Malware Analysis Report

2025-08-10 22:51

Sample ID 240107-x2s8ssdcb3
Target a4ac9a267d30bbd90e7305ecd29ed4e7.exe
SHA256 2574e9a742b102417c4e2afe4ea95e8e8e2115b64c1bb0e8b230e127a757f6e4
Tags
persistence evasion trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2574e9a742b102417c4e2afe4ea95e8e8e2115b64c1bb0e8b230e127a757f6e4

Threat Level: Known bad

The file a4ac9a267d30bbd90e7305ecd29ed4e7.exe was found to be: Known bad.

Malicious Activity Summary

persistence evasion trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry key

System policy modification

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:24

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe N/A
N/A N/A C:\ProgramData\waoYUQws\rgQoYAEU.exe N/A
N/A N/A C:\ProgramData\ZcAsYkkY\puIwwoYU.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgQoYAEU.exe = "C:\\ProgramData\\waoYUQws\\rgQoYAEU.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hEIoIMIU.exe = "C:\\Users\\Admin\\EiYAQYEc\\hEIoIMIU.exe" C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgQoYAEU.exe = "C:\\ProgramData\\waoYUQws\\rgQoYAEU.exe" C:\ProgramData\waoYUQws\rgQoYAEU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgQoYAEU.exe = "C:\\ProgramData\\waoYUQws\\rgQoYAEU.exe" C:\ProgramData\ZcAsYkkY\puIwwoYU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hEIoIMIU.exe = "C:\\Users\\Admin\\EiYAQYEc\\hEIoIMIU.exe" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\EiYAQYEc C:\ProgramData\ZcAsYkkY\puIwwoYU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\EiYAQYEc\hEIoIMIU C:\ProgramData\ZcAsYkkY\puIwwoYU.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 4820 N/A N/A C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe
PID 1508 wrote to memory of 1776 N/A N/A C:\ProgramData\waoYUQws\rgQoYAEU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

"C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe"

C:\ProgramData\ZcAsYkkY\puIwwoYU.exe

C:\ProgramData\ZcAsYkkY\puIwwoYU.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIckAgYM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGYksQcY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAQAUUIs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEgsgIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nicAccYM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoEoUMkw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Users\Admin\nGUIEwUY\QiUswMgw.exe

"C:\Users\Admin\nGUIEwUY\QiUswMgw.exe"

C:\ProgramData\yGcIsoAM\AAQQYkEk.exe

C:\ProgramData\yGcIsoAM\AAQQYkEk.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1740 -ip 1740

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSwsgsMA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCYkwQQA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCcoAwcY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIsEAYYA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIkMkIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUMQIcoA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIYEwQQA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqkwMEgU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksEMookw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuwIQIMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUQAssUU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMAkAEwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pycgkkYE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqkcgUgw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYoAkEQY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiwwYUQw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eosYYowE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgEcwAwU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqQEIowc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pywccMsw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwocgcIY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQUoIQQo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYEIkwkc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGQosEYY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQgAUwMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQgEYEMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIQAkcwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcgMYcwM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYcQMYkk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqkgwQoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOUEEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCUggIIM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asUUAIQY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUIAwMUA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REsMccoc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSwQwMEI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgcwIAUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgsccMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAIAEAMU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUkQMUYM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKAgkIgc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWAYcQwo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QocIUQQs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scgkMkIE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcEkowkY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiocIogA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSsoQoIs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiQIMYIM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIkAwMYo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qggEkwwk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMUUocgg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQQcAEUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\ProgramData\eGssYows\oOQkUUEo.exe

"C:\ProgramData\eGssYows\oOQkUUEo.exe"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqIgUUso.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiocEAUY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioggcosY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWsoAkwo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsQAgQYs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAwQkIUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEUcQskU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyIAIMAY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCAwUswQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWcAAkEU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAMwEAoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWAUQUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgokYMsw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckgUkUAo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSMAIoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGssggMU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSEcooIw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngMcwYkY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmIAQssU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYwAYUoM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUAowgcA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cskMoUwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKIsQUsM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsswQMMs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWEUIEkM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwwEYYoM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\ProgramData\waoYUQws\rgQoYAEU.exe

"C:\ProgramData\waoYUQws\rgQoYAEU.exe"

C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe

"C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 80.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
IE 51.104.136.2:443 tcp
IE 51.104.136.2:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 20.114.59.183:443 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/1508-0-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2984-17-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1776-12-0x0000000000400000-0x000000000046E000-memory.dmp

memory/5040-31-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2472-42-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4452-55-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1616-67-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3228-92-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4452-105-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1696-116-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1776-118-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4860-143-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3096-156-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3244-169-0x0000000000400000-0x000000000047A000-memory.dmp

memory/5040-233-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sMUA.exe

MD5 a1e1efe06ce1b17c9c05f50254aa4d5f
SHA1 b9a1db0a611fc6f40c83a10410c5e8b6e65c36e7
SHA256 ebfd009694f91dce05b9b590bc3a79ea01c6718bcaf2f8e4a23b2699c2c039ff
SHA512 1e2d3a40e41e8a8b82cd1251c6885d23ac75893fb93f6d43088567b7cdfac4ae8e503d674dd104aa86f3605ddd168ce5552e2e63a3c62c5b543998ea005d6922

memory/2284-906-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4452-928-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4452-936-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QwUk.exe

MD5 b0e6148e9d6eafc7e9781fdbb64ab7b8
SHA1 b356f7813411cf992d90760ac46ab5eafdaa2430
SHA256 0ee91888327ed8e394c9cfcfffe67ebdb011421fe2143dd077c9441eeebb3b4f
SHA512 f0ca8962106654ddb5756d3b97e3185fe42800876a3b350a5824f8e08358a28a833ac9646f6ce46cfc2c44ec92b589f27818416663610eb4b26e10e707623f1b

C:\Users\Admin\AppData\Local\Temp\ugwO.exe

MD5 2483cbe4055fc4248ccd9715fdf1b5fe
SHA1 c692802da7ab05dbb6a8c3a4c95f9735d301568e
SHA256 26c27a97cfd57964a0b0334cf9912a822e39eaa5b5dabb0d8692f8adfa0ceb42
SHA512 a1fc49674e2452cc4ea5264b246288266e9390453dd1990da269bdc0110857931475e4afe48181b84dcfe7a606672b885f8702b1a439b1ddd77ed3aea2f0257d

C:\Users\Admin\AppData\Local\Temp\oAow.exe

MD5 97d92aae83e9fbfab4b49df18218ba79
SHA1 0ecd83c01ffbb6fd14541fce8baa91428325a8c0
SHA256 233c9a49c5db666894d290ed428e025bf700e3e010db1e1f72947780fbd6e14c
SHA512 f21055eebcfb3f8305a6c1ea9b40353949bdc3fd6e7138730b99737b3f5bf22c5e80c41ec737028c5aff8d999b9572f4bff7301f51c218206a5991cd47d7a9bd

C:\Users\Admin\AppData\Local\Temp\eswS.exe

MD5 eb2debbedf4594408be9eb907a619921
SHA1 5965350674a165ca9f25b476ba931a5ed0140a0c
SHA256 8d257b14e00edcef03b1dd2b24b3c62d4d5431786f641b0111183c7e8bc8ccc3
SHA512 9d5d51c6b374dc7147e7afd98066b24acae8f402c9d42168176f116602d449bafe811605db732b8abedab76e222ae014fac4b9ee800705a3b23cb2bd35c60f6c

C:\Users\Admin\AppData\Local\Temp\kkQE.exe

MD5 2b782a0a76110d1c2e5c947910afebb2
SHA1 fbbd8fdf2de66568a8b5688287d500734b3d16e1
SHA256 d9a2b9d50d404e301209898f9fa369bb1098d0be53581578635da28310376c46
SHA512 c19081826af35e3a6a80c7e39b410ae24c93e834f6ff8a2f409a47303133de44859564eb2c14d257354ad6e22d5ff972bba00f9b37a80087d20a7d631dbc6d13

C:\Users\Admin\AppData\Local\Temp\UAEk.exe

MD5 7b396f4957ea94b0802e45ef324dafc6
SHA1 f1dcdad58905941e6e097375268f55e741fe85bb
SHA256 4f3ffefbcf41b1ce354cd0e1588176f04a24aa300deb68f00c7c73b49cd3b99a
SHA512 97fb4698c869814d5fb4cb7f510163150deb54ea4bf40dd928c5be0b1eb96ab4b99a96d4c67a04a22bf4e5d528523ac7b0f6542fde2174dc9a2a13f799d8ce42

C:\Users\Admin\AppData\Local\Temp\aEkC.exe

MD5 fc31653274322f1e03e386a5139722be
SHA1 103bf9f8805f98ed93c5eeaf4fb6887ec8bf2b21
SHA256 83a3af8a7f354f7b50bffb0b6a95175749292ae4bd4d4d4401d67fa698d8accd
SHA512 bffcfa0549cdc4b6da6cf89f7a8837890d29991b3f92a34f7c3ac9835a5f2a1db1c8f9e39d22440431a2aa6ec37c80a30f54c55b963493cd5bfebcbc1cde4b4f

C:\Users\Admin\AppData\Local\Temp\WUgk.exe

MD5 4439f5fa24b89be6b733ad989414cc49
SHA1 72e4475de7647bc0829b96401eff32c33292b337
SHA256 7548c1d52f5236587d8db7a80e4410c151162b51c974f017b676416996e65757
SHA512 41b508dc39d42218aba185b607ab28bdd61cf53a1f8c9e6778d8f839364a2723dc3c41b200c30cf517fc592c0708fecde9f1b9ad178cc0f73cc2cd081125176c

C:\Users\Admin\AppData\Local\Temp\eMgs.exe

MD5 1146193e3343f0d005ad2c62daffe8ec
SHA1 77d16a939854cd0d9d726ff7cc67a466e56adf3b
SHA256 601c2966adfef1668fe43c9b5cc0638bdd0d989f837fb30eee4bd07ca26eeed2
SHA512 6babfcb2bf8774e2d3189d65ce2b9f5140aa0a866e546ea258073fe7bb57d631977b54d31bf06fda5e6f4da41c3b80b84879bccf13740ea192d3fb0d6fb067e2

C:\Users\Admin\AppData\Local\Temp\UAsw.exe

MD5 04af86dd79bbea4a325dcb31be56a0e9
SHA1 a340799c073b148751c26b6b1627eb92ec456b29
SHA256 4ee265d1c7823cbf8f32d93613234d6bf75eb694a80619ca6c854b790dcbed0f
SHA512 c972f83295af0792b0cb87a0b6b030bde0436c970b79a5f7161f3569ce46b11a2bed4ddf964f8bde1d9078331f55a6389591b11396bcf7eac0d828c7a8c5d852

C:\Users\Admin\AppData\Local\Temp\oosM.exe

MD5 7b9eac56907ea13f01d2d7d9f2895fe0
SHA1 f2c4f9c3d9422ff3e43582fdd15511322e3a3bf9
SHA256 2d16573516fa082ded0d359ef835d3e6858ff237bf157fb1af3b5b54a9d0024b
SHA512 68b607ed25e6fc08d0199ac24d3b4e443844037fe84a93e3e6e9aa8a2e8f0244b017aefcb61d6b08560bdc6df4d4ebe6aa56ce5ac4ffb021a1322e76969c90dc

C:\Users\Admin\AppData\Local\Temp\sAYm.exe

MD5 697f6c8980cf8c9d617a63ac43f8a8e7
SHA1 e7b5ddb5e2774171b5203877445c6f0c80e9d615
SHA256 eafbc43b45d8fe095bb2c19b0b640a2e229eb6515c8ed2e8dd9ad0109d01fc27
SHA512 5f4bf7e50d83e64ebb7f41452196269c9ef5c7bf0e5f57083c1db8c4fc7fd1e0adfbbd15ec0e6eb82f831d1ab47e02b14a0c7bafab569453ba903825f5478352

C:\Users\Admin\AppData\Local\Temp\ikks.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\goQi.exe

MD5 2910a7a1d3613d068450628aafb598b0
SHA1 d97eadd1ca9865e6dc745108150ff469c4b5084a
SHA256 d6049dcad025aa5953a16b8aff1770c4045334ffd1b0a7da389542707292ceb8
SHA512 3e4fb26890089415b33c9483ffabdebdcae98f267d00bccab4cbb1c593faa2e79eb8d109c981efe6fbf08b91115baf003cd94e5d94ed5da5b378e2375053761b

C:\Users\Admin\AppData\Local\Temp\AAcS.exe

MD5 56de12c255876de3685003f8b2be602c
SHA1 2e9203e7452d58e79c3cd13c75e44cf7d035613d
SHA256 d6ba0e3585f0425025b0b5958636a8dd82a95e8eb61ed7e8ea47ddc33a7d57ed
SHA512 01508eb0fa1753de575f83d8f9b9556a2ef7b662bb75878e3f0252fd970ab8be2f4620b8c0ca017f1d0fcffb796a50b77482ce73bc5f701cde7a99acb54b88bc

C:\Users\Admin\AppData\Local\Temp\gAEu.exe

MD5 fb6c0d2b37e52225dbb9bf9d59c8776a
SHA1 6281cfa0bad4dcedcb7d867028fdf70cc2906049
SHA256 6ac3f642be7e4629e1a3a394f1e1d1ff37b2ec2cbf1c740eea9255da863fcd2f
SHA512 ff7b7dcd298a4237b627dea63a336db65bd89c1c583e12cc7cc7209983e421a0f392333837cb61fe74214f2a101b05739f2e32c1b81f07509553e2ea667e54df

C:\Users\Admin\AppData\Local\Temp\gMQa.exe

MD5 dbe5689ec20dc7ea26048039d17161a3
SHA1 af33f44fd4b1610c447709680c186f9e8ea53df0
SHA256 8b2512e9f939f431e5687746b33d0d129d09d31f5efd8c460d77db10e1e96444
SHA512 8f07ef38d6e7a643c097d3029411c7b302794fc7c067a653e18c2344e05cda7e40806a7a7a48ec2f9d2e8ff9ef5d1af40fae9b97f58098b1205b96c1c4e5b44b

C:\Users\Admin\AppData\Local\Temp\swUe.exe

MD5 99d3a078c256d0d0d5692eebffc3caac
SHA1 55ceccd9b3416141fb5ea97323fd45f1ab02597e
SHA256 ea78894ce0ce2d58dbdea3fca45ea0772cff2a5259a9c584dda4df36822f7609
SHA512 d9d3971e36370c116e5197b963557c40cdaf06f7b46bdc1b65b6c0293adc09e61a027e49387941e6ea6e791f92a33c7eeb2a8726e2b3afc8936258d90d87d2b1

C:\Users\Admin\AppData\Local\Temp\Ewgi.exe

MD5 92ae9bdd380600fbecccd67580d2bb0a
SHA1 e6f0b62559ac9d3b9281f463a3960733c227a175
SHA256 fdce04f2e484616b0c6a0247c659eb6d55a8932cd889133936682aa05d1e4036
SHA512 a06f5d1a81ce5933f6cf8ef52442175d911705a75fc459d81f7362b98be7b7b2862a1fcc529141b7669c8f02c2ca35c0b378590ea1c59a1cf41e31bdfbd45da3

C:\Users\Admin\AppData\Local\Temp\Esgg.exe

MD5 1fd62683b1becd7b9e30fbd6a6906719
SHA1 96040b9c0fd69d0dcd2d3f6f90cdbb0e2b3334be
SHA256 522fba5aca5e69d474c3b069cc2fff015d10eb9d1b4b615ea27e8ab8a10c218d
SHA512 c99d1a63093dceba8dd366d84ae62fc0b37893aec68bd3565b5a5cd7ac48b00417786ac1a909e4b825fb1c1bf34411883a8396d226f4ea14ba3c5781297db3a1

C:\Users\Admin\AppData\Local\Temp\GgEW.exe

MD5 54c53bef9581dc8330cf37f3cffe04be
SHA1 dd3b97118679fcb0467f1683b2f18efd83f1b033
SHA256 b878892bafe71a6fd28f21955148e2850183640c61fd2a2c018331b7992629f3
SHA512 675e5923bbbc2fb3ccb539fb639d074eafd96097d7598ba615e444c6212dd7a0411a4c1fb90a7181ee8ccbb028f454bc7655b217b72903fd279e480941173cd3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 d8f0397327bd02305455a67c3b97fbe6
SHA1 0ac56e66542c59e2173af73d9c611da6cb901a46
SHA256 b832a0d23d1aaeff64bcd67db4ae9613480c4c74082ce9e1f2d38cd23e2ff425
SHA512 f323b7d79db4b1634080bbd2ad96348ba7f8010d72ae0ba6d8da942f9863db9d28f08a32cdbd29ccb9192afd7d7f1c4c7bf771f5f562ec36f6acffcee3aaae87

C:\Users\Admin\AppData\Local\Temp\mQcU.exe

MD5 c03fec8d4a221a4b55d0dbe679a1990d
SHA1 46016a2c7ace732eace55830b61dd8fc861f68e1
SHA256 51f77a6f7bfdbe5b26cae05fc617d0729729f4455581de431a58cf096966aecd
SHA512 a617e20166e64a6eff955a7073af91686938c38b680680310754ea585ab9dd3d3f2d829f9a7fac83e85b4cf3ddfef4a128fb911395577f7e6c6e38824554d65b

memory/2056-932-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\akYA.exe

MD5 9058b09d8a8c46aeea2e77d92990e2ae
SHA1 0786dbf922a9eca715f1d83a918e09e233837292
SHA256 264a258daa5cbcec09fc110e01ec59ba3ba460a7f199cd93bc3b801d0b899a2e
SHA512 4e8ec7f18a943d1b1429bc677d679e409753df401d9834fb6ec341cd60534182a1454ef0454e32c34e40ac9424590a0db06d243d0a20a8280f3615fee01045b8

C:\Users\Admin\AppData\Local\Temp\KYcG.exe

MD5 9a2661f89a6bd94ddb9529b6d636fb03
SHA1 612c7b1e91539d0732b352d4c8877802cd3c9275
SHA256 98ca765fa523f1c0e69b9fc5c0c8d65969ec78b36de1ca77842837f6ae099fa8
SHA512 3011534b2c5441abaf88bc54f53db21528ec3b65b6b21765a0b33553e53a0a0acd1e2e0c9c0a8b8f50f8b217afd465ba6ac9cf23b94905e1f7b5cee4297ebb48

C:\Users\Admin\AppData\Local\Temp\uUEy.exe

MD5 995c655d620f2fb1269d5dbce1426ae7
SHA1 24fdbfad1a0c361ff819fb8265a13d23f20d8ee7
SHA256 865902ab0f8bb881366e880f31e4eb73d5381b8d15ffb3735ff897c1a225c219
SHA512 fcc25ba3acb2bf9a3b6ec40b91583d548f2f2ef06c5046d1b3b0d17ece9f7ecdd312a4f333f1684186753b811b2dca3c7bbecbace7a510c0895586f9f65d3fb2

C:\Users\Admin\AppData\Local\Temp\eIgq.exe

MD5 5c67a85c0df04edf58b5a670911827bc
SHA1 d7502c6a6ad69db9a3b27543f9b47529b8c78c84
SHA256 4257bb7a144613785131f08c91a3d44dda8734fb543c9a9260e74a1e2997c3e1
SHA512 c8c41dbb0b762893bd15dfc59efd41dc405464bfbacfb954288a40a9f254513b60c9687b409cf037345023d975f8f0d099a328e0682ad632a24b005b83ce676b

memory/4248-844-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2284-827-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2760-764-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4248-747-0x0000000000400000-0x000000000047A000-memory.dmp

memory/220-630-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2760-617-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1368-564-0x0000000000400000-0x000000000047A000-memory.dmp

memory/220-547-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2336-431-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1368-413-0x0000000000400000-0x000000000047A000-memory.dmp

memory/512-311-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2336-301-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4716-258-0x0000000000400000-0x000000000047A000-memory.dmp

memory/512-254-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2176-245-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4716-241-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2176-229-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3576-221-0x0000000000400000-0x000000000047A000-memory.dmp

memory/5040-218-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4560-209-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3576-205-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3980-197-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4560-193-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3980-185-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3244-181-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2284-177-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2284-157-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1508-146-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3096-139-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1460-131-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4860-130-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2984-126-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

MD5 9be40486ad4e673aec97906a636ccb2b
SHA1 19130bbaf3f33098a884ae68b3e5b0e8e2789c14
SHA256 622d8defdd6b6abd80a45ccec629363cf38a7d338945cf1af27bdfe7d0b777b6
SHA512 9017b561dff451148f1f1a5da2028b2eba6162ab37dceece82b28f28269dd2bb6295d02c097f9550aa87b64841290a7cc587c6aae123168bf53efed0620172ed

memory/1460-119-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vEgsgIsQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1696-102-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4820-100-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/4452-88-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1508-87-0x0000000000400000-0x000000000047A000-memory.dmp

memory/992-79-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3228-75-0x0000000000400000-0x000000000047A000-memory.dmp

memory/992-63-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1616-52-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4452-43-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2472-27-0x0000000000400000-0x000000000047A000-memory.dmp

memory/5040-21-0x0000000000400000-0x000000000047A000-memory.dmp

C:\ProgramData\waoYUQws\rgQoYAEU.exe

MD5 38ef86528a052a9755cfb9407997750b
SHA1 31b400331fdb503a5ad80e94d54d83240aea3d02
SHA256 ac4f9cefbf2860df0312cc7c29709ecd91f959bf084429e6cb76234a4a70d608
SHA512 ea80fa89179bdab7dae454bdfe934d1a4ba72334e4362286d6358abc76498d519bcda361e0d34967d873db300aba84735a485b17f18d417ede378734ff48e366

memory/4820-6-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe

MD5 fa10f15d2c2b900ec50d54ba5ce88029
SHA1 7db6d67e474e791018cc08a2b755880271615d5e
SHA256 1487f2b0d6fcf018c6701a755708ba410097a8db7f0dd0d4ab50917d7db58401
SHA512 47b7389df2497d40453341d721c419babb1ff68112cce7630a732abc94519e16b5795f17bf9b654e49632b2ce786a88a0fd2b0cfaa85a3a94926de9ed447d4d9
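Two things in the Files listing above are worth pulling out before anyone starts blocking hashes: every dropped .exe carries a different SHA256 (the sample writes a fresh, unique binary for each copy, so a per-file hash blocklist only ever catches the copy the sandbox happened to see), while the memory dumps are almost all the same 0x400000+0x7A000 mapping in different PIDs (the same image executing in each spawned process, so one dump is enough to analyse). The script below is an added example for this report, not sandbox output: LISTING is a constructed excerpt of the listing on this page, and two readings are assumptions rather than documented sandbox behaviour, namely that dump names are memory/<pid>-<sequence>-<start>-<end>-memory.dmp with the lowest sequence belonging to the first captured process, and that dumps sharing one base and size hold the same image. It also flags the two durable path patterns the page does support: eight-letter random directory and file names, and the double-extension drop AppWhite.png.exe.

```python
"""Triage the dropped-file and memory-dump listing of a sandbox report.

Added example; not sandbox output. LISTING is a constructed excerpt of the Files
section on this page. Assumed, not documented: dump names read as
memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and equal base+size means the
same image mapped in different processes.
"""
import re
from collections import Counter

LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\goQi.exe

MD5 2910a7a1d3613d068450628aafb598b0
SHA1 d97eadd1ca9865e6dc745108150ff469c4b5084a
SHA256 d6049dcad025aa5953a16b8aff1770c4045334ffd1b0a7da389542707292ceb8

C:\Users\Admin\AppData\Local\Temp\AAcS.exe

MD5 56de12c255876de3685003f8b2be602c
SHA256 d6ba0e3585f0425025b0b5958636a8dd82a95e8eb61ed7e8ea47ddc33a7d57ed

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

SHA256 b832a0d23d1aaeff64bcd67db4ae9613480c4c74082ce9e1f2d38cd23e2ff425

memory/2056-932-0x0000000000400000-0x000000000047A000-memory.dmp

C:\ProgramData\waoYUQws\rgQoYAEU.exe

SHA256 ac4f9cefbf2860df0312cc7c29709ecd91f959bf084429e6cb76234a4a70d608

memory/4820-6-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe

SHA256 1487f2b0d6fcf018c6701a755708ba410097a8db7f0dd0d4ab50917d7db58401

memory/4820-100-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2984-126-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1460-119-0x0000000000400000-0x000000000047A000-memory.dmp
memory/5040-21-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4248-844-0x0000000000400000-0x000000000047A000-memory.dmp
"""

MEMDUMP = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
HASH_LINE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$')


def parse_listing(text):
    """Split the listing into file records ({'path', 'md5', ...}) and dump records."""
    files, dumps = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({'pid': int(pid), 'seq': int(seq),
                          'base': int(start, 16), 'size': int(end, 16) - int(start, 16)})
            current = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
            continue
        current = {'path': line}  # any other non-empty line starts a new dropped-file record
        files.append(current)
    return files, dumps


def hash_coverage(files, algo='sha256'):
    """(files carrying the hash, distinct values). Equal numbers mean every drop is a
    unique binary, so a per-file hash blocklist will miss the next copy."""
    values = [f[algo] for f in files if algo in f]
    return len(values), len(set(values))


def image_ranges(dumps):
    """Dumps per (base, size) pair, most common first, keyed as 'base+size'."""
    counts = Counter((d['base'], d['size']) for d in dumps)
    return {f'0x{b:X}+0x{s:X}': n for (b, s), n in counts.most_common()}


def pids_with_image(dumps, base, size):
    """PIDs in which a given base+size image was dumped."""
    return sorted({d['pid'] for d in dumps if d['base'] == base and d['size'] == size})


def earliest_dump(dumps):
    """Lowest sequence number: the first process captured (normally the submitted sample)."""
    return min(dumps, key=lambda d: d['seq'])


def random_name_drops(files):
    """Paths ending in <8 letters>\\<8 letters>.exe, the naming scheme of every dropper copy on this page."""
    return [f['path'] for f in files if re.search(r'\\[A-Za-z]{8}\\[A-Za-z]{8}\.exe$', f['path'])]


def double_extension_drops(files):
    """Paths like name.png.exe, which Explorer shows as name.png once HideFileExt=1."""
    return [f['path'] for f in files if re.search(r'\.[A-Za-z0-9]{2,4}\.exe$', f['path'], re.IGNORECASE)]


if __name__ == '__main__':
    files, dumps = parse_listing(LISTING)
    print('dropped files / distinct sha256:', hash_coverage(files))
    print('image ranges:', image_ranges(dumps))
    print('first captured process:', earliest_dump(dumps)['pid'])
    print('random-name drops:', random_name_drops(files))
    print('double-extension drops:', double_extension_drops(files))
```

On the excerpt this reports five files with five distinct SHA256 values, four PIDs sharing the 0x400000+0x7A000 image against a different size in PID 4820 (the first captured process, i.e. the submitted sample), and two eight-letter-name drops plus the AppWhite.png.exe double extension; those path patterns, not the hashes, are what to hunt on.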

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:25

Platform

win7-20231215-en

Max time kernel

165s

Max time network

218s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\kSkcMIIs\duUEccEA.exe N/A
N/A N/A C:\ProgramData\guYwUoIY\fyAAYsIM.exe N/A
N/A N/A C:\ProgramData\dyIgEEcE\csUgAwMs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\duUEccEA.exe = "C:\\Users\\Admin\\kSkcMIIs\\duUEccEA.exe" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\duUEccEA.exe = "C:\\Users\\Admin\\kSkcMIIs\\duUEccEA.exe" C:\Users\Admin\kSkcMIIs\duUEccEA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe" C:\ProgramData\guYwUoIY\fyAAYsIM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe" C:\ProgramData\dyIgEEcE\csUgAwMs.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
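Read together, the four registry tables above describe three artifacts, and the signature names slightly oversell one of them. EnableLUA=0 under HKLM\...\Policies\System does not bypass a UAC prompt; it switches UAC off, the write already needs administrative rights (the sandbox runs the sample as Admin), and the setting only takes effect at the next logon. HideFileExt=1 is the Windows default, re-asserted here by reg.exe so that a drop such as AppWhite.png.exe keeps displaying as AppWhite.png. The Run entries land in both the per-user key and HKLM\SOFTWARE\Wow6432Node\...\Run, the 32-bit view a SysWOW64 process is redirected to on 64-bit Windows. The script below is an added example for this report, not sandbox output: SAMPLE_ROWS is a constructed excerpt of the rows above (one per distinct indicator/process pair), the \REGISTRY\USER\<SID> prefix is aliased to HKCU on the assumption that the only SID in the report is the logged-on user's, and the labels are this example's own reading of each artifact rather than the sandbox's.

```python
"""Classify the registry 'Set value' / 'Key value queried' rows of a sandbox signature table.

Added example; not sandbox output. SAMPLE_ROWS is a constructed excerpt of the
behavioral1 tables on this page, and the labels in classify() are this example's
own interpretation of each artifact.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\duUEccEA.exe = "C:\\Users\\Admin\\kSkcMIIs\\duUEccEA.exe" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe" C:\ProgramData\dyIgEEcE\csUgAwMs.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A',
    r'N/A N/A C:\Windows\SysWOW64\reg.exe N/A',  # "Modifies registry key" rows carry no path and are skipped
]

SET_ROW = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\\S+) = "(.*?)" (\S+) (\S+)$')
QUERY_ROW = re.compile(r'^Key value queried (\\REGISTRY\\\S+) (\S+) (\S+)$')
USER_HIVE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\')
MACHINE_HIVE = '\\REGISTRY\\MACHINE\\'


def normalize_path(raw):
    """Map the kernel-style \\REGISTRY\\... paths the sandbox logs onto HKLM / HKCU names.
    Assumption: the only SID in this report is the logged-on user's, so HKU\\<sid> is aliased to HKCU."""
    if raw.upper().startswith(MACHINE_HIVE):
        return 'HKLM\\' + raw[len(MACHINE_HIVE):]
    m = USER_HIVE.match(raw)
    if m:
        return 'HKCU\\' + raw[m.end():]
    return raw


def parse_row(row):
    """One table row -> event dict, or None for rows that carry no registry path."""
    m = SET_ROW.match(row)
    if m:
        kind, path, value, process, target = m.groups()
        if kind == 'str':
            value = value.replace('\\\\', '\\')  # the sandbox prints REG_SZ values with escaped backslashes
        return {'op': 'set', 'path': normalize_path(path), 'value': value, 'process': process, 'target': target}
    m = QUERY_ROW.match(row)
    if m:
        path, process, target = m.groups()
        return {'op': 'query', 'path': normalize_path(path), 'value': None, 'process': process, 'target': target}
    return None


def classify(ev):
    """(label, detail) for one event; labels are this example's reading, not the sandbox signature names."""
    p = ev['path'].lower()
    if p.endswith('\\policies\\system\\enablelua'):
        if ev['op'] == 'query':
            return 'uac_status_query', 'reads EnableLUA to learn whether UAC is on'
        if ev['value'] == '0':
            return 'uac_disabled', 'EnableLUA=0: UAC off from next logon; writing HKLM already needed admin rights'
    if p.endswith('\\explorer\\advanced\\hidefileext') and ev['op'] == 'set' and ev['value'] == '1':
        return 'hide_file_extensions', 'HideFileExt=1 (the Windows default) so name.png.exe displays as name.png'
    if '\\currentversion\\run\\' in p and ev['op'] == 'set':
        scope = 'machine' if p.startswith('hklm\\') else 'user'
        return 'run_key_persistence', f'{scope}-scope Run entry -> {ev["value"]}'
    return 'other_registry', ev['path']


def triage(rows):
    """Collapse the rows into one finding per label with an event count and the processes involved."""
    findings = defaultdict(lambda: {'count': 0, 'processes': set(), 'details': set()})
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        label, detail = classify(ev)
        f = findings[label]
        f['count'] += 1
        f['processes'].add(ev['process'])
        f['details'].add(detail)
    return {k: {'count': v['count'], 'processes': sorted(v['processes']), 'details': sorted(v['details'])}
            for k, v in findings.items()}


if __name__ == '__main__':
    for label, f in triage(SAMPLE_ROWS).items():
        print(f"{label}: {f['count']} event(s) from {len(f['processes'])} process(es)")
        for d in f['details']:
            print('   ', d)
```

Pointing it at the full tables instead of the excerpt turns the thirty-odd repeated rows into a handful of findings with process lists, which is the shape a hunt query or a ticket needs; on a live host the same three artifacts are the ones to verify (EnableLUA, HideFileExt, and any Run value under HKCU or HKLM\SOFTWARE\Wow6432Node whose target sits under C:\ProgramData or the user profile).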

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\kSkcMIIs\duUEccEA C:\ProgramData\dyIgEEcE\csUgAwMs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\kSkcMIIs C:\ProgramData\dyIgEEcE\csUgAwMs.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2680 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Users\Admin\kSkcMIIs\duUEccEA.exe
PID 2472 wrote to memory of 1316 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\ProgramData\guYwUoIY\fyAAYsIM.exe
PID 2472 wrote to memory of 2080 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2708 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
PID 2472 wrote to memory of 3008 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\system32\conhost.exe
PID 2472 wrote to memory of 1884 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\reg.exe
PID 2472 wrote to memory of 2352 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 1496 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1976 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
PID 2708 wrote to memory of 2500 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 2480 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 2376 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\reg.exe
PID 1976 wrote to memory of 1620 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1708 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
PID 1976 wrote to memory of 1960 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\system32\conhost.exe
PID 1976 wrote to memory of 1980 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe C:\Windows\SysWOW64\reg.exe
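The sandbox raises this signature on any cross-process write, and that includes the writes a parent makes into a child it has just created. In this table every Target is the Process's own child and the report records the same four writes for every pair, so the rows are best read as a process tree (sample → cmd.exe → sample again, plus reg.exe and conhost.exe helpers) rather than as code injection. The script below is an added example, not part of the report: it reproduces the rows' wording as constructed input, aggregates the repeats into a per-edge write count, rebuilds the tree, and flags any edge whose count is above the process-creation baseline this report shows. The `row` helper and the baseline of four are this example's assumptions.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the sandbox report.  ROWS reproduces the report's
row wording ('PID <parent> wrote to memory of <child> N/A <parent image>
<child image>'); the four-fold repetition per pair is kept so the write count
on each edge can be recovered."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
CONHOST = r"C:\Windows\system32\conhost.exe"


def row(parent, child, parent_img, child_img, n=4):
    """One report row per WriteProcessMemory call; the report lists n per pair."""
    return [f"PID {parent} wrote to memory of {child} N/A {parent_img} {child_img}"] * n


# Constructed from the table: the 16 distinct parent/child pairs, 4 rows each.
ROWS = (
    row(2472, 2680, SAMPLE, r"C:\Users\Admin\kSkcMIIs\duUEccEA.exe")
    + row(2472, 1316, SAMPLE, r"C:\ProgramData\guYwUoIY\fyAAYsIM.exe")
    + row(2472, 2080, SAMPLE, CMD)
    + row(2080, 2708, CMD, SAMPLE)
    + row(2472, 3008, SAMPLE, CONHOST)
    + row(2472, 1884, SAMPLE, REG)
    + row(2472, 2352, SAMPLE, REG)
    + row(2708, 1496, SAMPLE, CMD)
    + row(1496, 1976, CMD, SAMPLE)
    + row(2708, 2500, SAMPLE, REG)
    + row(2708, 2480, SAMPLE, REG)
    + row(2708, 2376, SAMPLE, REG)
    + row(1976, 1620, SAMPLE, CMD)
    + row(1620, 1708, CMD, SAMPLE)
    + row(1976, 1960, SAMPLE, CONHOST)
    + row(1976, 1980, SAMPLE, REG)
)

ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_img>\S+) (?P<child_img>\S+)$"
)


def parse_rows(rows):
    """Return (Counter{(parent, child): writes}, {pid: image path})."""
    writes = Counter()
    images = {}
    for line in rows:
        m = ROW_RE.match(line)
        if m is None:  # tolerate rows from another signature's format
            continue
        parent, child = int(m["parent"]), int(m["child"])
        writes[(parent, child)] += 1
        images.setdefault(parent, m["parent_img"])
        images.setdefault(child, m["child_img"])
    return writes, images


def roots(writes):
    """PIDs that write into others but were never written into: tree tops."""
    parents = {p for p, _ in writes}
    children = {c for _, c in writes}
    return sorted(parents - children)


def render_tree(writes, images):
    """Indented tree, one line per PID, with the write count on each edge."""
    kids = {}
    for parent, child in writes:  # Counter keeps insertion order
        kids.setdefault(parent, []).append(child)
    lines = []

    def walk(pid, depth, count=None):
        edge = "" if count is None else f"  ({count} writes)"
        lines.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}{edge}")
        for child in kids.get(pid, []):
            walk(child, depth + 1, writes[(pid, child)])

    for root in roots(writes):
        walk(root, 0)
    return "\n".join(lines)


def relaunches(writes, images, image=SAMPLE):
    """How many child processes run the sample's own image again."""
    return sum(1 for _, child in writes if images[child] == image)


def above_baseline(writes, baseline=4):
    """Edges with more writes than plain process creation produced in this
    report (assumed baseline: 4).  A large excess on one edge is what a payload
    being written into a child looks like; none is expected here."""
    return sorted((p, c, n) for (p, c), n in writes.items() if n > baseline)


if __name__ == "__main__":
    w, img = parse_rows(ROWS)
    print(render_tree(w, img))
    print("sample relaunched", relaunches(w, img), "times; above baseline:", above_baseline(w))
```

The tree has a single root, PID 2472, and the sample's image appears three more times as a child of cmd.exe (2708, 1976, 1708). That matches the `cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"` lines under Processes: the path is given without an extension, cmd.exe resolves it through PATHEXT, and the child is the same .exe with an extensionless command line. When triaging a report like this, an edge whose write count stands well above the uniform baseline is the one to pull memory dumps for; uniform low counts into freshly created children are process creation.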

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
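The EnableLUA = 0 write above is carried out by the `reg add` command lines listed under Processes, alongside two HKCU Explorer settings (HideFileExt = 1 and Hidden = 2) that are what the "Modifies visibility of file extensions in Explorer" signature refers to. Three practical points: EnableLUA only takes effect after the next reboot, so UAC is still enforced for the rest of this detonation; writing under HKLM\...\Policies\System requires an elevated process, so the "Set value" rows above show the sample was already running with administrative rights in the sandbox; and although reg.exe runs from SysWOW64, the key path recorded has no WOW6432Node component because the Policies key is one of the WOW64 shared keys, so the 32-bit write lands in the native policy. The parser below is an added example, not the report's own tooling: it reads the three reg.exe command lines as constructed input, normalises hive names and switch order, and maps each write to its effect and to a reversing command. The rule table and the "undo" values (show extensions, show hidden files, re-enable UAC) are this example's hardening choices, not Windows defaults.

```python
"""Match `reg add` command lines against the registry changes this sample
makes.  Added example, not part of the sandbox report; RULES and the 'undo'
values are this example's own choices."""
import re

# Constructed input: the three reg.exe command lines the report's Processes
# section shows, plus one non-registry line to show that it is ignored.
COMMAND_LINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"',
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS",
         "HKCR": "HKEY_CLASSES_ROOT", "HKCC": "HKEY_CURRENT_CONFIG"}

# (key, value name in lower case, data) -> (effect, data that undoes it).
# The undo values are hardening choices for this example, not Windows defaults.
RULES = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "enablelua", "0"):
        ("UAC disabled; applies after the next reboot", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "hidefileext", "1"):
        ("Explorer hides file extensions, so a dropped .exe can pose as another file type", "0"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "hidden", "2"):
        ("Explorer hides hidden files and folders", "1"),
}
LOOKUP = {(k.lower(), v, d): r for (k, v, d), r in RULES.items()}


def normalise_key(key):
    """Expand the hive abbreviation and lower-case the path for comparison."""
    hive, _, rest = key.strip('"').partition("\\")
    return f"{HIVES.get(hive.upper(), hive.upper())}\\{rest}".lower()


def parse_reg_add(cmdline):
    """Return {'key','value','type','data','force'} for a `reg add` line, else None.
    Switch order is free: the sample emits both '/f /v .. /t .. /d ..' and
    '/v .. /d .. /t .. /f'."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]  # accept a full path to reg.exe
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    entry = {"key": tokens[2], "value": None, "type": None, "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch == "/f":
            entry["force"] = True
        elif switch in names and i + 1 < len(tokens):
            i += 1
            entry[names[switch]] = tokens[i]
        i += 1
    return entry


def evaluate(cmdlines):
    """Return one finding per command line that matches a rule."""
    findings = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is None or entry["value"] is None:
            continue
        hit = LOOKUP.get((normalise_key(entry["key"]), entry["value"].lower(), entry["data"]))
        if hit:
            effect, fix = hit
            undo = f'reg add "{entry["key"]}" /v {entry["value"]} /t REG_DWORD /d {fix} /f'
            findings.append({"cmdline": line, "effect": effect, "undo": undo})
    return findings


if __name__ == "__main__":
    for f in evaluate(COMMAND_LINES):
        print(f["effect"])
        print("   seen:", f["cmdline"])
        print("   undo:", f["undo"])
```

The HKCU rules only describe the profile of the user the sample ran as, so the corresponding undo commands must run in that user's context, whereas the EnableLUA undo needs an elevated prompt and a reboot to matter. Matching on the normalised key rather than on the raw text also catches variants that spell the hive as HKEY_LOCAL_MACHINE or reorder the switches, both of which a string-based indicator would miss.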

Processes

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

"C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe"

C:\Users\Admin\kSkcMIIs\duUEccEA.exe

"C:\Users\Admin\kSkcMIIs\duUEccEA.exe"

C:\ProgramData\guYwUoIY\fyAAYsIM.exe

"C:\ProgramData\guYwUoIY\fyAAYsIM.exe"

C:\ProgramData\dyIgEEcE\csUgAwMs.exe

C:\ProgramData\dyIgEEcE\csUgAwMs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-596646768-802512095622783779-868951223-195724543418692914761190657459-1720438155"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9810981441396653579-1849624713595898508-454275408211637420210607638891375812296"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2172345871209378423-137478335764207028-860254577-16450157491189135076-1950457964"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "193694251662382749215606233-140588349713075674951110542037472729274518400706"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15808430114194992921351289086-1009520093785116381318175564312617550-766454493"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-897312723-179116586347957918914212337941012119365-575955322-977739556538644422"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1585858678134878694-4329983391455858552-9047406632585850401950038754561563785"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2002840291-744457640-589974179-1434134956-19838075432107869803-1227632892-884813411"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "704562590-585285965-377786896-1328209219903737704-772817530-1064819093-142454218"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19243831581432487016838186580-1208101387551380418-583093998315879403-788769682"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2078166580-19389559911292402187-373443740922846530-17403182861745428509-1817076594"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1464464388357939922-3056601989027792417774761571967089542-933394529987516035"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-794179335-1350961775-14197859451460564036-2038009802-133731579317543756781608977565"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "733794590-409830049-19425671791302348956-2044380983111066871415487563931642118925"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1310731163500083244-1855368625-1335343528-16817510041534493641597817377-1050035658"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwQQkIYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAEMIcMY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqkcEogQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOowgccM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaocYAws.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEsUcEwY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMAUEgws.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMksUMQI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKAcgwIU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqkcocMY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKYIAUso.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOMIUsYc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmcYYgEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGIYccUs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGQUkkoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwcUUMQI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMEsgoYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWAoEIYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywgYMAEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqAQMwAA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwUAsAEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUAkQQAA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\naQwIEoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YegYQAME.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaosYIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGcsgsQI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQggIEoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XucwwoYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmMAsIok.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQIYwcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEcEMIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkIkAcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsIAEwsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYEMwkgM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqskAIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAgIQIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUskowsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCYkwgoA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewwIoUcc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQAwkcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEsYUAoA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCAoQIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEMEUcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaAYMQsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAQAkcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp
GB 172.217.169.78:80 google.com tcp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp

Files

memory/2472-0-0x0000000000400000-0x000000000047A000-memory.dmp

\Users\Admin\kSkcMIIs\duUEccEA.exe

memory/2680-10-0x0000000000400000-0x0000000000470000-memory.dmp

\ProgramData\guYwUoIY\fyAAYsIM.exe

memory/1316-20-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2680-23-0x0000000000400000-0x0000000000470000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

memory/1316-28-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\dyIgEEcE\csUgAwMs.exe

memory/1188-30-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vwIYIQoQ.bat

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

C:\ProgramData\guYwUoIY\fyAAYsIM.exe

memory/2708-69-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QQoYEgEs.bat

memory/1188-79-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1976-81-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7

C:\Users\Admin\AppData\Local\Temp\SQkoUYEY.bat

memory/1708-92-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AIsAwowA.bat

memory/1716-103-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oUUEcEIk.bat

memory/2572-114-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oSkkcgYo.bat

memory/2776-125-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WQYoooYI.bat

memory/1380-136-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WSQAQsIo.bat

memory/1808-147-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xkAIkQwU.bat

memory/1064-158-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IGIcYMkQ.bat

memory/1816-169-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ISkUYEYw.bat

memory/2524-190-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2708-189-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BggcYYsA.bat

memory/2356-202-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1976-201-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YAUsUQIA.bat

memory/1708-213-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1616-214-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qaYUQMQo.bat

memory/1716-225-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1456-226-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAsgYggg.bat

MD5 82b51d01338366d29608baedc7dfef09
SHA1 1de94c189dabbb9e37befe8eb7bbc448526b18be
SHA256 75271ae41bce81f55529e804185b588d47b85891adc932960615a8fb0c963d2a
SHA512 16a872428a76b7a4a497ad46ffb8f7167089eab3b7985491919e554ebf0399b40f43c12600a77776f609c5c8f59f015a80af1e58bad87cc94381d7a5d5c0f1bf

memory/2440-238-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2572-237-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zmkAEUIc.bat

MD5 e85512b2d73151f23ba5eac1c4b37f2d
SHA1 7d1866ca515c600bada277ced174fbfe0ac045f7
SHA256 344862da2ba11cbf9b8392778af43368a6f315a365541c09f41bdd9fed42a4c9
SHA512 c38ac0ad7340723b07db97ef6c0bf9d7cdcf8031fbe5e07c7d79d692a1f26d4ba8b2e00f5c813aa17e89aee01b5ed6bd686357229effa91019d5832e9e556cc0

memory/2776-249-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2580-250-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QgowcgEQ.bat

MD5 6f3cc9966851f9ff1a6be27f7755f2a6
SHA1 2ff77e1e846048dcdef5d0c1e527373b98fc1387
SHA256 8b78c5b29f89b1cd8f52a3c580ea722bf1a1806714f1fda2644d1394ba9501a6
SHA512 52f0822e6e487ce9c296e88a4dea63830e991381f6e6e0011e35755b9d45c5096f1b4ba8b00a802c1766cff6cfe6a97d971894aa8b72ee8aa0df114a2719f397

memory/1732-262-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1380-261-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VUsUYcck.bat

MD5 1520b1200d18de35cc374c50bb7f6047
SHA1 94d641f2f1d96e5017ad30255358c47bb32f1189
SHA256 524073084735ac7e1e82bceb1674900e53a3af20a48f2fdddd478234634a3df2
SHA512 510fca1a3f54ec2d74525a699f40723fb5fc788be111e66ec4aa5bac5595925168355af3da853136e6e8a9a85b790512a36c40da570c6c1f82df77b17051b4e9

memory/1692-274-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1808-273-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\siAowwcw.bat

MD5 5a920ae26993efb1cbf8c85d0e79f516
SHA1 f44123cb6bc024de17d4c33c5abd2873ceef48a7
SHA256 d6162a1c2657015b5db902317dab5a104c99bec664b2b19922d6b3e27817fd7b
SHA512 1d296970f9b34c10b27e95f2263679517100719c6f7436c1c73a4445f9fc017a3e0988ccac08ac15b60908c041765ade0749f696450d5a98b09d025ffc27f71d

memory/2088-285-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1064-284-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1816-296-0x0000000000400000-0x000000000047A000-memory.dmp

memory/992-310-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2524-309-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SOQsAEQc.bat

MD5 dd845af7ecc14f8c1f678270b47f8a0a
SHA1 b690f347cd7e9a6d3e3ae476261e12c7befce5ef
SHA256 2bd549fbf8eccb082101db32b10013691ebbfb0f499b4a3b04a824d82d7bb7c9
SHA512 6e36929f996cb3dfc138e109f448b89beee439d209a2a05429b3d69d86f736aec49a1a2018ef6a7e5c1574bb9c4ce1e8e51abd464d0d4d5f9637a8b9893ba24e

memory/2880-298-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TIscgkAw.bat

MD5 f0b9bf3c34e21a58fc1699ec4cf96aef
SHA1 48177d854de5a31dd5bdd7bac5a457ab2a0d0ea2
SHA256 7a764cf2085e94b7635e54b0090f4cd4c7553019623e27d59e66a331880b0f71
SHA512 e8bc50b00cee7cb09816192b46da16f1378a83649f7b80ec9ca049b78a1aaf6419d5c3eb0039da837a236fd144cebdce318effd99b2597948be9f2b8ac7feec7

memory/2412-322-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2356-321-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fAwAEoMk.bat

MD5 e78efd1d09b81978cca1619879b411ac
SHA1 30f9cbec067f5abce77db68a35eef38466e50f5c
SHA256 ed9a7e32e672786a71063c522fa250de230cad9ae052c04c21443763c639275c
SHA512 34c1a5c30a308acf4dc9a10c55ce8c77ef26eb69e8e805bca4ec50358b0126cef0253b0423a7ad280273ac489818c0589c1d81fccc9c9264c5c7224d3c0e7977

memory/1616-333-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1552-334-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pEIUYsgM.bat

MD5 8ed7b613c519dfa6df6cb4d7f551186a
SHA1 de9e60fe03d7e7ed26255f6a9ef1c35f2d2c3313
SHA256 cb2d424011e8f113db405ca363cc30c327095b80120d4b07fdfdbe1699d6ffd2
SHA512 667918691db725494383572332eadc280a2baf48f9169225bab4435d5d09db92a09348017f00d767b2046d5ef6fb8ccf30a211480285ce66db2683f01e957443

C:\Users\Admin\AppData\Local\Temp\HkgwAUoM.bat

MD5 8af896f2038de09959a23ee0dd331857
SHA1 0334bcb1cfc4d7bea314ad8b11439597e30b146d
SHA256 c06257e20ee30ffcea70c7ffce8199a7bc94c3087c20cb48b765753b8487a3da
SHA512 95695c01ed613b7556f4f9a38efe98e860d29bdf27613b0994e901d3a35f751b21a31f51754b1d4ff3736f6892d71cb1aa930cd5007a411b97925b517d9fa4ae

memory/2156-346-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1456-345-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zSMAsEMQ.bat

MD5 d1b332b8b1c0722010438ad151eefc1e
SHA1 aec05461227495343b1ac72f91972d5f08810275
SHA256 20b23b6dbbd484a6ee83a421282ed46107d99b95ff17a9b06d776ae0887f7f3b
SHA512 b2f3ff0efd8e00a7797018552db771403320f18b4c38857511d0939dcc347b5a5450961ed66a14632fc716f65758862f92c73b0ad8ffacb0abffb73acb024358

memory/2440-356-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2496-358-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DuEQUIgE.bat

MD5 90bb55a4fa79cb3520bb684a6615cfb7
SHA1 7bfd40f5e90f58d672bc57c0fc2678af0548535d
SHA256 86c6c827c417f01f610f46b3a187260bd5f0b46149339d6aab604ab03279fc95
SHA512 8a35e2b9695a78b20c7dc79ce770f67e3ff3feca5883050a7798f7b896b3e258181fba8bef797b6bed1b3632b2b6ff28759ab307fc7595ce3e61f84273e28742

memory/2580-368-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2784-370-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MiAckEME.bat

MD5 3c331240d037916d04429b8273e39c93
SHA1 1cb722eda868ead044f54834c908ebaa57c4726b
SHA256 0dc9304b7d0880563f664e416e9b395409ac76df7b2887bca6c50035d6f9d941
SHA512 2710f6cd13ae6432b7c48e2fd538792271a904521c9c70cf325780b0b148280f03e45e3461ea1cdbe2a4122e6ac7937bc4173f061df3882bc631e1fc02daf75b

memory/1732-380-0x0000000000400000-0x000000000047A000-memory.dmp

memory/240-382-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OGMIUgwY.bat

MD5 92fc94d1cd6d6aa7883ad235babc5cd1
SHA1 79f6a25152df36088b67eddbee06a9adbea97522
SHA256 2be9ca1bae6cbf15ca5c9608d327dbe9ba738325f37a0b858a6e5a916d54b595
SHA512 19d330d5493cc5faa8452795329ca368b5b41c6f2ee3773878bb73db4918b7f0ff8c7f712099c4752a94b757f9aba262b82cf8d67c38959660a46acd7872d17a

memory/1584-394-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vKswIwwo.bat

MD5 5921479bd3addc751935c7755207c2fc
SHA1 d80d5d7340b8a9292e199822c483a0ebc490257e
SHA256 91d6c0d28ac38ac754ed932e4108dc8499278f8ed1a7466b691afbad4a8a152b
SHA512 049c0d63e3b87795fcc6d6060ab8d089b95691f089fec486629cfe124f8c84d34e907cd40861548d07a9aa6b516801bfa07d281349aa3209837b4111046f979b

memory/2528-406-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2088-405-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1692-392-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2880-407-0x0000000000400000-0x000000000047A000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 c4fb82689204f7e8471db70d8c694443
SHA1 271c67977ead74695df274d5eec01750eb82f908
SHA256 ca1e448276c229bb957cd0654ef7e7dcb2cf97357ec10446a51ec6aaa475c805
SHA512 5056ae05bc0db8df5d14879db82153a4b810fa70fb1eee17fa69d6cedf3252b5c7186c8d62bc8781beb90ed39c65cca430b8ee93bb4b96b8383e74779091613b

C:\Users\Admin\AppData\Local\Temp\laIYwQAo.bat

MD5 0054ea2abc2d960fa5401fc5b49f3086
SHA1 a2be0c51043f326182b1b933a7e62be9a67c8261
SHA256 64d89dc621bed52d252bfddb3556f35166de8739e4096065f364f99007efeaef
SHA512 c7ae53397a79318d641edc3ac38fe1fa335c8317b78054c838a4556085c0b395fea87f4c151b347b77cbedee7559ea736e2f0c4df4fecc8a696dc7e6527ac5db

memory/992-422-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2852-423-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2412-425-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1552-433-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2156-434-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yEAs.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\eigUkQEo.bat

MD5 8fc0736328368aaf220150b63f039281
SHA1 ee5abd3f272e88883efd2515814d74e6fa8be507
SHA256 b60ed3ab07c22533ac71c6671b3e6678c928b30c15150c39145621d33871370e
SHA512 e3ad088af06430ccdaef1c8b1c51978fb28939c89f19ad54036517f287e78621aace2f225ddbcc406c317e8945caecc88dab51a20c1b80e4a866f47128d54925

memory/2496-454-0x0000000000400000-0x000000000047A000-memory.dmp

memory/692-455-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2784-456-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AMksUMQI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\NIQsUwko.bat

MD5 bd2093115aaefd6f679b01cb86528095
SHA1 f392496c103729efb7716899b66975f9a1241451
SHA256 c1a001c4c287ff0833c63104e5ffaf0d72e477aa878012dfeb0dd89862212b34
SHA512 9cb94214bba01b0535169cf024d42e30c61ba659f2f3cf9385b008847bb9ea90c973326e391828ac382fb1c80018a3ea0b0d880155292aeab97c8847be58eff3

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\TeYkMIEM.bat

MD5 aa826646b03c15b22ae3749fb0a85cc0
SHA1 62bf01637893e968d5d4e4d398c93f23428d8ab3
SHA256 82dc65e0f9ce0d2ec898450563d70f65dc26f9c262fda7127a4d78843a772c5f
SHA512 14288b9ed059b4d8a6ebecd96f0d7e0473d6c41cefb7514d666afecd7641391157f14c09ca9a95f07eb6f3da7ffbf21e04f975b4131ee0d66e2b5726fd98ddef

C:\Users\Admin\AppData\Local\Temp\FoEEogoQ.bat

MD5 1245a2529053ae63ed3026fce9dbe8ed
SHA1 fe3ae318465c95d0bf31ea20e4e18b749a18fa4d
SHA256 0e114f089f47feb5fddb1ddef0ed51b9aaad2538c521eaa70983fad54e84c4f3
SHA512 1fb8f57e6bf07595186e36ae32f478f8ed40810ae4bf4bc9fe6ed9a78fe569a8b11ac90f86c1fe050d0268134e91a31c5390c055b6674f6f29170c3380767b63

C:\Users\Admin\AppData\Local\Temp\RcES.exe

MD5 ea259e9823b1de4be766d71a01bbf7f1
SHA1 c44cdfbb6778d977726eed96580f19879ac5bbd4
SHA256 63653511bdff4c3126714ce81005a6a97d1432339cfba7d894101a686bb50628
SHA512 6d8b67bc2f3f9f736f2718a41f516a7ff3528a1130f02d9f64e639c9a1904a65d4f58ad7082457c7a7fbeb100a072753b0dd72c6c06f26311c1ccffb6d226cef

C:\Users\Admin\AppData\Local\Temp\ZMoQ.exe

MD5 e277563d3ae121a8b38c6947740b31ec
SHA1 7dc11cbae01815e8ce65c8d3d29a1eebeedbcbfc
SHA256 d1e6e57feee08344920c6892d368c901cf176fee1be1aa13bad42a2d3f635b87
SHA512 7dec9b3c5fbe67e019066c9b05ce1feb076b0a8ff7ea53f4860073c7309a28b299128f6a589c78c63d9fcb9ad145da1e39e4f089e7655eae4062596090761fbd

C:\Users\Admin\AppData\Local\Temp\xKEkgkUs.bat

MD5 595648218fbf2fe0d6aadf433852cc3b
SHA1 900c5391233f906ae4d56635cee4b53f24e32888
SHA256 621f5deda020a9d607c5348c5cb7db4d4563111ad1ead001b089c7e124447ecf
SHA512 3543159cd3635274064f357eb46a48774137b26489b2c6cce11d6d1b828eab8f2236ba27ea2a63adaeabe41286f52fb7c0fcfcc720a7cfb99f0fb2c8a4834079

C:\Users\Admin\AppData\Local\Temp\FwsQEkUs.bat

MD5 dbc647eee41820dd67754b690107bef4
SHA1 00b11fc567a4b8f8b20578fd41698c803ed89838
SHA256 88f5dca316916dbe89d7942ec119adb6ddcb9d5c0a76f037523ee089711e6718
SHA512 f4aac470ff138c48257cc6db0058e44a2aa6750618b13caf81f275eeb9a8297c8c6a82705716561417123eed32ee30924274434df8bc6ca9e0ea8f06eb430652

C:\Users\Admin\AppData\Local\Temp\XEIoIgwg.bat

MD5 3089e144b42199d89e263baadf8f6c56
SHA1 cbe83eb1e2c0f39b13201b592de5cf1d24bb4321
SHA256 028c3667a21e4f7182560d22a1a6cf1975b99132e232689ced79318e6813c17b
SHA512 24d225cf7705f6ae03d587dd270889edb1f852a07935a160ea6044b32477882b50c958767e517a0fdd7241cf74ae43c45c2e266a143f09512a64df5cf1b0ecb1

C:\Users\Admin\AppData\Local\Temp\BWgAYUsQ.bat

MD5 15fa449cdbb761c76e368a9329c9b0ae
SHA1 703e9413b1aba3853d091d8f6aa8536f824b30f9
SHA256 2ab206bc33ebf30c6fb2ba1945e826ddd8fce961c68a610b36be13b74aba013b
SHA512 fb8710704366e632f2f9fd160c001250cb0db28f762e2fa7b2a2311185214f476f7841a80ead388d2a173e1d36c918220b01a28cc0c93f7efaec6d96040b3fa4

C:\Users\Admin\AppData\Local\Temp\BeUUUgYc.bat

MD5 5d1170306bab93bbc7852e73002848d0
SHA1 67922d53e0e0fd4d2a0951587e17f22238216fac
SHA256 1d00d22c32de7a565cc72261de8de0941f2dbf982535ff558e6ebc9caae87651
SHA512 199f2f90e6568dc272b9d7e6eccd41cf12583485f33d850f18bbadd1ca72d94cdf0e2cdfccb489952dcd7d8bc2e5e8fb1214f56f1902a9e45db32d0b1ef4f456

C:\Users\Admin\AppData\Local\Temp\OYwAMgcQ.bat

MD5 211cd2e2be91312d39c2c59ca8841e5f
SHA1 8027003dcd8fbe1706915d08e79cad2a8e5754e9
SHA256 e182ac98f331197b042f7833501902ed1b3ab68fa51d747b8d03183897151ccb
SHA512 173e65db8bf904c9b6aacc39178582a0d2da045d24e497f9b9b459b20dd8c02133ffafbbe5c79bb250a7687a75ddf37989c839091b89fbdf965448e5fe3418b2

C:\Users\Admin\AppData\Local\Temp\lKgIIIQE.bat

MD5 32cda953950b1e2958e7d173eea7462d
SHA1 5ff9bd72dddaee8ccf6bc16d42e73fa1c76d4b89
SHA256 c25444d0b77bed94964729fa314049557bd6fd2971a792701c2a58ef960284e7
SHA512 cb71f8e62b4eb22450bd56fc5de20965fbb6521c7e72db5430a387964f7f3537fafcf87de82e97de6db0b1113529ec2f53ccd1ff563ade3a423239fab10f91ec

C:\Users\Admin\AppData\Local\Temp\LaMIQYoY.bat

MD5 1cea4e328a9c32585421312e94ec6e19
SHA1 cf1f814eb722dd02150df15efaaabd8a8c51df21
SHA256 0195444b0665af262a28263cd48889fe6e36bca3161cb053e1b1270362cb3bc3
SHA512 d434dad260b86bda8c1721f523a4e80d459373abd4edbf16d94e7fdab8eefb9ff7b507d4a4e328e32198363fe933ad3861e6f12ea0303752a610c0375fde4c14

C:\Users\Admin\AppData\Local\Temp\fEIAoEAE.bat

MD5 cbc782233ffbfdc2e2167a953bb40512
SHA1 53803bafc5d8b94cc96a2bd8944d297620869a4a
SHA256 60f0f80c04c5aa4aaa882d07faeaefc626795f3257c1138207b53c03e240ab8f
SHA512 30cd74ae9e70018ed3285c3754d2124844be554d7a072c98c0dac6f8952514bc5a07fcdf6d5b03f8da4882ba1a9bda5f863300162f6bc1e8fcd20cb90d33bc0a

C:\Users\Admin\AppData\Local\Temp\yqgccEIE.bat

MD5 a4851d0e7b6b3aa8aa2ab82590cf90f6
SHA1 9cd6cee8601b2bede481854b5fccecbe7368dbf2
SHA256 dadb9353b5da2baf6e23584814edb51685b83b58c431d84c312bd4cfc045af0d
SHA512 628be2b210a7c80c593085bb4d6e2111fb203ead03cb04f8bec31b32194b153d587f6006032fea5faaacfdf30c5199881e023483ff1c58494a5f52b184167a57

C:\Users\Admin\AppData\Local\Temp\DSUsccsk.bat

MD5 403f3255a9ed877362b4e9072e63a4c0
SHA1 e6df5f1a4fcc04bf9be70300078ebc186201e068
SHA256 8abcfa921e09ddd61d0760bec6e450a81f6a754a9bce70b02b440fbd4e9cefec
SHA512 4f3194dc8e32c891341b503ca9e363cd6b3eeed7d31bf076db3f3784fdade498ce17b8a3816968651b8ac9bc8bcf73857073c1ea3f5267073a0758dcf4ed2999

C:\Users\Admin\AppData\Local\Temp\dEcMsYQQ.bat

MD5 c79a6f121f1a5a48b69b9691739b0549
SHA1 3a56608ac989bcace9635ab244a4e362588177d0
SHA256 8f41daab3d78f9e298cfff2ed6876199828e1186f75227a414d1a6b6c844feda
SHA512 75da75bc9736dff5be7b82a5bf28aaca0a249ed61277455531e1e8d95304f6f801c42fe0637ff152c3cd2518e86d7528b881090c2ee407e5c8f40bed7460bf62

C:\Users\Admin\AppData\Local\Temp\ciskEwsg.bat

MD5 ce2030d646156f50c45f308aed671cef
SHA1 ff43fa1c06f14c08941c6c98401dd899dd8fb46c
SHA256 f00aab7065690a1847778f82b8abca803649eb51c3afa09dfc922fd3b16d671d
SHA512 8c9ff63447bae8db8840f63411fe71951a7f9fc66d424f385d006a2c183a85cac6792402cfd2fcef9e2566c49d1a26acc9e900688c3c7aa8ed1e18d099f41107

C:\Users\Admin\AppData\Local\Temp\MCQkQEYQ.bat

MD5 d754f8c8e93800c22f289287ff473c0c
SHA1 b9dc3000c34df263a962b4baae8b1e0c698da214
SHA256 6f2c668c0d58ce20b1f6c54a7faf8f9414b5c56b542da30aa544409f997e8318
SHA512 4e8de51640d18178fd78c159ee3c66d503c69aaa44e3ee3eb767b993c93753c960e6c045753f1986bd5b1dc2bff1957a3f01b9abf8fe8930c05e8dd10e0945ba

C:\Users\Admin\AppData\Local\Temp\qeAAwMMk.bat

MD5 bdf78c8be39b7e9f2740fd60810953bf
SHA1 6576790e0cf6672e35c9ceb4ffe16ef9ef4cb058
SHA256 f5e2c24a3f3f3967c6f4df5539bcb6c4cffe25241d1cacd45ac78e1329bfb6df
SHA512 f4f44eae8f6b60dfd61ec36162f6789333103abead8d74d93cacfdc7c129f95029c955cb4439e475180efb9f29238297fd2809ef4a94580bbc905c4918cc058d

C:\Users\Admin\AppData\Local\Temp\vIkQ.exe

MD5 d703b197310f5eee5907b1f483ea3348
SHA1 316990351ad6436c8750b1bda5c667869e14c858
SHA256 7b3bfe07c660efc6421fe9379140e7d4dc00fbc09ff66c341ee60f0c2ef1aacc
SHA512 86433179bbf4f616236a686d7f2ad8deb110d5a599530af6e45121a2f04ea2e7f1e0451e20b891ad1abcf0f14388565147a57649f590b657b562519ebd44489e