1282585219"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "154161195120446188091456192384-1472089912-545813571195410634915131301-257625193"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSYIMcoE.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1664574991-572762325107063579612323872-646697906929729271-806724101-831775190"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577"

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe

C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSEwoEcA.bat" "C:\Users\Admin\AppData\Local\Temp\aec178b1c16dfb2fc848efd81674462bcd274c3fe02f84cd31d2832ab8372577.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1520900562-1748961358-1363564474-5410485689313147031469585923-934963642072826698"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1405396897-1775550800-16722203954409516541666333186537454589818262975682700031"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2145722898463559581-106765464-8050155301361689923283706070-1126914219-1235530397"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp

Files


C:\Users\Admin\AppData\Local\Temp\GIko.exe

MD5 f98e030d6b1efe0b09b5630f276ee1cb
SHA1 55497511eb23c80978a5f66565a4683a78cd0cf5
SHA256 26bb788a1db972ac5cf20e25aa7274a50d5c933848baca5cb9749cd0c89fb608
SHA512 6850efd24b11dccdf27b3333f29632034cdb74ced90da24ebba8c94013935061cadf424b16263a6ff265b9d54c2cb927f4287d68d6978229adab3929ea6bc24e

C:\Users\Admin\AppData\Local\Temp\OYUU.exe

MD5 5f3fa31f19d82383397cdda280024ab3
SHA1 16a085ae4f1c162b823a2691f570d0f28fd8b9ec
SHA256 5d210f48b6fb13ec2216b2366a610b78f0f0507ad07f32f05f2044e2951c76c2
SHA512 e033cdab2bcda812ae97d98ea9325b80861ae5535f90d3495b5e242b510ab0f0a9936ac483aee3dd182a259d5ed85b51acfcf9afb34521be96239b694cdc8184

C:\Users\Admin\AppData\Local\Temp\CEwMAAYU.bat

MD5 7027d5f60d3f08a4f545bb8292652f3f
SHA1 ffa038d689ea35fee92fb59626fa9583f98ba925
SHA256 328a979194701ad0075979d1c2de2caf5febc5922aea9c45eb46a7b07e7f7d61
SHA512 35f154eb5f49336c72a4d456be329c779ec565c698a631149a16bfef1f66d9bd48154db371a41d7cdd7fe1deba2066230c8a4b81128f6c36a5d74822e2dd7f16

C:\Users\Admin\AppData\Local\Temp\iAAW.exe

MD5 a9217bc8da84bad86b8c1e350b6547df
SHA1 de59e8b93e14153217b51b320b0d0e8ed7624f11
SHA256 551ad663836d369a60b93abc414b0ad845d8cc2e5163e0fa7f5428c4b322c81e
SHA512 c871b21f2771feb8f9c592ddcedd9e463a35532b6599cb5da19451d3de5104e08e51d1bf6f9c0e178124bff1140978a738e02ccbe13f8553939a61f16bd6bd6c

C:\Users\Admin\AppData\Local\Temp\aEwA.exe

MD5 c1946410c90a56bc3f82ce361db8ab5d
SHA1 58a4bab0e5ac12f0bcd987d99e0b930f767ccb2c
SHA256 aae2a90b943ab583f1c78bd15006ade89f3a551426ac20781b8bc4c690edada1
SHA512 2ac38cdcccd6f1fab10ebbffa65f2f7655525ac1494e7b7f7aa582cb2db3917b166d580d7d42844b2cc390746ac9d00c00beb909246fa644a53dda3f647a4eff

C:\Users\Admin\AppData\Local\Temp\IEIU.exe

MD5 db9d33939abd578a9d15affdef094ecf
SHA1 69d8187ddb47f9d8525dd9c68c9b4354a14773ce
SHA256 a1095da451466eeef4a281f5245a24bf544391c2a29e2b4c719a3213d774ee0c
SHA512 e5d2c2f22a5937962e7c75dfe37a557bf7ebf5d2c5bac2d2559a3809b6097756181f635bd9372f93828053664976d0e313188f58323a1820e335274db50a34ee

C:\Users\Admin\AppData\Local\Temp\wycA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iMsW.exe

MD5 d442ad1110237ff8a7a91ba68d93815d
SHA1 a4ab1e7d8e6601d558366cc03628d5695c2b8c81
SHA256 728cf75c8db6813c225e689a5c3bf113fa8d09511a00a6258340f5dbfe4780fc
SHA512 4b35501f0205dfaf665b35e8153b69415da37229fb3f398c7642de98eaf3b92468634c95943c00f3c91e8100a1f7469992059c8c841a0d2f421a59903d7d922e

C:\Users\Admin\AppData\Local\Temp\MEcEQAQI.bat

MD5 7087f18b6fdd24a70d405fc8de266869
SHA1 7d23473ca5e8d74934e4382b89a3599e447f686f
SHA256 1a6258631451a0451a58b82b24c4de366e9ab18a5f2b924f5dfb80f6827cb77f
SHA512 e30b5ae744abb4229846dbdf3a1a2e1cf4aefaa85a10d62b9f2858a473b8c6c403ce7929f179c1c1353a2f7ffa2b8dbfbf36611211d3512c4a00a1866d0d306a

C:\Users\Admin\AppData\Local\Temp\MsAc.exe

MD5 79efe5afe2a448f5d45258c10b99e565
SHA1 12a7425ca058765687159dcca74f600dc18235f5
SHA256 25273442b8d7d70bfbb99ae7daf9d6d2b865bda634d1ec92af35cb827b07ef24
SHA512 134a7e4446f498066c2b50dae00e37100d1b4fa3c255767d84d5fd3b60531875a188fa8fbf8618c14b8a3f18705c846ec10802402439d711a0c5fe869123b249

C:\Users\Admin\AppData\Local\Temp\uQwc.exe

MD5 25591c106296b98cd09fc4dbb33037f4
SHA1 8d9a56fd5ad3b2fda06d187f39355b4172d0b899
SHA256 0b6c64cd28ee0d556ee24c8daff6c6a5bc0ec5629ee70761d0e5d674eec2890c
SHA512 d76a86a10840769f166957bd35c86b60da32a1f586733b160b2117e51dc286bc9a8bb8eb672d9e52e6fc9784984a763d0257157b9dd92d11fb1d40afe50703df

C:\Users\Admin\AppData\Local\Temp\GIwQ.exe

MD5 a200b70e14a0ded0e2451e3d91842490
SHA1 e37b65b96c0eeefbaeb45edcda323344b9b0e6db
SHA256 aa10680e41693388861ed2ebf508271d46d2f136bcc01eefbb5bbd74468332f0
SHA512 8cc1cbc525525a8fe3867dc9407f20df2ed43daf0b8d3f49abc2540fe58899806744af27c4f235f7a50f9137f02e5fa6dc2d999963b2084191e81103456b8682

C:\Users\Admin\AppData\Local\Temp\cYEM.exe

MD5 6a827537265780d449ce6f1e2cfd0376
SHA1 f4d066136dd70086da18e9fd357ef05c5b45446a
SHA256 2b27146f0a872141df83c3b204913c9546f58feaeed18c9de695a243f074aac8
SHA512 c97e5b3427951580dc2e4490dbf8c0ebf0f2d8c27619022555cee82b120d0625758bd9c21e59f4b1cb87f49530d8aacce68c841f1efcdf8bdd6d0435fabb5ac6

C:\Users\Admin\AppData\Local\Temp\eIEU.exe

MD5 ed09eb8d960a193fa6a30cd0461352fa
SHA1 f2738db4990be54552494847898d73effbf6e91d
SHA256 f0ea2d13b94c898a6c321cb3e8610e5be8c8c167dcefb654fcf25f6438bea797
SHA512 16f807caca426180eb5ebba0e6b95f5047473a117daceeb9765feff31c2b76a528eb61dc718f21036f01387b2623196102d3adbd68ecdc9d65b6c7abcc362b93

C:\Users\Admin\AppData\Local\Temp\akQK.exe

MD5 2b6633bd63c503f8a516110ad528c0f9
SHA1 5f992937069fa8d45c467a52e6a66e9b05bba58b
SHA256 40da5ffab0dc771a34dc2d3b7ba33b79fa8ec258cb66d0219b9343eb76215e74
SHA512 20db6dbb15b8f6480dd4392c61b0ff5b1abf2351452c1ed31b624db6df17862ee7e5c6c820b8cb05862d3ac5ae6676ac74925a3a9514e311966d882cc2b2ad6f

C:\Users\Admin\AppData\Local\Temp\ysAM.exe

MD5 eb363e41f8aa89c88b2bfeeae7501241
SHA1 3009161688eb0a47e25d8b1f3877d3e3f25be272
SHA256 74f2c34512ac77c9c9d534e1f66f00b6e5a60c9708c1588f742983e9b350135d
SHA512 a263e994afcbc0b4d9c30d1e34ca6273360cb6f7510ced3318d189eb4a2114be3f62cdd8817c89471bfe3c5b7542d4cb14cdd1fde5bf1d7097f76421152f9e8e

C:\Users\Admin\AppData\Local\Temp\wmcgYokI.bat

MD5 ec4271912131a617928c110d80442585
SHA1 feab98f9dd8b6502df834d86025d75a020241223
SHA256 7b0483725108fb7697a7238b3b66ec40d80705812ef9cf92f87fca2bee5c854d
SHA512 d1b927fda00666b969cce1b56eeec982e7256ac1a413d2f61d078d4c4474607a82d906a572a4133c8859ecec4082d1ffd98fa4f4ad9e543cbdfa9b3078788372

C:\Users\Admin\AppData\Local\Temp\KwcM.exe

MD5 80b5b11eba6c69eebad5dda0e235d5dc
SHA1 019da3428a82543321768fc38f12e9151783c7de
SHA256 4f22f2819daa6019a7c7c6dbab0efeb4c51200d96c2ba03aacfa244d88d16591
SHA512 de12822bd4bb0573cbedf1f59a4d2b615ab039c5d2b3bfa5718ff25b77d33b716388cd5c0423e0c6767d2c108642a2ffa8de8bf5526271a3d433bb3e25737730

C:\Users\Admin\AppData\Local\Temp\iUoI.exe

MD5 fbdb0be8892010cc9bb7dc970ef1478e
SHA1 3126e152d453cdb73a41f0f17f1dc0765531de1b
SHA256 c605efc74f6e088564c327a46b4867f2e4d734b41646df496cbf222c00723418
SHA512 e5bf0e08e169bc161b9c6f82ca60609af37b29b18cad8ce3db6671fc8c2616760cdf07dea0cb48bd1eb227f72b3470aeb74c5f699a1d6700f1e2291a3665c3d8

C:\Users\Admin\AppData\Local\Temp\WMMk.exe

MD5 660390a81e5b0110444191b21375c5a6
SHA1 a99b0f6f6e2293a742a24b368d711e1af54b185e
SHA256 0a61e5dcf4b39d42a254392876eea625ff0b4b9d61e03b72f95531350506e59b
SHA512 c75672267928bd68879168c1c4605617c480eb970dbc1db56c9fe5b4b8b74cda297b21d1500823902b8e75c71065f39463668e1789b941e311611c3c02caba0b

C:\Users\Admin\AppData\Local\Temp\IgkK.exe

MD5 8a93f498a90f28b9e727b9b40e9cc09f
SHA1 92e6080baec6ea4db0d4dcf267474ee7e7fe9678
SHA256 832b6cee5d57753e48edd0bbdaac7fd0f8267a072f49107f2def2668d8a57784
SHA512 2b5a3f8823b957d0ec29670090ab7ebd66211df0a2361798f1c68576f452381b932d6303a9efc237bf5f07ea0d862c0476fe576d6d682b52cf8b18ebfaf5329f

C:\Users\Admin\AppData\Local\Temp\EEge.exe

MD5 ecf4abbba7c72a4156c3dc1a0a699545
SHA1 fd9a12e69cb80999777284698ea182010d931ac6
SHA256 72149d364e0f4bc51152f5f9b41ec9aaca12d575aae82b75a1acd2188e17d46b
SHA512 ac61064a1553f0e82d673840b62c3deded0b596663a021e619f6427bd1be68e391e1952bfdfbc74d86b642155974ded819bea7b367e23feeebeff1f748b85fb0

C:\Users\Admin\AppData\Local\Temp\iUgQ.exe

MD5 4561b6c24f4f1b6cc7b435958452b9c7
SHA1 6e7c0c8116c09fea28aa3e39b010007dd6b5c63b
SHA256 41d90e25d4bde96e7244aa5e352d51debe47bb87f70e7c05e36dcb3128d54bac
SHA512 8217fcc8f3aea2d04d6d72c3f4ec673aee3cf0651c1eaa2ceced918ab71aa588bc1ec802c4d7250796e2943a9178361924a8ee9709b5dfd4722af7c6aef54efa

C:\Users\Admin\AppData\Local\Temp\EIwc.exe

MD5 0717903d94bda9d0059b78db44e3ac4d
SHA1 c25d596355d0f51cfad6362e1ed11b31e660980d
SHA256 ef18666231b07146d41c78da5bd631bededd0ed8557c5af9e799a4dafb9fa991
SHA512 f0e38ed78ce59810d9b2a454cec6c4fd219a80d6f6c3c1550e63b4cb6f57967f9e2546b92d8af1a936231963f7ee539531633593a448d1669738afe297d423c1

C:\Users\Admin\AppData\Local\Temp\egMS.exe

MD5 55c21abb4f5a50b35b5fb79b842729ba
SHA1 ad9bc71872ee24fe6f1baf5151f2bfe3ce18397b
SHA256 be2bf459ca5d923a6cf6ef8c2c1a8f9bcab25c67d5a7cb2f4e98bec8fb679196
SHA512 65ac48269fa8070731dc11778638cba7ab06a11a52d5a0e76936228660d04d0860bd42aa9eec4f0f1d3dacee1bffc27c9973875915dd7699b028bff03e6b3b82

C:\Users\Admin\AppData\Local\Temp\OoQU.exe

MD5 4090a02b7ed1dfa8db10e7cef85e6fc6
SHA1 731aa252542715b54c136660619987debaf2af15
SHA256 c1aceccb153436693bb839778ecb6679a4ebbd23aedc7250fa539080c7583c12
SHA512 0ed34a8eb115238b1a499d27356f4e4f2b635c4229c64a5d312407dbd7a86dfb8e93585620b4fe1e496a5773c4a7ecc98183eb96d1e90b20a97c295b723ae10f

C:\Users\Admin\AppData\Local\Temp\AggogkEg.bat

MD5 a4a012208f90bc50a11e9a453c947fe1
SHA1 a966fc8a49e160d23872328651e07dc9f40f3ed3
SHA256 40fa6dec924caaa8840ff2a7da9594f7641947a7d03f7820ca5abf0bcbc4ae76
SHA512 e609096cc603759e9a328ecb62b5621f5d5d39b182d292ecd6db99c0ffa871afc3e792cbae6198deeed32e4d9709ec277de1a93f888e49c3b1a5e3f08d7e144f

C:\Users\Admin\AppData\Local\Temp\mIAU.exe

MD5 e38670e66a26af3a7b2b12080cbe8300
SHA1 ac4ed6f6af5e6b80fd8a2bd3d981bc68a7b97c19
SHA256 b57ad2b029a01e97c73eccd03dc6390fa334092e2de014d2c32e65d510f3df5b
SHA512 81f189d877b61d5c7f9304b9db5affde23e0d2a353f40c1bbda5dc738c40caa9ada534e155f140cfe247eb048f08bc938277c7af4e577c0ecc0966eafc935226

C:\Users\Admin\AppData\Local\Temp\oAkY.exe

MD5 947f96e929aa0fe4447ff122b1dcef46
SHA1 70d014a1b86b4237252dfea63768d6d99e8684a4
SHA256 6321ac1407317508c847ceb5b7cb3c18c80596bdd030b5c9c3df042884711a1c
SHA512 01c498238b8bae5eed1145938a66a74b32535d3ab918c37483cf4141445604d7ac780c41f1570be204063405038c13b7d918dfce16e6a2f5e22fc3fce67b4d6b

C:\Users\Admin\AppData\Local\Temp\UoIU.exe

MD5 649b379b4b7bfdac10e95fa8ef1daba3
SHA1 6da0c37c8f7117cd94ae31cb5666d5c6d10f0943
SHA256 db44e3fb05302f5f0c11f369fae789304adee49bcd4bb687aad821fc38b7a181
SHA512 2285a02013dbf16ee9425de739bcd5ea2f601db0426044c13ef931cf0f0caefdfb621bb68a8a06240f6f7e6c7d2746d67f55bd2e3acd89342b4113e060d891ee

C:\Users\Admin\AppData\Local\Temp\AkQg.exe

MD5 9469fdfd34049ebddc0029f3666d7472
SHA1 3be31d5cdfed099fa76b28d50f7b9c79c74bf29f
SHA256 3a80a50568b379a47dd233816dfa7e5130572817bc81972441ebb18a616c974b
SHA512 765026dc8685951d40cf0557f02655dca38d11006e7adc980502a6137045fa0d67663e5236c57fb0a5a2893b8e5c0f017ef07b23976afb430a021b7e93869ff8

C:\Users\Admin\AppData\Local\Temp\uQwk.exe

MD5 7ecaee6b398a9f82386c82cb8e95e1a3
SHA1 2c26dccbed0880972b02323be6510b6a46105f7e
SHA256 74834f3712c8d54304f32faabc653e8628c7b9d50e388643be2bf3665f0ea5ee
SHA512 dd9f8a56d52dedcbc136d551d6bc86f209fa0a7409dddfcb1f784f68681b3a95d3ce6be83a8524b8e58d4ec19e08c606266681ee26814beb4ea779193db63fc4

C:\Users\Admin\AppData\Local\Temp\pGAIMYUc.bat

MD5 95eb353f94fcb974b01d5cce15b0ff56
SHA1 9e8081c8abdce249238c6cf960bb6ea5e41e15d2
SHA256 bba10eec4c8869fba1778fc5d379d09aa5dba5472a3c7f7ede304cda6cbed128
SHA512 2445597461373ec7de7203f1f4514d4b938b539025e81982f740dfd22e18e4ab5af3c6d1f74cca79530fb8273bc9dbca7c172ea511fb90dee1910b5922a1eb4d

C:\Users\Admin\AppData\Roaming\InvokeUse.pdf.exe

MD5 55cd61ef61da4d386259699ffbd327b1
SHA1 dece4e0e9441a9718a1e7e077539ba1ea73050a0
SHA256 4e131e0b3096235b7322d80250abd821a29315ef0d59b9c57654206b54a679e6
SHA512 717f2cc7e6d9145fb63404a8749f97a87d0d4905a78faa573f617dce71078747f1480a432e27a2f7a25e3482b9844219f794c47effbbbfd01a4035d0beecbb41

C:\Users\Admin\AppData\Local\Temp\sQYe.exe

MD5 673bc0dadd2a6eee6cfad404a89c49b7
SHA1 5de4e319b08236a0e5d55bae4f61ff1cc411497a
SHA256 7acf73c8ca87c34c232c5bcbd08ea2a76ddb54b8a5509d0720164d6d4fd78f8a
SHA512 07d96d745ea46f7df8155561fa0352dc7d59076abbb6cde94811b4ca48d282efa91e59540f2b810890d2d39cf7336183bffdfee168e24944d5fdff0540a966f9

C:\Users\Admin\AppData\Local\Temp\YEku.exe

MD5 e2d91bee59644c8d125af91167835025
SHA1 83c802c2fbcbd2f82ae480b6bf427fea5274822a
SHA256 340205007359d22852d0c8947d549b632d3b23722865f0970e74894bc445793f
SHA512 59747ba337673fefa8d2c337757287ffa515f2331bd74c037a66fa35761762dd97439c4a445a92c5d74ce77dd16583739268f63a4b10a6bc8c602e17c75dd2a8

C:\Users\Admin\AppData\Local\Temp\NsgcIUko.bat

MD5 02a5c6ebd9f7974bf7a25a9840e77a60
SHA1 fa6ae670686d6633fdb801de609848c1fb4ee1e9
SHA256 4075802806d5b877017aeaa34a932b563ec530e308e37e1a0c7e67fb59dd214a
SHA512 7a350e8ccba3720e34e372df3e245355ec7ccfb1fdb633144aaaf05d0f9f605986d9fe3b7cb645c80eeb4d9312539fd9a6c5acd4b110e7264de487dc3462fa9f

C:\Users\Admin\AppData\Local\Temp\WIMY.exe

MD5 fadbdaa232cfb15b6ad63b8a4588b8aa
SHA1 fc5da1657938f569123f7e42d07cf1f61c62a3ab
SHA256 b27e97be2e2167481eb5b8f95234ffb22adc39e0dc0072e998a7f2292844d481
SHA512 3d8a0cb6ce85408010a9eae832e187f3a0ca0d5b4995486805bf3cea0fdce634f874228a464ff4518f76c86b133ec5511ed33dd81465922f4771dbde2e04a36f

C:\Users\Admin\AppData\Local\Temp\qQsY.exe

MD5 7daee096cb45ff46bd973005b43ae6ff
SHA1 26fa8abe7c16fb5d59096aa1ed284ed819404946
SHA256 2d71f83c3b7b8d6f5fd9054cbc97f1a03902bf7101731a5b2834084ad885cf7d
SHA512 5a7a9e1c2b07366f527c11ea912b404e816fa360deb7fa45435999c342c38a4ae7e62f73d28028693c78ff613fcdcbc44c6cfc80205f7ea9ac0dce9a60585411

C:\Users\Admin\AppData\Local\Temp\owsi.exe

MD5 a48eebbf7764b8757427eed886ca64c0
SHA1 7896849655e3a79bf9276378c0eb36af5ee4bebb
SHA256 0e083a0b71956552ccbe1314fea675f9e16ee548ea52dba57c165f4090c1ac49
SHA512 e3c8d7b302e99a71bb65a3b0fa2d770a35ad9ae0323b26e6d86fcae824cdb14549babb1e24da5d6a0c4dbed6e82235d7899ce616f5e9ebe90838f3c1fe5b5984

C:\Users\Admin\AppData\Local\Temp\GYEC.exe

MD5 3249353c34764e8a409b15f9c5405daf
SHA1 4ecbb6962021a68c0b099104fd5d7d2d894ec304
SHA256 c322be791926315d141545a8be066adb7d70ceb3ecd6d2c5664c5bd90132188c
SHA512 f224f5ada107f3dd7bc80f99e05b5936444e9c20ddf02862e4caecdcb61063edbe3b122f09452662ea0079432a1c23b6aca9ded95c8d45a894ed565a5b9f4c50

C:\Users\Admin\Desktop\StepInvoke.docx.exe

MD5 a5328c90ce9ba471c3807f4117bc333f
SHA1 2feb4678d237ed26b1d292543cc48ed9a2c9c66f
SHA256 068e667f105a25be1ddd7e1f05a600610395fa877303871ba27ae700c6d88bb7
SHA512 6a18d4c2eb235efb542ac3a8184fdf8f33a68bc0ad98c1a62ab7771477f224e040a4b2cd0be2a621e57f5a25b7059f2b2784a82b4cd2e9de5a413b195e07da9a

C:\Users\Admin\AppData\Local\Temp\Oaso.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\ggUm.exe

MD5 988e381ac719cc6369b418bfc81296ee
SHA1 b59acbe6aa1e43777bdb9122c4e45adee0bcfec7
SHA256 d6f3f94374500ca2718a9c10ac444af07640dd32ace05f80dda1df29356e6cbe
SHA512 7438e42ea3259f2151c1556f28b85bb1b6827ba586a2465ba88562c18765b676057358b6267d57b790fa1f43e1de152b94031d0fad85f77f171622805a3a2dcf

C:\Users\Admin\AppData\Local\Temp\vEIMkoco.bat

MD5 665fe9686b3daa9d0db64e9bf5eb8f32
SHA1 29fb7c248aaf18d21b5308f8a50ad3360833e155
SHA256 b19a2eb0e434affc440513671ae92aa424a544d53a4b9fdf6fa85f1d08cc136f
SHA512 6ba5beea56aceb41e11a6f0acee0bdcea8664d6d1d0b7d16ecbf8f8b95d896c537d9254853e9103c944721f9107d671743c37e86e9c4384a0b7e290c630cb8f5

C:\Users\Admin\AppData\Local\Temp\iUcg.exe

MD5 c35b14115cdd53eb00e22764e443df13
SHA1 64a31130fe7a8e7e5f2548a7ba0aa30c9ad96929
SHA256 3e512ee6f1620f63d3d39b1a499ee52efdbffd5f9953e716163a82578e2d8472
SHA512 86ea29c33bee0db7579eb7ba0ddca1d4acd6f6e6dba37fe2cbcd2e5c32e9ed1f4b2d115f37e3f6a5a0086d02287d1fd711aad96773873867ff3246d264a66dfb

C:\Users\Admin\AppData\Local\Temp\ywok.exe

MD5 b08e3383c94d06ce789fd841cf7d68a6
SHA1 74f15c483bde86dff6d5718337a141dfe0fb5047
SHA256 cc69396ab92c3482fe44a7ebd0846dbc7ec5bb6406351b84626e9b0848e6d7e8
SHA512 2d8e587623009744d654fa9284b0ec906fa196e648f3944b809995ef86f6b0521b3344a33a490b84ffc7f534b63d534835dd52a384f2a8993470a5d48d23ebff

C:\Users\Admin\AppData\Local\Temp\UmAY.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\QQsw.exe

MD5 df739cf364826efdc39cb92960e784f7
SHA1 aac5c8b843d77d138c2ef9d2c46f942d4e430a4a
SHA256 a45541f437ac68a05f40ec952e141f0d565abd74cc41975c96571f2c8a78065e
SHA512 44880db98f596950cf700832d41091c1a8c27ec082b94719c9501df36a69f1539fbd2822f249ab46e20bf8367eb18ce6a6610ee03b82b18eb7aaf7bcb6f8cb9e

C:\Users\Admin\AppData\Local\Temp\eksM.exe

MD5 462cb7638900101394c34f91713c2924
SHA1 0e53ac059e540a19a3508cd85fdca8bd5771d25e
SHA256 31ed89c58baff34fe199fa5a11eac36e62dbef20b133ca2fa3a1314149431662
SHA512 6438de1e61f777d504765524561338d466d37efeebb5b96812b9a7faaadc8073802d1fda58130fe3d7755957c80400f808ad150b92cd8189baca8945ee89cc23

C:\Users\Admin\AppData\Local\Temp\sQgW.exe

MD5 b7fb1010910da35e167b26ff393f816b
SHA1 32668f002b5033518e58d62630878d5c080d78b8
SHA256 9d6d07a6f807d408f1550f2dda18b82761d8479934013279bad24118d06a6b66
SHA512 66d52e62284b08a6c17caadd6341ccf142a930de8209b9a5273c5e7aa00d0b0d3fc2e89e1bd07164be818916c040b3431df785800347c752da4bcc0b7d19cfac

C:\Users\Admin\AppData\Local\Temp\QAYE.exe

MD5 d8ccb0738f3349a0b186af8b360ed828
SHA1 e3dba17e2c6b14d5ed450eb7d09e8f83ab6a9427
SHA256 762f29897c54a58b26faf6d3ef4be8301da27a34a1fcca2db26de9655d1b1ff7
SHA512 e08e4fd2aff67f92c308087a0802abffa2160884af4c0e0e5eda37c1ebd8eba7a161aaa9dfdaca4b2c498fd17a239ef04b4ee03b58d387f25baac0cf4c364485

C:\Users\Admin\AppData\Local\Temp\Ugce.exe

MD5 373f0078658e4be863fcadd2c3c3cb35
SHA1 fe5f4c3e7a1835aaa21ce8924f0ca12e6489d772
SHA256 11ccf72f9ef191cfbd0d4fc6b54088f31c570300ef50762696ab29024a055c0d
SHA512 6be4de0988100d94d1eb7f10d3591fd7ce67bba5f6643939a6dd8d96ad1572ff74756f7dfaf403250c5e06a10ec9414dad02da1a43d51e02cf49de75f9fee674

C:\Users\Admin\AppData\Local\Temp\gUws.exe

MD5 9d5edfa95386f4a535a998e041128f86
SHA1 37e24fbc6c16c560e3eb0503af836385e63ff770
SHA256 0c11095539105fefac7bab9f01281a013913b6cba7e810af4f5dfa1ca4f9304b
SHA512 baeaaf431d2c740233e920082226ddd7f9bca7eac35bc2e95738faf36a7d4da4f8128d0b9115dd5d87283e9e8516c28aa666f600744fd7aa344f0aa6a488ed81

C:\Users\Admin\AppData\Local\Temp\vYAscwcc.bat

MD5 6b040326c344371ae4041521742df79a
SHA1 052561eabe09de8b63c76b22217ed579801b7a13
SHA256 ef3b091dc9919fccd649a2d75c0d043c0264e9482d4d0819394eebd37004c702
SHA512 f71f1d2e0d67dac6704ba2beebd4f84e4bf9522f12184872b2df5941fb3421d9d7c6031d7e6146cc99825f4a2b99338660bb60299e38104cbfd470274a376504

C:\Users\Admin\AppData\Local\Temp\Gksc.exe

MD5 637594ac35c505a301c83675c4aaed77
SHA1 d2691739b3d9bda0f76cdd9b44d7d0ad1b330ce6
SHA256 91139fbcd06e3c9ea54bf735a259a22a46c0010cb13486b17ed52257e171761b
SHA512 bca5a7627cfb4352e2ecf43dff48f34f29d350efc04580d9bc6518b1f88900833ac8c9875c464ded3f9cb225f46da7524f96f8bfdc384a64f4d0a60d460646bb

C:\Users\Admin\AppData\Local\Temp\cYcA.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\MUYa.exe

MD5 8b01888c22e8b8093c8437c813aba494
SHA1 d31ce5542052a9bdf15919c0b5604880c9becca7
SHA256 4fbd98c2da5f92cd95837d8dc3b64879f7a1d39447241941e326f4b3ab1d9efa
SHA512 c040c41d9a020aef78942ff0ec8a5d5eea5f49c8cac15556dff1b0c10e4bcf63d70eea310a0a39a768c2c989a5d65955ffadb13a229abbe45de12305a989e6aa

C:\Users\Admin\AppData\Local\Temp\yUIS.exe

MD5 1e7fa0e1d2bb00aa3be07849c496218c
SHA1 d9d700b1ba1139eebe9f3825975d6f935262a527
SHA256 d9f23f0830aff2d1e8f66fbce930ae8515568ab53e7d2d44736c1f95983f125c
SHA512 4e61466ade4cc482ec46b02e4c189b69384ca4c1bde6de98e4bc16c02f73beaccec282058d734f72c388ac99bb682c8d002d79adda3ef89015d03a2f22a8a831

C:\Users\Admin\Downloads\FindMerge.zip.exe

MD5 d5c69f727e65f7b467f10d3c66495e84
SHA1 f1497120eaf7138edf974ccd96ab6a5808052a8c
SHA256 58fea97de31d0ac7e32a08c3187ffbbe7a48a2a2c6eb80f2aca46a295f42be35
SHA512 7bb9f0c85a2337e9ba2e56bcd498572e655fbccb286464ac3e7d67f347288839882fb63dcdf0d93e196c64b3b455c95821503270381c9b78901a6fda3de5d054

C:\Users\Admin\AppData\Local\Temp\ocIk.exe

MD5 d322bffdbfbec436fa6ab3ec4aa8425b
SHA1 9ff3608971824886d806363f5f634e31f45e8526
SHA256 c6cbba88135dfcd9ba717e3e5a8a09d7e8efcf41c9fcefcf829fc631c6c477ad
SHA512 e0cc6560967fa99f18fee28b6e55df08e86fd43349039d63c53b4273f188ed09055b067db198a3d01eb20cc7320a44fe42cb38c6dc7a37decd715618418d55e2

C:\Users\Admin\AppData\Local\Temp\QMcgIwUY.bat

MD5 2abed7255a3f1bf1349c447dcb704e22
SHA1 f771ddf8f7f6f1ef69bd7c169917b2ee879c37f6
SHA256 aae56dcf9f33ae451022b26ce0e2d591072c5851adda45f2fdb07a67422bf9b8
SHA512 207f16b1ffc841900be5bd845732574e19022b27fdba0685cc67493239144db826171126cf6f40762df2387ee427db587f695ffd558236051851663b5d94bf29

C:\Users\Admin\AppData\Local\Temp\skUk.exe

MD5 c63bad214f8e9f9ce10ce3cde8082168
SHA1 35d83f3642318726ab6d3326dce7dadb43650ab1
SHA256 6dfa6ecf6395af17dec40563b0d62b83e81a626bc6ce86b0da4f3a4db6121478
SHA512 af070534d2c43ec1f62d9126e3e47725ca71a1710243ce9b91307c572ae462b2c8c72244431763699bddc17d6946135ed69cbc6a4047cd86699b3b13c7414082

C:\Users\Admin\AppData\Local\Temp\UogA.exe

MD5 92642a2a2bb4149e212c6d4fde267200
SHA1 7ac59c70851feb9a0066681c05f68419dc7cee96
SHA256 e9627bdb826dc0f55ea7ab0e78fbfaf24e80b0d936cb5a9011fd9e7eca7b5443
SHA512 a4ac5612ecd75b4fb0d38a14a157b3c1c56d49040eaf2d3ce6b008ed68623d0f1feefadd707be2e53c61d5954c1d84e2a0dc54803d314908f4b7ed6564e0ac00

C:\Users\Admin\AppData\Local\Temp\EwUk.exe

MD5 62a78d5d3a36cf67a58087718f3b86c7
SHA1 41f4745fcab5dd68e5a9df351c60915f04337b52
SHA256 0b330e124bda687a00d77b1b1efa7e0d495ee1ba742ae2985ed5e74790014bf1
SHA512 8f46396552ddf924c0485ce24b838d348ebd01381d6717d440166530caacc1d8c22be52419ac8fbad9988a994c1d58b94c4788a9ce8f789ee1222d1d77673e1b

C:\Users\Admin\AppData\Local\Temp\WQYI.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

C:\Users\Admin\AppData\Local\Temp\SYcM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\AMga.exe

MD5 0e7d1f3d50bf5157f5773d4b96ade78f
SHA1 3ca93bb194b77e52f10be3b5d78bbe92a6768f1d
SHA256 002c510f64358d96e33f012b90458e552257ef8b1fc57758fcd2601748f6f470
SHA512 3a692b736bde126d0b763eff12adc60c3d0a20c98f9bb26707b0f5d8e38e5b3363b48f5189297d06ca96573b6cc9e7b2ed097bea181c9e2c5f4868527ff0e269

C:\Users\Admin\AppData\Local\Temp\IkIK.exe

MD5 8a2f1bdda6cec2f56b6d7ca63249bad2
SHA1 d97c72129925d71adf665a88caad1d6fd82a77cd
SHA256 08d547686924eb399b23e746ab6ea36846b484cfc1e775cc38f1ec05a30fa300
SHA512 44e47a5349c7a097c618f86081831673f84b81b0b5699559a62429ba80be47116511e2b81d4a3991e4bd9abdc6149c8977b82fbbbfa126746891e094d9db1289

C:\Users\Admin\AppData\Local\Temp\EwMk.exe

MD5 ac3d079aa22dcac19ff595cc065e0600
SHA1 9be5302e18644ff1beb35a7034d2a0e06fc56926
SHA256 a75975f7616f9e87d68608c1a4114955641b178bb3b13b232968d69a439903a5
SHA512 d460760f5010dcf5844a55994a05eb006e4f5b0854ecdfb978a09f0d4694513a66ca51425a55477f1ef85d6de3b5f7b3300f06795f1b7a2b143a98ca7d707fd6

C:\Users\Admin\AppData\Local\Temp\mYIS.exe

MD5 2b549a64c2411a514e7dec38006dd316
SHA1 4a2e63a4d85619bd4c878a2216fb15270ef49822
SHA256 54019245f5897bab2f6b9e8ccd3380822e28e15decda8182513151c2c18896d5
SHA512 af71de0543aa5dd0049901c89fb89ac4773f0ecf789bf5e2017ec466626903d3f1a21e9aabd6c3638277a5888ece03ef2908e86183deacedf78ab72702f8cbd4

C:\Users\Admin\AppData\Local\Temp\WgoIEAgc.bat

MD5 fa74f8e5a7b7f3b3eaa5664ceaf3f8cb
SHA1 7453c0285cf7d8862f5dca2a4c7f5c470c323837
SHA256 634c047b9b841a1ba6469cbd78f47a71e8e5006e8a1f1720286d6cd0db128244
SHA512 7fe88445cfed27ab5873411794929da97f007d8910858b36b772aa21f4d71da646a1cbbde80a30e0dfbeb3e30b4516eaa96629fd1fdce2fec87da599cf2198bb

C:\Users\Admin\AppData\Local\Temp\qEky.exe

MD5 f5ef96f238bbe6b9193843fcc62ab125
SHA1 bfb7f0ea80a5d6867b4651d14407264d9d0d953b
SHA256 0bbd62c4842842b564413d08fd55aef7780a1d0762e3f85740265731c4e6cfa7
SHA512 0737bee41bbaf8733740f14c87c85e3a9bf62e5ef3f541afad231f2e87d663a5a239e78f3f1c832465885943b3c7c6ddb2363796e22db78c12fab43e3b52dab7

C:\Users\Admin\AppData\Local\Temp\uIIy.exe

MD5 ad4e1cfa87227481f457eb3ab63dbaf6
SHA1 0adfea87dcbff3f3bacdfd8dc3c32cd39cbffa8d
SHA256 238e60b16e1decef94ba08cc35212526ead64f7132da5e811dfb7777934db11b
SHA512 52d4ce4a3fc08b9cb56a85937af4d45719ea80295e01a5cd0c265a740b1f4aab8b6016dadadaab7b14d3d1554fce5d258ec9621c325f129794b45fed6ac9d6b2

C:\Users\Admin\AppData\Local\Temp\YAMC.exe

MD5 fa3a6a5e6117c1eef28ae3a4180c78d0
SHA1 dc315d6dbacbdc93f288f51f92c00c6efa4ba522
SHA256 6596af8cc3291502094dfc2ab2d65c854a54d98c846106de383e26dc7917e1f2
SHA512 e01c7ec84dd56eb824b86700ab9bb32bb1251154716cba3caf8064fb690596a9f40502478506c832ec0257fd95d57b826a9e490a4480ebbcf2f2c1fbc5f45641

C:\Users\Admin\AppData\Local\Temp\GmIc.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\KAgw.exe

MD5 865c8a8f59277a0710b4f22040ea3393
SHA1 480a8333b6e1611c606bffebe913a0f7473c91ea
SHA256 d634654508c97c82ae1fd65eb35c3952f25234bb12d19b211d686befecd1bbb4
SHA512 666f2a7c21228f0dd00d8a7a0f284b52af498f98fae5f8770ab1884eb167f9073e48a8f31aa628b785b43e577924b088cc194ac6445e42a6d94b2bdac4aa65a2

C:\Users\Admin\AppData\Local\Temp\asII.exe

MD5 e62a4772b20c7047267c2d01d695bac2
SHA1 ab73fd67c888a63f989550cfa4da3e52f4331855
SHA256 cdea27152dea47a44671113042f1c800fbdc29909d478d6c479c5b3f48987b49
SHA512 3231e964f1f20205d1dfded3b43bb1dbae713d2b79ce523d98c7de62fb001136e44a4fd3d0751bdea7bb533fbf278897f7d633d263575788484527e8ee011d02

C:\Users\Admin\AppData\Local\Temp\WssU.exe

MD5 1f76c847e27270d63914825954f197ba
SHA1 8a77f81671ec2b882ea69f046a4229d8dead7c97
SHA256 0389597e1d2fb3fbf93e70c60b28c30ee18cb6fcc56c1e99298ba5f69e7c16ce
SHA512 8399ccfc8054532ef691586d5fda19470c22cc42cde0ba0b3a58b6d63f62ad18a8e5a9cd3c6b68c38206ed319a0e3b7de8ea21bcc5d4a1c6e2fc7e1cde560bb8

C:\Users\Admin\AppData\Local\Temp\Acgy.exe

MD5 c77044235fb7712fd8700e6ed2fb76fe
SHA1 452c155fe75c1e9cfb7aa0b89414e12f50e36f0f
SHA256 e9063ea5f0c8fa34bf6c8512badc7c4205e9032177db63a1c922959c8ec50cec
SHA512 48370714cafe393443e6cf14885afbad7e19fa0955682d5a98c20224d31f74fe3ee68ba54619f88d4d3be7f87dadee5d5b25b7472f1d0e102876408c609b905c

C:\Users\Admin\AppData\Local\Temp\iEoo.exe

MD5 890ec2d3e502ab97c4fef8abca314d19
SHA1 1c6ce073136c4cccb6745fd7b65da902f589353c
SHA256 9051fba81e20249b1b7b0489668feae636d1c77f55a808c1a1bec2e554ec9748
SHA512 e3e640aa784f493c05f16949ba0c6cb45b8f8176d4c02e56f898a643cfce65bbfab79a144d85233d1e0cb7b9784238a5fe156b955a846a1b28f550e6ad020702

C:\Users\Admin\AppData\Local\Temp\IGIQkUok.bat

MD5 a953c6b18f4bfdc0431dcee07ec452ca
SHA1 01a95f26815b3a61b7c5b25d3458b707c320ef1a
SHA256 3579f4dab7e0be45e0259fc36c896857bb91ae6137c74dba7c4679ed68778137
SHA512 207c22a8b4d63750933b5650d0e8a260569ef398ca052cb52334454eba4d452f89b517ec72813258e10d22c7c650f6eb2838814e94eeb13b3c0d25e4a7ab9137

C:\Users\Admin\AppData\Local\Temp\GUkg.exe

MD5 4e2cdb96312165f35a882267ceecccce
SHA1 8064e02b214012253ec4285ed44c5be8271d0c5f
SHA256 fee6c4028b6ecdb1b10c20db0699a91330f8401a977cde7c8bff6116f86913d1
SHA512 aaf8fe86698c81f155d2a2be2e68309891f5ef25f9dddc75deb9b8d32828a32872ad0938978821c287abdf61697c83d43245b3d39f96129346be690156b9bc89
