• Trojan.Multi.Accesstr.a.ok
  • "%SystemRoot%\\system32\\osk.exe"
  • "%SystemRoot%\\syswow64\\osk.exe"
• Trojan.Multi.Accesstr.a.mf
  • "%SystemRoot%\\system32\\magnify.exe"
  • "%SystemRoot%\\syswow64\\magnify.exe"
• Trojan.Multi.Accesstr.a.ds
  • "%SystemRoot%\\system32\\displayswitch.exe"
  • "%SystemRoot%\\syswow64\\displayswitch.exe"
• Trojan.Multi.Accesstr.a.ab
  • "%SystemRoot%\\system32\\atbroker.exe"
  • "%SystemRoot%\\syswow64\\atbroker.exe"
• Trojan.Multi.Accesstr.a.um
  • "%SystemRoot%\\system32\\utilman.exe"
  • "%SystemRoot%\\syswow64\\utilman.exe"
• Trojan.Multi.Accesstr.a.sh
  • "%SystemRoot%\\system32\\sethc.exe"
  • "%SystemRoot%\\syswow64\\sethc.exe"
• Trojan.Multi.Accesstr.a.ed
  • "%SystemRoot%\\system32\\easeofaccessdialog.exe"
  • "%SystemRoot%\\syswow64\\easeofaccessdialog.exe"
• Trojan.Multi.Accesstr.a.nr
  • "%SystemRoot%\\system32\\narrator.exe"
  • "%SystemRoot%\\syswow64\\narrator.exe"

After attack is detected, KES will try to restore the original files by looking for a backup of the file on the endpoint machine. However backup of these files may be missing from the affected PC, so a manual attempt might be in order. Here's the recommended way to proceed with repairing an affected system manually:

1. Run sfc /scannow 
2. If sfc command fails to repair the files, try these steps:
   1. run DISM tool by executing DISM /Online /Cleanup-Image /RestoreHealth
   2. run sfc /scannow again after DISM finishes
3. If all of the above fails to restore original files or these tools are unavailable for some reason, you can replace the files manually using the list above.