Malware Analysis Report

2025-01-03 09:24

Sample ID 240620-rgvm8swbql
Target 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118
SHA256 03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149
Tags
bootkit evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149

Threat Level: Known bad

The file 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

bootkit evasion persistence

Modifies security service

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:10

Reported

2024-06-20 14:12

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\iqlvu.com N/A
N/A N/A C:\Windows\SysWOW64\mktvt.com N/A
N/A N/A C:\Windows\SysWOW64\euhvs.com N/A
N/A N/A C:\Windows\SysWOW64\pqifi.com N/A
N/A N/A C:\Windows\SysWOW64\cgdir.com N/A
N/A N/A C:\Windows\SysWOW64\jwyad.com N/A
N/A N/A C:\Windows\SysWOW64\qhxfa.com N/A
N/A N/A C:\Windows\SysWOW64\bdqyh.com N/A
N/A N/A C:\Windows\SysWOW64\qljgo.com N/A
N/A N/A C:\Windows\SysWOW64\avyik.com N/A
N/A N/A C:\Windows\SysWOW64\idmiw.com N/A
N/A N/A C:\Windows\SysWOW64\xxjvf.com N/A
N/A N/A C:\Windows\SysWOW64\zklya.com N/A
N/A N/A C:\Windows\SysWOW64\uybij.com N/A
N/A N/A C:\Windows\SysWOW64\uclvt.com N/A
N/A N/A C:\Windows\SysWOW64\jniic.com N/A
N/A N/A C:\Windows\SysWOW64\wiryi.com N/A
N/A N/A C:\Windows\SysWOW64\glhiv.com N/A
N/A N/A C:\Windows\SysWOW64\tbjlm.com N/A
N/A N/A C:\Windows\SysWOW64\gaeou.com N/A
N/A N/A C:\Windows\SysWOW64\poflk.com N/A
N/A N/A C:\Windows\SysWOW64\dbobq.com N/A
N/A N/A C:\Windows\SysWOW64\kmvgn.com N/A
N/A N/A C:\Windows\SysWOW64\zchou.com N/A
N/A N/A C:\Windows\SysWOW64\msbrd.com N/A
N/A N/A C:\Windows\SysWOW64\wdrbq.com N/A
N/A N/A C:\Windows\SysWOW64\juuez.com N/A
N/A N/A C:\Windows\SysWOW64\wwalk.com N/A
N/A N/A C:\Windows\SysWOW64\grbea.com N/A
N/A N/A C:\Windows\SysWOW64\txkyo.com N/A
N/A N/A C:\Windows\SysWOW64\gnnbw.com N/A
N/A N/A C:\Windows\SysWOW64\sptri.com N/A
N/A N/A C:\Windows\SysWOW64\coxos.com N/A
N/A N/A C:\Windows\SysWOW64\pfsrj.com N/A
N/A N/A C:\Windows\SysWOW64\cduur.com N/A
N/A N/A C:\Windows\SysWOW64\mczrc.com N/A
N/A N/A C:\Windows\SysWOW64\wblom.com N/A
N/A N/A C:\Windows\SysWOW64\mrwwt.com N/A
N/A N/A C:\Windows\SysWOW64\wumho.com N/A
N/A N/A C:\Windows\SysWOW64\gebrb.com N/A
N/A N/A C:\Windows\SysWOW64\trthh.com N/A
N/A N/A C:\Windows\SysWOW64\ginkq.com N/A
N/A N/A C:\Windows\SysWOW64\qpzha.com N/A
N/A N/A C:\Windows\SysWOW64\avswy.com N/A
N/A N/A C:\Windows\SysWOW64\kcecj.com N/A
N/A N/A C:\Windows\SysWOW64\xtzer.com N/A
N/A N/A C:\Windows\SysWOW64\hslck.com N/A
N/A N/A C:\Windows\SysWOW64\uurkv.com N/A
N/A N/A C:\Windows\SysWOW64\hkmme.com N/A
N/A N/A C:\Windows\SysWOW64\uxeck.com N/A
N/A N/A C:\Windows\SysWOW64\dlwza.com N/A
N/A N/A C:\Windows\SysWOW64\qkzci.com N/A
N/A N/A C:\Windows\SysWOW64\defsc.com N/A
N/A N/A C:\Windows\SysWOW64\nljpm.com N/A
N/A N/A C:\Windows\SysWOW64\acmsv.com N/A
N/A N/A C:\Windows\SysWOW64\npwha.com N/A
N/A N/A C:\Windows\SysWOW64\xdwfr.com N/A
N/A N/A C:\Windows\SysWOW64\ktrih.com N/A
N/A N/A C:\Windows\SysWOW64\xgjxn.com N/A
N/A N/A C:\Windows\SysWOW64\hryia.com N/A
N/A N/A C:\Windows\SysWOW64\uhbkj.com N/A
N/A N/A C:\Windows\SysWOW64\yjhsu.com N/A
N/A N/A C:\Windows\SysWOW64\imwcp.com N/A
N/A N/A C:\Windows\SysWOW64\yywxl.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\iqlvu.com N/A
N/A N/A C:\Windows\SysWOW64\iqlvu.com N/A
N/A N/A C:\Windows\SysWOW64\mktvt.com N/A
N/A N/A C:\Windows\SysWOW64\mktvt.com N/A
N/A N/A C:\Windows\SysWOW64\euhvs.com N/A
N/A N/A C:\Windows\SysWOW64\euhvs.com N/A
N/A N/A C:\Windows\SysWOW64\pqifi.com N/A
N/A N/A C:\Windows\SysWOW64\pqifi.com N/A
N/A N/A C:\Windows\SysWOW64\cgdir.com N/A
N/A N/A C:\Windows\SysWOW64\cgdir.com N/A
N/A N/A C:\Windows\SysWOW64\jwyad.com N/A
N/A N/A C:\Windows\SysWOW64\jwyad.com N/A
N/A N/A C:\Windows\SysWOW64\qhxfa.com N/A
N/A N/A C:\Windows\SysWOW64\qhxfa.com N/A
N/A N/A C:\Windows\SysWOW64\bdqyh.com N/A
N/A N/A C:\Windows\SysWOW64\bdqyh.com N/A
N/A N/A C:\Windows\SysWOW64\qljgo.com N/A
N/A N/A C:\Windows\SysWOW64\qljgo.com N/A
N/A N/A C:\Windows\SysWOW64\avyik.com N/A
N/A N/A C:\Windows\SysWOW64\avyik.com N/A
N/A N/A C:\Windows\SysWOW64\idmiw.com N/A
N/A N/A C:\Windows\SysWOW64\idmiw.com N/A
N/A N/A C:\Windows\SysWOW64\xxjvf.com N/A
N/A N/A C:\Windows\SysWOW64\xxjvf.com N/A
N/A N/A C:\Windows\SysWOW64\zklya.com N/A
N/A N/A C:\Windows\SysWOW64\zklya.com N/A
N/A N/A C:\Windows\SysWOW64\uybij.com N/A
N/A N/A C:\Windows\SysWOW64\uybij.com N/A
N/A N/A C:\Windows\SysWOW64\uclvt.com N/A
N/A N/A C:\Windows\SysWOW64\uclvt.com N/A
N/A N/A C:\Windows\SysWOW64\jniic.com N/A
N/A N/A C:\Windows\SysWOW64\jniic.com N/A
N/A N/A C:\Windows\SysWOW64\wiryi.com N/A
N/A N/A C:\Windows\SysWOW64\wiryi.com N/A
N/A N/A C:\Windows\SysWOW64\glhiv.com N/A
N/A N/A C:\Windows\SysWOW64\glhiv.com N/A
N/A N/A C:\Windows\SysWOW64\tbjlm.com N/A
N/A N/A C:\Windows\SysWOW64\tbjlm.com N/A
N/A N/A C:\Windows\SysWOW64\gaeou.com N/A
N/A N/A C:\Windows\SysWOW64\gaeou.com N/A
N/A N/A C:\Windows\SysWOW64\poflk.com N/A
N/A N/A C:\Windows\SysWOW64\poflk.com N/A
N/A N/A C:\Windows\SysWOW64\dbobq.com N/A
N/A N/A C:\Windows\SysWOW64\dbobq.com N/A
N/A N/A C:\Windows\SysWOW64\kmvgn.com N/A
N/A N/A C:\Windows\SysWOW64\kmvgn.com N/A
N/A N/A C:\Windows\SysWOW64\zchou.com N/A
N/A N/A C:\Windows\SysWOW64\zchou.com N/A
N/A N/A C:\Windows\SysWOW64\msbrd.com N/A
N/A N/A C:\Windows\SysWOW64\msbrd.com N/A
N/A N/A C:\Windows\SysWOW64\wdrbq.com N/A
N/A N/A C:\Windows\SysWOW64\wdrbq.com N/A
N/A N/A C:\Windows\SysWOW64\juuez.com N/A
N/A N/A C:\Windows\SysWOW64\juuez.com N/A
N/A N/A C:\Windows\SysWOW64\wwalk.com N/A
N/A N/A C:\Windows\SysWOW64\wwalk.com N/A
N/A N/A C:\Windows\SysWOW64\grbea.com N/A
N/A N/A C:\Windows\SysWOW64\grbea.com N/A
N/A N/A C:\Windows\SysWOW64\txkyo.com N/A
N/A N/A C:\Windows\SysWOW64\txkyo.com N/A
N/A N/A C:\Windows\SysWOW64\gnnbw.com N/A
N/A N/A C:\Windows\SysWOW64\gnnbw.com N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\aambo.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\qljgo.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cvzaq.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rrfsv.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\nhldu.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\oojlq.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\glhiv.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\pfsrj.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\uclvt.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\etalv.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\emfhe.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rzwib.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\zkfvo.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\vjmlo.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\iwbeq.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\wumho.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\mcafr.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\gbzuc.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cdgjx.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\zewtm.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\iiduf.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\mktvt.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\coxos.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\bolfn.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\lrfwg.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\qpzha.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\idofp.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\nhevn.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\wzshu.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\twudz.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\vqmix.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\usouf.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\yzuhe.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ruhpm.com N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A
File opened for modification \??\PhysicalDrive0 N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ktrih.com C:\Windows\SysWOW64\xdwfr.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\eagmz.com N/A
File opened for modification C:\Windows\SysWOW64\waayo.com N/A N/A
File created C:\Windows\SysWOW64\rcoob.com N/A N/A
File opened for modification C:\Windows\SysWOW64\yieck.com C:\Windows\SysWOW64\lrbzc.com N/A
File opened for modification C:\Windows\SysWOW64\fxtrt.com C:\Windows\SysWOW64\vqhtb.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File created C:\Windows\SysWOW64\blgue.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\rkhck.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File opened for modification C:\Windows\SysWOW64\nuefk.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File opened for modification C:\Windows\SysWOW64\clnux.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File created C:\Windows\SysWOW64\avyik.com C:\Windows\SysWOW64\qljgo.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\ylmtc.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\otujo.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File created C:\Windows\SysWOW64\gbole.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File opened for modification C:\Windows\SysWOW64\ebqza.com N/A N/A
File opened for modification C:\Windows\SysWOW64\eegay.com C:\Windows\SysWOW64\rolxp.com N/A
File created C:\Windows\SysWOW64\vbgsw.com C:\Windows\SysWOW64\izsll.com N/A
File created C:\Windows\SysWOW64\jqvbx.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File created C:\Windows\SysWOW64\ndjpy.com N/A N/A
File opened for modification C:\Windows\SysWOW64\tscnq.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File created C:\Windows\SysWOW64\cknqm.com C:\Windows\SysWOW64\siyfr.com N/A
File opened for modification C:\Windows\SysWOW64\nafnh.com C:\Windows\SysWOW64\ayzxw.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\vjopg.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\ospfz.com N/A
File created C:\Windows\SysWOW64\rgyuz.com C:\Windows\SysWOW64\epdrq.com N/A
File opened for modification C:\Windows\SysWOW64\cpsrp.com N/A N/A
File opened for modification C:\Windows\SysWOW64\igxst.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File opened for modification C:\Windows\SysWOW64\onmbc.com N/A N/A
File opened for modification C:\Windows\SysWOW64\ayohg.com N/A N/A
File opened for modification C:\Windows\SysWOW64\tvigl.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File opened for modification C:\Windows\SysWOW64\fjubz.com N/A N/A
File opened for modification C:\Windows\SysWOW64\klrch.com C:\Windows\SysWOW64\xjlmv.com N/A
File opened for modification C:\Windows\SysWOW64\lcmcl.com C:\Windows\SysWOW64\bolfn.com N/A
File created C:\Windows\SysWOW64\dbosz.com C:\Windows\SysWOW64\uvnuj.com N/A
File created C:\Windows\SysWOW64\lrfwg.com C:\Windows\SysWOW64\zlnbs.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File created C:\Windows\SysWOW64\agdpw.com N/A N/A
File created C:\Windows\SysWOW64\ndrni.com N/A N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\iqlvu.com N/A
File opened for modification C:\Windows\SysWOW64\vqmix.com C:\Windows\SysWOW64\jsrop.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A
File created C:\Windows\SysWOW64\nnbco.com N/A N/A
File opened for modification C:\Windows\SysWOW64\uptnq.com N/A N/A
File created C:\Windows\SysWOW64\aambo.com C:\Windows\SysWOW64\nygtc.com N/A
File opened for modification C:\Windows\SysWOW64\cwwlj.com N/A N/A
File opened for modification C:\Windows\SysWOW64\ymprl.com C:\Windows\SysWOW64\lwuoc.com N/A
File created C:\Windows\SysWOW64\vjopg.com C:\Windows\SysWOW64\kkksw.com N/A
File opened for modification C:\Windows\SysWOW64\sldxk.com N/A N/A
File opened for modification C:\Windows\SysWOW64\tfffj.com N/A N/A
File opened for modification C:\Windows\SysWOW64\qbttf.com C:\Windows\SysWOW64\ddyqw.com N/A
File created C:\Windows\SysWOW64\fejwl.com C:\Windows\SysWOW64\snotc.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini N/A N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2644 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2644 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2644 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2352 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\iqlvu.com
PID 2352 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\iqlvu.com
PID 2352 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\iqlvu.com
PID 2352 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\iqlvu.com
PID 2700 wrote to memory of 2896 N/A C:\Windows\SysWOW64\iqlvu.com C:\Windows\SysWOW64\mktvt.com
PID 2700 wrote to memory of 2896 N/A C:\Windows\SysWOW64\iqlvu.com C:\Windows\SysWOW64\mktvt.com
PID 2700 wrote to memory of 2896 N/A C:\Windows\SysWOW64\iqlvu.com C:\Windows\SysWOW64\mktvt.com
PID 2700 wrote to memory of 2896 N/A C:\Windows\SysWOW64\iqlvu.com C:\Windows\SysWOW64\mktvt.com
PID 2896 wrote to memory of 548 N/A C:\Windows\SysWOW64\mktvt.com C:\Windows\SysWOW64\euhvs.com
PID 2896 wrote to memory of 548 N/A C:\Windows\SysWOW64\mktvt.com C:\Windows\SysWOW64\euhvs.com
PID 2896 wrote to memory of 548 N/A C:\Windows\SysWOW64\mktvt.com C:\Windows\SysWOW64\euhvs.com
PID 2896 wrote to memory of 548 N/A C:\Windows\SysWOW64\mktvt.com C:\Windows\SysWOW64\euhvs.com
PID 548 wrote to memory of 596 N/A C:\Windows\SysWOW64\euhvs.com C:\Windows\SysWOW64\pqifi.com
PID 548 wrote to memory of 596 N/A C:\Windows\SysWOW64\euhvs.com C:\Windows\SysWOW64\pqifi.com
PID 548 wrote to memory of 596 N/A C:\Windows\SysWOW64\euhvs.com C:\Windows\SysWOW64\pqifi.com
PID 548 wrote to memory of 596 N/A C:\Windows\SysWOW64\euhvs.com C:\Windows\SysWOW64\pqifi.com
PID 596 wrote to memory of 1624 N/A C:\Windows\SysWOW64\pqifi.com C:\Windows\SysWOW64\cgdir.com
PID 596 wrote to memory of 1624 N/A C:\Windows\SysWOW64\pqifi.com C:\Windows\SysWOW64\cgdir.com
PID 596 wrote to memory of 1624 N/A C:\Windows\SysWOW64\pqifi.com C:\Windows\SysWOW64\cgdir.com
PID 596 wrote to memory of 1624 N/A C:\Windows\SysWOW64\pqifi.com C:\Windows\SysWOW64\cgdir.com
PID 1624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cgdir.com C:\Windows\SysWOW64\jwyad.com
PID 1624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cgdir.com C:\Windows\SysWOW64\jwyad.com
PID 1624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cgdir.com C:\Windows\SysWOW64\jwyad.com
PID 1624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cgdir.com C:\Windows\SysWOW64\jwyad.com
PID 2952 wrote to memory of 2032 N/A C:\Windows\SysWOW64\jwyad.com C:\Windows\SysWOW64\qhxfa.com
PID 2952 wrote to memory of 2032 N/A C:\Windows\SysWOW64\jwyad.com C:\Windows\SysWOW64\qhxfa.com
PID 2952 wrote to memory of 2032 N/A C:\Windows\SysWOW64\jwyad.com C:\Windows\SysWOW64\qhxfa.com
PID 2952 wrote to memory of 2032 N/A C:\Windows\SysWOW64\jwyad.com C:\Windows\SysWOW64\qhxfa.com
PID 2032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\qhxfa.com C:\Windows\SysWOW64\bdqyh.com
PID 2032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\qhxfa.com C:\Windows\SysWOW64\bdqyh.com
PID 2032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\qhxfa.com C:\Windows\SysWOW64\bdqyh.com
PID 2032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\qhxfa.com C:\Windows\SysWOW64\bdqyh.com
PID 2456 wrote to memory of 1560 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1560 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1560 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1560 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1560 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1560 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1560 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2456 wrote to memory of 2652 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\qljgo.com
PID 2456 wrote to memory of 2652 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\qljgo.com
PID 2456 wrote to memory of 2652 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\qljgo.com
PID 2456 wrote to memory of 2652 N/A C:\Windows\SysWOW64\bdqyh.com C:\Windows\SysWOW64\qljgo.com
PID 2652 wrote to memory of 2560 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2560 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2560 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2560 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2560 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2560 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2560 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2652 wrote to memory of 1760 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\avyik.com
PID 2652 wrote to memory of 1760 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\avyik.com
PID 2652 wrote to memory of 1760 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\avyik.com
PID 2652 wrote to memory of 1760 N/A C:\Windows\SysWOW64\qljgo.com C:\Windows\SysWOW64\avyik.com

Processes

C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iqlvu.com

C:\Windows\system32\iqlvu.com 524 "C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"

C:\Windows\SysWOW64\mktvt.com

C:\Windows\system32\mktvt.com 552 "C:\Windows\SysWOW64\iqlvu.com"

C:\Windows\SysWOW64\euhvs.com

C:\Windows\system32\euhvs.com 564 "C:\Windows\SysWOW64\mktvt.com"

C:\Windows\SysWOW64\pqifi.com

C:\Windows\system32\pqifi.com 568 "C:\Windows\SysWOW64\euhvs.com"

C:\Windows\SysWOW64\cgdir.com

C:\Windows\system32\cgdir.com 556 "C:\Windows\SysWOW64\pqifi.com"

C:\Windows\SysWOW64\jwyad.com

C:\Windows\system32\jwyad.com 572 "C:\Windows\SysWOW64\cgdir.com"

C:\Windows\SysWOW64\qhxfa.com

C:\Windows\system32\qhxfa.com 560 "C:\Windows\SysWOW64\jwyad.com"

C:\Windows\SysWOW64\bdqyh.com

C:\Windows\system32\bdqyh.com 576 "C:\Windows\SysWOW64\qhxfa.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qljgo.com

C:\Windows\system32\qljgo.com 588 "C:\Windows\SysWOW64\bdqyh.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\avyik.com

C:\Windows\system32\avyik.com 592 "C:\Windows\SysWOW64\qljgo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\idmiw.com

C:\Windows\system32\idmiw.com 600 "C:\Windows\SysWOW64\avyik.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xxjvf.com

C:\Windows\system32\xxjvf.com 596 "C:\Windows\SysWOW64\idmiw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zklya.com

C:\Windows\system32\zklya.com 492 "C:\Windows\SysWOW64\xxjvf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uybij.com

C:\Windows\system32\uybij.com 608 "C:\Windows\SysWOW64\zklya.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uclvt.com

C:\Windows\system32\uclvt.com 584 "C:\Windows\SysWOW64\uybij.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jniic.com

C:\Windows\system32\jniic.com 616 "C:\Windows\SysWOW64\uclvt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wiryi.com

C:\Windows\system32\wiryi.com 624 "C:\Windows\SysWOW64\jniic.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\glhiv.com

C:\Windows\system32\glhiv.com 628 "C:\Windows\SysWOW64\wiryi.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\tbjlm.com

C:\Windows\system32\tbjlm.com 620 "C:\Windows\SysWOW64\glhiv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gaeou.com

C:\Windows\system32\gaeou.com 632 "C:\Windows\SysWOW64\tbjlm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\poflk.com

C:\Windows\system32\poflk.com 644 "C:\Windows\SysWOW64\gaeou.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dbobq.com

C:\Windows\system32\dbobq.com 636 "C:\Windows\SysWOW64\poflk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kmvgn.com

C:\Windows\system32\kmvgn.com 640 "C:\Windows\SysWOW64\dbobq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zchou.com

C:\Windows\system32\zchou.com 652 "C:\Windows\SysWOW64\kmvgn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msbrd.com

C:\Windows\system32\msbrd.com 660 "C:\Windows\SysWOW64\zchou.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wdrbq.com

C:\Windows\system32\wdrbq.com 648 "C:\Windows\SysWOW64\msbrd.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\juuez.com

C:\Windows\system32\juuez.com 656 "C:\Windows\SysWOW64\wdrbq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wwalk.com

C:\Windows\system32\wwalk.com 668 "C:\Windows\SysWOW64\juuez.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\grbea.com

C:\Windows\system32\grbea.com 604 "C:\Windows\SysWOW64\wwalk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\txkyo.com

C:\Windows\system32\txkyo.com 672 "C:\Windows\SysWOW64\grbea.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gnnbw.com

C:\Windows\system32\gnnbw.com 680 "C:\Windows\SysWOW64\txkyo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\sptri.com

C:\Windows\system32\sptri.com 676 "C:\Windows\SysWOW64\gnnbw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\coxos.com

C:\Windows\system32\coxos.com 688 "C:\Windows\SysWOW64\sptri.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\pfsrj.com

C:\Windows\system32\pfsrj.com 692 "C:\Windows\SysWOW64\coxos.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cduur.com

C:\Windows\system32\cduur.com 684 "C:\Windows\SysWOW64\pfsrj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mczrc.com

C:\Windows\system32\mczrc.com 696 "C:\Windows\SysWOW64\cduur.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wblom.com

C:\Windows\system32\wblom.com 700 "C:\Windows\SysWOW64\mczrc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mrwwt.com

C:\Windows\system32\mrwwt.com 704 "C:\Windows\SysWOW64\wblom.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wumho.com

C:\Windows\system32\wumho.com 712 "C:\Windows\SysWOW64\mrwwt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gebrb.com

C:\Windows\system32\gebrb.com 716 "C:\Windows\SysWOW64\wumho.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\trthh.com

C:\Windows\system32\trthh.com 720 "C:\Windows\SysWOW64\gebrb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ginkq.com

C:\Windows\system32\ginkq.com 724 "C:\Windows\SysWOW64\trthh.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qpzha.com

C:\Windows\system32\qpzha.com 708 "C:\Windows\SysWOW64\ginkq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\avswy.com

C:\Windows\system32\avswy.com 728 "C:\Windows\SysWOW64\qpzha.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kcecj.com

C:\Windows\system32\kcecj.com 732 "C:\Windows\SysWOW64\avswy.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xtzer.com

C:\Windows\system32\xtzer.com 744 "C:\Windows\SysWOW64\kcecj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hslck.com

C:\Windows\system32\hslck.com 740 "C:\Windows\SysWOW64\xtzer.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uurkv.com

C:\Windows\system32\uurkv.com 748 "C:\Windows\SysWOW64\hslck.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hkmme.com

C:\Windows\system32\hkmme.com 736 "C:\Windows\SysWOW64\uurkv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uxeck.com

C:\Windows\system32\uxeck.com 752 "C:\Windows\SysWOW64\hkmme.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dlwza.com

C:\Windows\system32\dlwza.com 756 "C:\Windows\SysWOW64\uxeck.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qkzci.com

C:\Windows\system32\qkzci.com 764 "C:\Windows\SysWOW64\dlwza.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\defsc.com

C:\Windows\system32\defsc.com 760 "C:\Windows\SysWOW64\qkzci.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nljpm.com

C:\Windows\system32\nljpm.com 768 "C:\Windows\SysWOW64\defsc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\acmsv.com

C:\Windows\system32\acmsv.com 776 "C:\Windows\SysWOW64\nljpm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\npwha.com

C:\Windows\system32\npwha.com 772 "C:\Windows\SysWOW64\acmsv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xdwfr.com

C:\Windows\system32\xdwfr.com 780 "C:\Windows\SysWOW64\npwha.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ktrih.com

C:\Windows\system32\ktrih.com 788 "C:\Windows\SysWOW64\xdwfr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xgjxn.com

C:\Windows\system32\xgjxn.com 784 "C:\Windows\SysWOW64\ktrih.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hryia.com

C:\Windows\system32\hryia.com 792 "C:\Windows\SysWOW64\xgjxn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uhbkj.com

C:\Windows\system32\uhbkj.com 800 "C:\Windows\SysWOW64\hryia.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yjhsu.com

C:\Windows\system32\yjhsu.com 796 "C:\Windows\SysWOW64\uhbkj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\imwcp.com

C:\Windows\system32\imwcp.com 804 "C:\Windows\SysWOW64\yjhsu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yywxl.com

C:\Windows\system32\yywxl.com 812 "C:\Windows\SysWOW64\imwcp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ixjve.com

C:\Windows\system32\ixjve.com 816 "C:\Windows\SysWOW64\yywxl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\siyfr.com

C:\Windows\system32\siyfr.com 808 "C:\Windows\SysWOW64\ixjve.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cknqm.com

C:\Windows\system32\cknqm.com 820 "C:\Windows\SysWOW64\siyfr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\pbisv.com

C:\Windows\system32\pbisv.com 828 "C:\Windows\SysWOW64\cknqm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cwaib.com

C:\Windows\system32\cwaib.com 832 "C:\Windows\SysWOW64\pbisv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mcafr.com

C:\Windows\system32\mcafr.com 824 "C:\Windows\SysWOW64\cwaib.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wjedj.com

C:\Windows\system32\wjedj.com 840 "C:\Windows\SysWOW64\mcafr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mrqli.com

C:\Windows\system32\mrqli.com 844 "C:\Windows\SysWOW64\wjedj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zqtnq.com

C:\Windows\system32\zqtnq.com 848 "C:\Windows\SysWOW64\mrqli.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lkzvk.com

C:\Windows\system32\lkzvk.com 852 "C:\Windows\SysWOW64\zqtnq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vrdtu.com

C:\Windows\system32\vrdtu.com 856 "C:\Windows\SysWOW64\lkzvk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iljig.com

C:\Windows\system32\iljig.com 836 "C:\Windows\SysWOW64\vrdtu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vjmlo.com

C:\Windows\system32\vjmlo.com 864 "C:\Windows\SysWOW64\iljig.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iahox.com

C:\Windows\system32\iahox.com 868 "C:\Windows\SysWOW64\vjmlo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vqbqg.com

C:\Windows\system32\vqbqg.com 860 "C:\Windows\SysWOW64\iahox.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hshgz.com

C:\Windows\system32\hshgz.com 876 "C:\Windows\SysWOW64\vqbqg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\srudj.com

C:\Windows\system32\srudj.com 880 "C:\Windows\SysWOW64\hshgz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\etalv.com

C:\Windows\system32\etalv.com 872 "C:\Windows\SysWOW64\srudj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rkuod.com

C:\Windows\system32\rkuod.com 884 "C:\Windows\SysWOW64\etalv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eixqm.com

C:\Windows\system32\eixqm.com 888 "C:\Windows\SysWOW64\rkuod.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\owqok.com

C:\Windows\system32\owqok.com 892 "C:\Windows\SysWOW64\eixqm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bntqt.com

C:\Windows\system32\bntqt.com 896 "C:\Windows\SysWOW64\owqok.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oacgy.com

C:\Windows\system32\oacgy.com 900 "C:\Windows\SysWOW64\bntqt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xodeo.com

C:\Windows\system32\xodeo.com 904 "C:\Windows\SysWOW64\oacgy.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lbutu.com

C:\Windows\system32\lbutu.com 912 "C:\Windows\SysWOW64\xodeo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vlkep.com

C:\Windows\system32\vlkep.com 908 "C:\Windows\SysWOW64\lbutu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iybtv.com

C:\Windows\system32\iybtv.com 920 "C:\Windows\SysWOW64\vlkep.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\sbrej.com

C:\Windows\system32\sbrej.com 924 "C:\Windows\SysWOW64\iybtv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\edxtu.com

C:\Windows\system32\edxtu.com 916 "C:\Windows\SysWOW64\sbrej.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ruswd.com

C:\Windows\system32\ruswd.com 932 "C:\Windows\SysWOW64\edxtu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\behyy.com

C:\Windows\system32\behyy.com 940 "C:\Windows\SysWOW64\ruswd.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\orzwe.com

C:\Windows\system32\orzwe.com 936 "C:\Windows\SysWOW64\behyy.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\btfep.com

C:\Windows\system32\btfep.com 944 "C:\Windows\SysWOW64\orzwe.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lwuoc.com

C:\Windows\system32\lwuoc.com 928 "C:\Windows\SysWOW64\btfep.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ymprl.com

C:\Windows\system32\ymprl.com 948 "C:\Windows\SysWOW64\lwuoc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kovhe.com

C:\Windows\system32\kovhe.com 956 "C:\Windows\SysWOW64\ymprl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ybmwk.com

C:\Windows\system32\ybmwk.com 952 "C:\Windows\SysWOW64\kovhe.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kdsmv.com

C:\Windows\system32\kdsmv.com 964 "C:\Windows\SysWOW64\ybmwk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xunpe.com

C:\Windows\system32\xunpe.com 960 "C:\Windows\SysWOW64\kdsmv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ksqjn.com

C:\Windows\system32\ksqjn.com 968 "C:\Windows\SysWOW64\xunpe.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xjlmv.com

C:\Windows\system32\xjlmv.com 976 "C:\Windows\SysWOW64\ksqjn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\klrch.com

C:\Windows\system32\klrch.com 972 "C:\Windows\SysWOW64\xjlmv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ukdzr.com

C:\Windows\system32\ukdzr.com 980 "C:\Windows\SysWOW64\klrch.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gmjpl.com

C:\Windows\system32\gmjpl.com 984 "C:\Windows\SysWOW64\ukdzr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\tcert.com

C:\Windows\system32\tcert.com 988 "C:\Windows\SysWOW64\gmjpl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gbzuc.com

C:\Windows\system32\gbzuc.com 992 "C:\Windows\SysWOW64\tcert.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\idofp.com

C:\Windows\system32\idofp.com 996 "C:\Windows\SysWOW64\gbzuc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vfcma.com

C:\Windows\system32\vfcma.com 1000 "C:\Windows\SysWOW64\idofp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hzicm.com

C:\Windows\system32\hzicm.com 1004 "C:\Windows\SysWOW64\vfcma.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uydfc.com

C:\Windows\system32\uydfc.com 1012 "C:\Windows\SysWOW64\hzicm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ilnui.com

C:\Windows\system32\ilnui.com 1008 "C:\Windows\SysWOW64\uydfc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rznsy.com

C:\Windows\system32\rznsy.com 1016 "C:\Windows\SysWOW64\ilnui.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\emfhe.com

C:\Windows\system32\emfhe.com 1020 "C:\Windows\SysWOW64\rznsy.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rolxp.com

C:\Windows\system32\rolxp.com 1028 "C:\Windows\SysWOW64\emfhe.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eegay.com

C:\Windows\system32\eegay.com 1032 "C:\Windows\SysWOW64\rolxp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rvich.com

C:\Windows\system32\rvich.com 1040 "C:\Windows\SysWOW64\eegay.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bfyfc.com

C:\Windows\system32\bfyfc.com 1036 "C:\Windows\SysWOW64\rvich.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nhevn.com

C:\Windows\system32\nhevn.com 1044 "C:\Windows\SysWOW64\bfyfc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ayzxw.com

C:\Windows\system32\ayzxw.com 1048 "C:\Windows\SysWOW64\nhevn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nafnh.com

C:\Windows\system32\nafnh.com 1056 "C:\Windows\SysWOW64\ayzxw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\anwdn.com

C:\Windows\system32\anwdn.com 1052 "C:\Windows\SysWOW64\nafnh.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kbxal.com

C:\Windows\system32\kbxal.com 1060 "C:\Windows\SysWOW64\anwdn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xssvu.com

C:\Windows\system32\xssvu.com 1072 "C:\Windows\SysWOW64\kbxal.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kinxc.com

C:\Windows\system32\kinxc.com 1068 "C:\Windows\SysWOW64\xssvu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xhpal.com

C:\Windows\system32\xhpal.com 1064 "C:\Windows\SysWOW64\kinxc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jxkdu.com

C:\Windows\system32\jxkdu.com 1076 "C:\Windows\SysWOW64\xhpal.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\tllas.com

C:\Windows\system32\tllas.com 1080 "C:\Windows\SysWOW64\jxkdu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gcgda.com

C:\Windows\system32\gcgda.com 1084 "C:\Windows\SysWOW64\tllas.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\taifj.com

C:\Windows\system32\taifj.com 1088 "C:\Windows\SysWOW64\gcgda.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ddyqw.com

C:\Windows\system32\ddyqw.com 1096 "C:\Windows\SysWOW64\taifj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qbttf.com

C:\Windows\system32\qbttf.com 1092 "C:\Windows\SysWOW64\ddyqw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cvzaq.com

C:\Windows\system32\cvzaq.com 1104 "C:\Windows\SysWOW64\qbttf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\putdz.com

C:\Windows\system32\putdz.com 1100 "C:\Windows\SysWOW64\cvzaq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ckwgp.com

C:\Windows\system32\ckwgp.com 1112 "C:\Windows\SysWOW64\putdz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mjada.com

C:\Windows\system32\mjada.com 1116 "C:\Windows\SysWOW64\ckwgp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\czmlg.com

C:\Windows\system32\czmlg.com 1120 "C:\Windows\SysWOW64\mjada.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mcjvu.com

C:\Windows\system32\mcjvu.com 1108 "C:\Windows\SysWOW64\czmlg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zaeyc.com

C:\Windows\system32\zaeyc.com 1124 "C:\Windows\SysWOW64\mcjvu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mrzbl.com

C:\Windows\system32\mrzbl.com 1128 "C:\Windows\SysWOW64\zaeyc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wbolg.com

C:\Windows\system32\wbolg.com 1136 "C:\Windows\SysWOW64\mrzbl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jsrop.com

C:\Windows\system32\jsrop.com 664 "C:\Windows\SysWOW64\wbolg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vqmix.com

C:\Windows\system32\vqmix.com 1140 "C:\Windows\SysWOW64\jsrop.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ftbtl.com

C:\Windows\system32\ftbtl.com 1144 "C:\Windows\SysWOW64\vqmix.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\sjewt.com

C:\Windows\system32\sjewt.com 1152 "C:\Windows\SysWOW64\ftbtl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\flkln.com

C:\Windows\system32\flkln.com 1156 "C:\Windows\SysWOW64\sjewt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\pwawa.com

C:\Windows\system32\pwawa.com 1160 "C:\Windows\SysWOW64\flkln.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\faare.com

C:\Windows\system32\faare.com 1164 "C:\Windows\SysWOW64\pwawa.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\opaou.com

C:\Windows\system32\opaou.com 1148 "C:\Windows\SysWOW64\faare.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bfdjc.com

C:\Windows\system32\bfdjc.com 1172 "C:\Windows\SysWOW64\opaou.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oeyll.com

C:\Windows\system32\oeyll.com 1168 "C:\Windows\SysWOW64\bfdjc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\butou.com

C:\Windows\system32\butou.com 1176 "C:\Windows\SysWOW64\oeyll.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\olork.com

C:\Windows\system32\olork.com 1184 "C:\Windows\SysWOW64\butou.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yvlbx.com

C:\Windows\system32\yvlbx.com 1180 "C:\Windows\SysWOW64\olork.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lxrrj.com

C:\Windows\system32\lxrrj.com 1188 "C:\Windows\SysWOW64\yvlbx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vwvot.com

C:\Windows\system32\vwvot.com 1196 "C:\Windows\SysWOW64\lxrrj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zqben.com

C:\Windows\system32\zqben.com 1192 "C:\Windows\SysWOW64\vwvot.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mpehv.com

C:\Windows\system32\mpehv.com 1200 "C:\Windows\SysWOW64\zqben.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zfzje.com

C:\Windows\system32\zfzje.com 1208 "C:\Windows\SysWOW64\mpehv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jqomr.com

C:\Windows\system32\jqomr.com 1212 "C:\Windows\SysWOW64\zfzje.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zuwhv.com

C:\Windows\system32\zuwhv.com 1216 "C:\Windows\SysWOW64\jqomr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jipel.com

C:\Windows\system32\jipel.com 1204 "C:\Windows\SysWOW64\zuwhv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wzshu.com

C:\Windows\system32\wzshu.com 1220 "C:\Windows\SysWOW64\jipel.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jmbwi.com

C:\Windows\system32\jmbwi.com 1224 "C:\Windows\SysWOW64\wzshu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\voimt.com

C:\Windows\system32\voimt.com 1232 "C:\Windows\SysWOW64\jmbwi.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gnukd.com

C:\Windows\system32\gnukd.com 612 "C:\Windows\SysWOW64\voimt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\spazp.com

C:\Windows\system32\spazp.com 1240 "C:\Windows\SysWOW64\gnukd.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ffvcx.com

C:\Windows\system32\ffvcx.com 1244 "C:\Windows\SysWOW64\spazp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\sexxg.com

C:\Windows\system32\sexxg.com 1248 "C:\Windows\SysWOW64\ffvcx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cgnhb.com

C:\Windows\system32\cgnhb.com 1236 "C:\Windows\SysWOW64\sexxg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\pitxn.com

C:\Windows\system32\pitxn.com 1252 "C:\Windows\SysWOW64\cgnhb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cvcms.com

C:\Windows\system32\cvcms.com 1256 "C:\Windows\SysWOW64\pitxn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\obuph.com

C:\Windows\system32\obuph.com 1268 "C:\Windows\SysWOW64\cvcms.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bolfn.com

C:\Windows\system32\bolfn.com 1260 "C:\Windows\SysWOW64\obuph.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lcmcl.com

C:\Windows\system32\lcmcl.com 1264 "C:\Windows\SysWOW64\bolfn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ypvsq.com

C:\Windows\system32\ypvsq.com 1272 "C:\Windows\SysWOW64\lcmcl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lrbzc.com

C:\Windows\system32\lrbzc.com 1280 "C:\Windows\SysWOW64\ypvsq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yieck.com

C:\Windows\system32\yieck.com 1276 "C:\Windows\SysWOW64\lrbzc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kkksw.com

C:\Windows\system32\kkksw.com 1288 "C:\Windows\SysWOW64\yieck.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vjopg.com

C:\Windows\system32\vjopg.com 1284 "C:\Windows\SysWOW64\kkksw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hzjsp.com

C:\Windows\system32\hzjsp.com 1292 "C:\Windows\SysWOW64\vjopg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rkhck.com

C:\Windows\system32\rkhck.com 1296 "C:\Windows\SysWOW64\hzjsp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\emnsv.com

C:\Windows\system32\emnsv.com 1300 "C:\Windows\SysWOW64\rkhck.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rzwib.com

C:\Windows\system32\rzwib.com 1304 "C:\Windows\SysWOW64\emnsv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\etcpn.com

C:\Windows\system32\etcpn.com 1308 "C:\Windows\SysWOW64\rzwib.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rrfsv.com

C:\Windows\system32\rrfsv.com 1312 "C:\Windows\SysWOW64\etcpn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eiave.com

C:\Windows\system32\eiave.com 1324 "C:\Windows\SysWOW64\rrfsv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ospfz.com

C:\Windows\system32\ospfz.com 1316 "C:\Windows\SysWOW64\eiave.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xvfpm.com

C:\Windows\system32\xvfpm.com 1328 "C:\Windows\SysWOW64\ospfz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\liwfs.com

C:\Windows\system32\liwfs.com 1320 "C:\Windows\SysWOW64\xvfpm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ygrib.com

C:\Windows\system32\ygrib.com 1336 "C:\Windows\SysWOW64\liwfs.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\husfz.com

C:\Windows\system32\husfz.com 1340 "C:\Windows\SysWOW64\ygrib.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ulmih.com

C:\Windows\system32\ulmih.com 1332 "C:\Windows\SysWOW64\husfz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ekzfs.com

C:\Windows\system32\ekzfs.com 1344 "C:\Windows\SysWOW64\ulmih.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uaknz.com

C:\Windows\system32\uaknz.com 1348 "C:\Windows\SysWOW64\ekzfs.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\edzym.com

C:\Windows\system32\edzym.com 1356 "C:\Windows\SysWOW64\uaknz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rfgff.com

C:\Windows\system32\rfgff.com 1360 "C:\Windows\SysWOW64\edzym.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\esxvl.com

C:\Windows\system32\esxvl.com 1352 "C:\Windows\SysWOW64\rfgff.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qudlw.com

C:\Windows\system32\qudlw.com 1364 "C:\Windows\SysWOW64\esxvl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\awtvk.com

C:\Windows\system32\awtvk.com 1368 "C:\Windows\SysWOW64\qudlw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nvnys.com

C:\Windows\system32\nvnys.com 1376 "C:\Windows\SysWOW64\awtvk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\alqbb.com

C:\Windows\system32\alqbb.com 1372 "C:\Windows\SysWOW64\nvnys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nkldj.com

C:\Windows\system32\nkldj.com 1380 "C:\Windows\SysWOW64\alqbb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\aaggs.com

C:\Windows\system32\aaggs.com 1388 "C:\Windows\SysWOW64\nkldj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kddqn.com

C:\Windows\system32\kddqn.com 1384 "C:\Windows\SysWOW64\aaggs.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\pbytw.com

C:\Windows\system32\pbytw.com 1392 "C:\Windows\SysWOW64\kddqn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cstwf.com

C:\Windows\system32\cstwf.com 1400 "C:\Windows\SysWOW64\pbytw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lgtlv.com

C:\Windows\system32\lgtlv.com 1396 "C:\Windows\SysWOW64\cstwf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ywool.com

C:\Windows\system32\ywool.com 1404 "C:\Windows\SysWOW64\lgtlv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lrgdr.com

C:\Windows\system32\lrgdr.com 1412 "C:\Windows\SysWOW64\ywool.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ylmtc.com

C:\Windows\system32\ylmtc.com 1408 "C:\Windows\SysWOW64\lrgdr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iwbeq.com

C:\Windows\system32\iwbeq.com 1416 "C:\Windows\SysWOW64\ylmtc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vqhtb.com

C:\Windows\system32\vqhtb.com 1420 "C:\Windows\SysWOW64\iwbeq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fxtrt.com

C:\Windows\system32\fxtrt.com 1424 "C:\Windows\SysWOW64\vqhtb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\snotc.com

C:\Windows\system32\snotc.com 1428 "C:\Windows\SysWOW64\fxtrt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fejwl.com

C:\Windows\system32\fejwl.com 1436 "C:\Windows\SysWOW64\snotc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rcmrt.com

C:\Windows\system32\rcmrt.com 1432 "C:\Windows\SysWOW64\fejwl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bfbbg.com

C:\Windows\system32\bfbbg.com 1440 "C:\Windows\SysWOW64\rcmrt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oewep.com

C:\Windows\system32\oewep.com 1448 "C:\Windows\SysWOW64\bfbbg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\burgg.com

C:\Windows\system32\burgg.com 1444 "C:\Windows\SysWOW64\oewep.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\otujo.com

C:\Windows\system32\otujo.com 1456 "C:\Windows\SysWOW64\burgg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yzuhe.com

C:\Windows\system32\yzuhe.com 1460 "C:\Windows\SysWOW64\otujo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lxpjn.com

C:\Windows\system32\lxpjn.com 1452 "C:\Windows\SysWOW64\yzuhe.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yokmw.com

C:\Windows\system32\yokmw.com 1468 "C:\Windows\SysWOW64\lxpjn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kmnpe.com

C:\Windows\system32\kmnpe.com 1464 "C:\Windows\SysWOW64\yokmw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xdhrn.com

C:\Windows\system32\xdhrn.com 1472 "C:\Windows\SysWOW64\kmnpe.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hrihl.com

C:\Windows\system32\hrihl.com 1476 "C:\Windows\SysWOW64\xdhrn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uhdjt.com

C:\Windows\system32\uhdjt.com 1480 "C:\Windows\SysWOW64\hrihl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hggmc.com

C:\Windows\system32\hggmc.com 1488 "C:\Windows\SysWOW64\uhdjt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rfkjm.com

C:\Windows\system32\rfkjm.com 1484 "C:\Windows\SysWOW64\hggmc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\evfmd.com

C:\Windows\system32\evfmd.com 1492 "C:\Windows\SysWOW64\rfkjm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ruhpm.com

C:\Windows\system32\ruhpm.com 1500 "C:\Windows\SysWOW64\evfmd.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\aaimc.com

C:\Windows\system32\aaimc.com 1504 "C:\Windows\SysWOW64\ruhpm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lhmkm.com

C:\Windows\system32\lhmkm.com 1496 "C:\Windows\SysWOW64\aaimc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\blmfq.com

C:\Windows\system32\blmfq.com 1508 "C:\Windows\SysWOW64\lhmkm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kokpl.com

C:\Windows\system32\kokpl.com 1516 "C:\Windows\SysWOW64\blmfq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xqqxx.com

C:\Windows\system32\xqqxx.com 1512 "C:\Windows\SysWOW64\kokpl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kdzuc.com

C:\Windows\system32\kdzuc.com 1524 "C:\Windows\SysWOW64\xqqxx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\urakt.com

C:\Windows\system32\urakt.com 1520 "C:\Windows\SysWOW64\kdzuc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hivmb.com

C:\Windows\system32\hivmb.com 1528 "C:\Windows\SysWOW64\urakt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ugypk.com

C:\Windows\system32\ugypk.com 1532 "C:\Windows\SysWOW64\hivmb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hxsss.com

C:\Windows\system32\hxsss.com 1536 "C:\Windows\SysWOW64\ugypk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uvnuj.com

C:\Windows\system32\uvnuj.com 1540 "C:\Windows\SysWOW64\hxsss.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dbosz.com

C:\Windows\system32\dbosz.com 1544 "C:\Windows\SysWOW64\uvnuj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qarvi.com

C:\Windows\system32\qarvi.com 1548 "C:\Windows\SysWOW64\dbosz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dqmpq.com

C:\Windows\system32\dqmpq.com 1552 "C:\Windows\SysWOW64\qarvi.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qpgsz.com

C:\Windows\system32\qpgsz.com 1560 "C:\Windows\SysWOW64\dqmpq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dfjvh.com

C:\Windows\system32\dfjvh.com 1556 "C:\Windows\SysWOW64\qpgsz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qhpkb.com

C:\Windows\system32\qhpkb.com 1568 "C:\Windows\SysWOW64\dfjvh.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zkfvo.com

C:\Windows\system32\zkfvo.com 1564 "C:\Windows\SysWOW64\qhpkb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mizxx.com

C:\Windows\system32\mizxx.com 1576 "C:\Windows\SysWOW64\zkfvo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wlpik.com

C:\Windows\system32\wlpik.com 1580 "C:\Windows\SysWOW64\mizxx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mpxdo.com

C:\Windows\system32\mpxdo.com 1572 "C:\Windows\SysWOW64\wlpik.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zosfw.com

C:\Windows\system32\zosfw.com 1588 "C:\Windows\SysWOW64\mpxdo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bcsvu.com

C:\Windows\system32\bcsvu.com 1584 "C:\Windows\SysWOW64\zosfw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\osnxd.com

C:\Windows\system32\osnxd.com 1592 "C:\Windows\SysWOW64\bcsvu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bjqam.com

C:\Windows\system32\bjqam.com 1608 "C:\Windows\SysWOW64\osnxd.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nhldu.com

C:\Windows\system32\nhldu.com 1596 "C:\Windows\SysWOW64\bjqam.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ayggd.com

C:\Windows\system32\ayggd.com 1612 "C:\Windows\SysWOW64\nhldu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kmgdb.com

C:\Windows\system32\kmgdb.com 1600 "C:\Windows\SysWOW64\ayggd.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xcjgk.com

C:\Windows\system32\xcjgk.com 1604 "C:\Windows\SysWOW64\kmgdb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kbeas.com

C:\Windows\system32\kbeas.com 1616 "C:\Windows\SysWOW64\xcjgk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xrzdb.com

C:\Windows\system32\xrzdb.com 1620 "C:\Windows\SysWOW64\kbeas.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kqcgj.com

C:\Windows\system32\kqcgj.com 1628 "C:\Windows\SysWOW64\xrzdb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\twudz.com

C:\Windows\system32\twudz.com 1632 "C:\Windows\SysWOW64\kqcgj.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\guxgi.com

C:\Windows\system32\guxgi.com 1624 "C:\Windows\SysWOW64\twudz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\thhvw.com

C:\Windows\system32\thhvw.com 1636 "C:\Windows\SysWOW64\guxgi.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gjnlh.com

C:\Windows\system32\gjnlh.com 1640 "C:\Windows\SysWOW64\thhvw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\tapoq.com

C:\Windows\system32\tapoq.com 1644 "C:\Windows\SysWOW64\gjnlh.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\doqdg.com

C:\Windows\system32\doqdg.com 1656 "C:\Windows\SysWOW64\tapoq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qelgo.com

C:\Windows\system32\qelgo.com 1652 "C:\Windows\SysWOW64\doqdg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cdgjx.com

C:\Windows\system32\cdgjx.com 1648 "C:\Windows\SysWOW64\qelgo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ptilg.com

C:\Windows\system32\ptilg.com 1660 "C:\Windows\SysWOW64\cdgjx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ckdow.com

C:\Windows\system32\ckdow.com 1668 "C:\Windows\SysWOW64\ptilg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\pmjei.com

C:\Windows\system32\pmjei.com 1664 "C:\Windows\SysWOW64\ckdow.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zlnbs.com

C:\Windows\system32\zlnbs.com 1672 "C:\Windows\SysWOW64\pmjei.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lrfwg.com

C:\Windows\system32\lrfwg.com 1680 "C:\Windows\SysWOW64\zlnbs.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zewtm.com

C:\Windows\system32\zewtm.com 1676 "C:\Windows\SysWOW64\lrfwg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mcrov.com

C:\Windows\system32\mcrov.com 1688 "C:\Windows\SysWOW64\zewtm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vqslt.com

C:\Windows\system32\vqslt.com 1684 "C:\Windows\SysWOW64\mcrov.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ihnob.com

C:\Windows\system32\ihnob.com 1696 "C:\Windows\SysWOW64\vqslt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vxprk.com

C:\Windows\system32\vxprk.com 1700 "C:\Windows\SysWOW64\ihnob.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\izvgv.com

C:\Windows\system32\izvgv.com 1692 "C:\Windows\SysWOW64\vxprk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\syaeo.com

C:\Windows\system32\syaeo.com 1704 "C:\Windows\SysWOW64\izvgv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eagmz.com

C:\Windows\system32\eagmz.com 1712 "C:\Windows\SysWOW64\syaeo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\snxjf.com

C:\Windows\system32\snxjf.com 1708 "C:\Windows\SysWOW64\eagmz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\epdrq.com

C:\Windows\system32\epdrq.com 1716 "C:\Windows\SysWOW64\snxjf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rgyuz.com

C:\Windows\system32\rgyuz.com 1720 "C:\Windows\SysWOW64\epdrq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eiejk.com

C:\Windows\system32\eiejk.com 1724 "C:\Windows\SysWOW64\rgyuz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oktuy.com

C:\Windows\system32\oktuy.com 1728 "C:\Windows\SysWOW64\eiejk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bfljm.com

C:\Windows\system32\bfljm.com 1732 "C:\Windows\SysWOW64\oktuy.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\owgmu.com

C:\Windows\system32\owgmu.com 1740 "C:\Windows\SysWOW64\bfljm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ykgjk.com

C:\Windows\system32\ykgjk.com 1744 "C:\Windows\SysWOW64\owgmu.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kajmt.com

C:\Windows\system32\kajmt.com 1736 "C:\Windows\SysWOW64\ykgjk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xzehb.com

C:\Windows\system32\xzehb.com 1748 "C:\Windows\SysWOW64\kajmt.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kpzkk.com

C:\Windows\system32\kpzkk.com 1752 "C:\Windows\SysWOW64\xzehb.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\usouf.com

C:\Windows\system32\usouf.com 1760 "C:\Windows\SysWOW64\kpzkk.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hqrxo.com

C:\Windows\system32\hqrxo.com 1756 "C:\Windows\SysWOW64\usouf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xydfv.com

C:\Windows\system32\xydfv.com 1768 "C:\Windows\SysWOW64\hqrxo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hjspi.com

C:\Windows\system32\hjspi.com 1764 "C:\Windows\SysWOW64\xydfv.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uznsq.com

C:\Windows\system32\uznsq.com 1776 "C:\Windows\SysWOW64\hjspi.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gyquz.com

C:\Windows\system32\gyquz.com 1772 "C:\Windows\SysWOW64\uznsq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qeqkx.com

C:\Windows\system32\qeqkx.com 1784 "C:\Windows\SysWOW64\gyquz.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dzazd.com

C:\Windows\system32\dzazd.com 1780 "C:\Windows\SysWOW64\qeqkx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\itgpo.com

C:\Windows\system32\itgpo.com 1788 "C:\Windows\SysWOW64\dzazd.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vsjsx.com

C:\Windows\system32\vsjsx.com 1800 "C:\Windows\SysWOW64\itgpo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iiduf.com

C:\Windows\system32\iiduf.com 1796 "C:\Windows\SysWOW64\vsjsx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rwesw.com

C:\Windows\system32\rwesw.com 1804 "C:\Windows\SysWOW64\iiduf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\enzvm.com

C:\Windows\system32\enzvm.com 1808 "C:\Windows\SysWOW64\rwesw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\raqks.com

C:\Windows\system32\raqks.com 1812 "C:\Windows\SysWOW64\enzvm.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\borai.com

C:\Windows\system32\borai.com 1816 "C:\Windows\SysWOW64\raqks.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lnvfs.com

C:\Windows\system32\lnvfs.com 1792 "C:\Windows\SysWOW64\borai.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bzdaw.com

C:\Windows\system32\bzdaw.com 1824 "C:\Windows\SysWOW64\lnvfs.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lyixp.com

C:\Windows\system32\lyixp.com 1820 "C:\Windows\SysWOW64\bzdaw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vminf.com

C:\Windows\system32\vminf.com 1828 "C:\Windows\SysWOW64\lyixp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\izsll.com

C:\Windows\system32\izsll.com 1832 "C:\Windows\SysWOW64\vminf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vbgsw.com

C:\Windows\system32\vbgsw.com 1836 "C:\Windows\SysWOW64\izsll.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\isbvf.com

C:\Windows\system32\isbvf.com 1844 "C:\Windows\SysWOW64\vbgsw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\srfsx.com

C:\Windows\system32\srfsx.com 1848 "C:\Windows\SysWOW64\isbvf.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fpivg.com

C:\Windows\system32\fpivg.com 1852 "C:\Windows\SysWOW64\srfsx.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rjolr.com

C:\Windows\system32\rjolr.com 1856 "C:\Windows\SysWOW64\fpivg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eiina.com

C:\Windows\system32\eiina.com 1860 "C:\Windows\SysWOW64\rjolr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oojlq.com

C:\Windows\system32\oojlq.com 1840 "C:\Windows\SysWOW64\eiina.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bnefy.com

C:\Windows\system32\bnefy.com 1864 "C:\Windows\SysWOW64\oojlq.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\odhip.com

C:\Windows\system32\odhip.com 1872 "C:\Windows\SysWOW64\bnefy.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bcbly.com

C:\Windows\system32\bcbly.com 1868 "C:\Windows\SysWOW64\odhip.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lervl.com

C:\Windows\system32\lervl.com 1880 "C:\Windows\SysWOW64\bcbly.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xgxlw.com

C:\Windows\system32\xgxlw.com 1876 "C:\Windows\SysWOW64\lervl.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ktobc.com

C:\Windows\system32\ktobc.com 1888 "C:\Windows\SysWOW64\xgxlw.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xvvqn.com

C:\Windows\system32\xvvqn.com 1884 "C:\Windows\SysWOW64\ktobc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kmpte.com

C:\Windows\system32\kmpte.com 1892 "C:\Windows\SysWOW64\xvvqn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xckwn.com

C:\Windows\system32\xckwn.com 1896 "C:\Windows\SysWOW64\kmpte.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hqlld.com

C:\Windows\system32\hqlld.com 1904 "C:\Windows\SysWOW64\xckwn.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\udcbi.com

C:\Windows\system32\udcbi.com 1900 "C:\Windows\SysWOW64\hqlld.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hcxdr.com

C:\Windows\system32\hcxdr.com 1908 "C:\Windows\SysWOW64\udcbi.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\renom.com

C:\Windows\system32\renom.com 1916 "C:\Windows\SysWOW64\hcxdr.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dgtdy.com

C:\Windows\system32\dgtdy.com 1912 "C:\Windows\SysWOW64\renom.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qxvgg.com

C:\Windows\system32\qxvgg.com 1924 "C:\Windows\SysWOW64\dgtdy.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dvqjp.com

C:\Windows\system32\dvqjp.com 1920 "C:\Windows\SysWOW64\qxvgg.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nygtc.com

C:\Windows\system32\nygtc.com 1928 "C:\Windows\SysWOW64\dvqjp.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\aambo.com

C:\Windows\system32\aambo.com 1932 "C:\Windows\SysWOW64\nygtc.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nqoee.com

C:\Windows\system32\nqoee.com 1936 "C:\Windows\SysWOW64\aambo.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

memory/2352-0-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2352-1-0x0000000000510000-0x0000000000554000-memory.dmp

memory/2352-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2352-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2352-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2352-6-0x00000000005A0000-0x00000000005A4000-memory.dmp

memory/2352-5-0x0000000000560000-0x0000000000561000-memory.dmp

memory/2352-44-0x0000000002510000-0x0000000002511000-memory.dmp

memory/2352-47-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2352-46-0x0000000002530000-0x0000000002531000-memory.dmp

memory/2352-45-0x0000000002500000-0x0000000002501000-memory.dmp

memory/2352-43-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/2352-42-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/2352-41-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2352-40-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/2352-39-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/2352-37-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/2352-36-0x0000000002470000-0x0000000002471000-memory.dmp

C:\acx.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

memory/2352-34-0x0000000002490000-0x0000000002491000-memory.dmp

memory/2352-33-0x0000000002450000-0x0000000002451000-memory.dmp

memory/2352-32-0x0000000002460000-0x0000000002461000-memory.dmp

memory/2352-31-0x0000000002430000-0x0000000002431000-memory.dmp

memory/2352-30-0x0000000002440000-0x0000000002441000-memory.dmp

memory/2352-29-0x0000000002410000-0x0000000002411000-memory.dmp

memory/2352-28-0x0000000002420000-0x0000000002421000-memory.dmp

memory/2352-26-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/2352-24-0x0000000002400000-0x0000000002401000-memory.dmp

memory/2352-23-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/2352-22-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

memory/2352-20-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

memory/2352-19-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

memory/2352-18-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

memory/2352-17-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

memory/2352-16-0x0000000000650000-0x0000000000651000-memory.dmp

memory/2352-15-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/2352-14-0x0000000000630000-0x0000000000631000-memory.dmp

memory/2352-13-0x0000000000640000-0x0000000000641000-memory.dmp

memory/2352-12-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/2352-11-0x0000000000580000-0x0000000000581000-memory.dmp

memory/2352-10-0x0000000000570000-0x0000000000571000-memory.dmp

memory/2352-9-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/2352-8-0x0000000000590000-0x0000000000591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 748bce4dacebbbd388af154a1df22078
SHA1 0eeeb108678f819cd437d53b927feedf36aabc64
SHA256 1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a
SHA512 d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a437192517c26d96c8cee8d5a27dd560
SHA1 f665a3e5e5c141e4527509dffd30b0320aa8df6f
SHA256 d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23
SHA512 f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3bd23392c6fcc866c4561388c1dc72ac
SHA1 c4b1462473f1d97fed434014532ea344b8fc05c1
SHA256 696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43
SHA512 15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/2352-158-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2352-163-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/2352-165-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/2352-164-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/2352-162-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/2352-161-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2352-160-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2352-159-0x0000000002990000-0x0000000002991000-memory.dmp

memory/2352-157-0x0000000002970000-0x0000000002971000-memory.dmp

memory/2352-156-0x0000000002980000-0x0000000002981000-memory.dmp

\Windows\SysWOW64\iqlvu.com

MD5 06b2a063d4f7ed1fbdf89ac4da07890a
SHA1 cfbec43e3d4ff6075a9f8593cf83467aa4b2ea40
SHA256 03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149
SHA512 35f5fdbefc61b4aedeffc159f769add5f1406fb10c48ebfa47da3d8549280ced0373aac150ba16f6f3f6ebe60acf0cea3438c581cae139089c3fbfe3aa95d6ec

memory/2352-189-0x0000000002E00000-0x0000000002E98000-memory.dmp

memory/2352-188-0x0000000002E00000-0x0000000002E98000-memory.dmp

memory/2352-182-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

memory/2352-181-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

memory/2352-180-0x0000000002C90000-0x0000000002C91000-memory.dmp

memory/2352-179-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

memory/2352-178-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/2352-177-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/2352-176-0x0000000002C50000-0x0000000002C51000-memory.dmp

memory/2352-175-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/2352-174-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/2352-173-0x0000000002C40000-0x0000000002C41000-memory.dmp

memory/2352-172-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/2352-171-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

memory/2700-191-0x0000000000320000-0x0000000000364000-memory.dmp

memory/2352-193-0x0000000000510000-0x0000000000554000-memory.dmp

memory/2352-192-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2700-195-0x0000000000A10000-0x0000000000A11000-memory.dmp

memory/2700-194-0x0000000000A00000-0x0000000000A01000-memory.dmp

memory/2700-207-0x0000000002DC0000-0x0000000002E58000-memory.dmp

memory/2700-209-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2700-214-0x0000000000320000-0x0000000000364000-memory.dmp

memory/548-220-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2896-222-0x0000000000400000-0x0000000000498000-memory.dmp

memory/548-232-0x0000000002DC0000-0x0000000002E58000-memory.dmp

memory/548-234-0x0000000000400000-0x0000000000498000-memory.dmp

memory/596-243-0x0000000002DC0000-0x0000000002E58000-memory.dmp

memory/1624-245-0x0000000000400000-0x0000000000498000-memory.dmp

memory/596-250-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2952-259-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1624-258-0x0000000002E00000-0x0000000002E98000-memory.dmp

memory/1624-261-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2032-272-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2952-271-0x0000000002E40000-0x0000000002ED8000-memory.dmp

memory/2952-277-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2032-284-0x0000000002DB0000-0x0000000002E48000-memory.dmp

memory/2456-290-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2032-403-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2652-413-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d67d51b859c99a46a906a4c3a6ff6560
SHA1 b685cc703a1c86ba8ad681b545a6f3014b80d585
SHA256 33d0a27d49cd3cfa5a4ef5027d3defe60a3f7be1a3914870390b9829d360937a
SHA512 c986416a115ca162ee28d5dfd1159538d81a751e4961340415718c0d1f0ffa4d80675b4b698ed039eef86cbe1b2c0b01a0004dea39111056013d3e0a0179cedd

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558e454bc2d99d7949719cf24f540dd2
SHA1 e9c772bcee4ae780cdc28b0b4876385639e59b39
SHA256 677ec2cfe2ae99352aa12ac658d01a7bb0b51cf3cd2c568e94a78754326ca43a
SHA512 5bb10dcf81ccab0b7e2274d3ccdbda5a38014576096fef71725cfa6e16a4bfd29f481f3bc5ad15426fb9918eeca67fff11291a88caf10974433214674c1c1b64

memory/2456-529-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2652-541-0x0000000002E30000-0x0000000002EC8000-memory.dmp

memory/2652-540-0x0000000002E30000-0x0000000002EC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 67a0c98a371995d5434cb9788ee1c42f
SHA1 7171d3dca52f038ca9d9e8b13f356462dbc8f3cc
SHA256 2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3
SHA512 f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

memory/2652-659-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1604-670-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4117e5a9c995bab9cd3bce3fc2b99a46
SHA1 80144ccbad81c2efb1df64e13d3d5f59ca4486da
SHA256 37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
SHA512 bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5da7efcc8d0fcdf2bad7890c3f8a27ca
SHA1 681788d5a3044eee8426d431bd786375cd32bf13
SHA256 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8
SHA512 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

memory/1760-785-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1836-799-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1604-796-0x0000000002BB0000-0x0000000002C48000-memory.dmp

memory/1604-795-0x0000000002BB0000-0x0000000002C48000-memory.dmp

memory/1604-808-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1836-925-0x0000000002E00000-0x0000000002E98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1daa413d1a8cd1692f2e4ae22b54c74a
SHA1 2e02e2a23cfaa62f301e29a117e291ff93cc5d31
SHA256 10732e2612780d9694faf0bb9b27cdc6f3376ad327da7dfc346e9e5579493d33
SHA512 b947c70c7c4af971e3fbdc66fb7175b6624ac68c6a723dac7ecb5cf5f43bbe210fa0fa61fd4b6153dccf7de077d003ca03f061e209dc37773546b038e6aef277

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a5d4cddfecf34e5391a7a3df62312327
SHA1 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6fe56f6715b4c328bc5b2b35cb51c7e1
SHA1 8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3
SHA256 0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be
SHA512 8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA1 a365542609e4d1dc46be62928b08612fcabe2ede
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 bf7ee07851e04b2a0dbe554db62dc3aa
SHA1 cad155b66053cd7ce2b969a0eb20a8f4812b1f46
SHA256 13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9
SHA512 9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 584f47a0068747b3295751a0d591f4ee
SHA1 7886a90e507c56d3a6105ecdfd9ff77939afa56f
SHA256 927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5
SHA512 ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 831afd728dd974045c0654510071d405
SHA1 9484f4ee8e9eef0956553a59cfbcbe99a8822026
SHA256 03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2
SHA512 ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

memory/2656-1291-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2824-1412-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4cee92ad10b11dbf325a40c64ff7d745
SHA1 b395313d0e979fede2261f8cc558fcebfefcae33
SHA256 eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1
SHA512 3f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3637baf389a0d79b412adb2a7f1b7d09
SHA1 f4b011a72f59cf98a325f12b7e40ddd0548ccc16
SHA256 835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba
SHA512 ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f1cbbc2ce0d93c45a92edcc86780e9f0
SHA1 d893306caae2584cdeba4c80c3bfe18548fa227a
SHA256 6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7
SHA512 b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 895301bce84d6fe707b5cfd50f1f9f97
SHA1 50a012f59655621768f624c4571654145663c042
SHA256 b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4
SHA512 a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2b307765b7465ef5e4935f0ed7307c01
SHA1 c46a1947f8b2785114891f7905f663d9ae517f1b
SHA256 a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85
SHA512 fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 47985593a44ee38c64665b04cbd4b84c
SHA1 84900c2b2e116a7b744730733f63f2a38b4eb76e
SHA256 4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70
SHA512 abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2299014e9ce921b7045e958d39d83e74
SHA1 26ed64f84417eb05d1d9d48441342ca1363084da
SHA256 ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57
SHA512 0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5bf31d7ea99b678c867ccdec344298aa
SHA1 2e548f54bf50d13993105c4f59bbeaeb87b17a68
SHA256 52be521b5509b444c0369ea7e69fc06b2d0b770cf600386c9a0178225ccdd281
SHA512 1bc82b65efe8c2be419748c8534210e7ad8cc8332ef87fb5df828eaebfdf630066ab3ad8d3ceeb82dee5ec4e680daff2748fcd4beaad8c71f1477b2ec7fe3564

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 54ca6e3ef1c12b994043e85a8c9895f0
SHA1 5eaccfb482cbe24cf5c3203ffdc926184097427e
SHA256 0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0
SHA512 925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 294976e85ad11a45853f99c1b208723f
SHA1 8d83101d69420b5af97ec517165d849d3ab498fc
SHA256 04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff
SHA512 e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

memory/1540-1534-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e78a2688839aaee80b2bfdc4639329c5
SHA1 818a0dd05493b075a9f2eaf063e64d5a653f470a
SHA256 bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d
SHA512 2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c8441ec8a2edf9b2f4f631fe930ea4d9
SHA1 2855ee21116b427d280fcaa2471c9bd3d2957f6f
SHA256 dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184
SHA512 b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8d6eb64e58d3f14686110fcaf1363269
SHA1 d85c0b208716b400894ba4cb569a5af4aa178a2f
SHA256 c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5
SHA512 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

memory/1132-1655-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1c6131354c6987300ea512b765475b82
SHA1 2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53
SHA256 3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640
SHA512 b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 0bccb0cc2d0641cd0ac7ce17afe64b9f
SHA1 103f5bc2b153913e8a614a7abb43941fe90862a4
SHA256 cae50ec401dae988f1221cead7de58cf4301040fd9fbb8d1c4ad032034ee1842
SHA512 cce4edc7c607ca3969fb19f93a836d87170e2c50fcf136acb3bcb5500b99b1ae73a999b7d648a3643f58cf960b071b24215e1c59f874ca38a50cf1ef90b06389

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 908860a865f8ed2e14085e35256578dd
SHA1 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603
SHA256 d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
SHA512 a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a36f3bf3750851d8732b132fa330bb4
SHA1 1cb36be31f3d7d9439aac14af3d7a27f05a980eb
SHA256 5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9
SHA512 a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5020988c301a6bf0c54a293ddf64837c
SHA1 5b65e689a2988b9a739d53565b2a847f20d70f09
SHA256 a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d
SHA512 921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4be01c629881eddccb675ba267a66899
SHA1 23324e7814bcd157b27e810f4c786b0c39bfc9b1
SHA256 39c14522925e5e55bf1eefcd5beb8b7aae687158163082aac7ef5690c3524a30
SHA512 7c3063badaa57e3a39eea5d87e6bdbeec00793f9afd2bea52d3aa354e0bbd83e2a63966438fe7305f29a0ee6f45cb77d4613fe2d3b4f6719e16860deae764d55

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6bf876cd9994f0d41be4eca36d22c42a
SHA1 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79
SHA256 ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a
SHA512 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 61ec72543aaac5c7b336d2b22f919c07
SHA1 5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d
SHA256 088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea
SHA512 e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

memory/2560-1898-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c6b0028a6f5508ef564d624eda0e72bc
SHA1 18901c9856a9af672c2e27383c15d2da41f27b6b
SHA256 b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06
SHA512 5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a13ff758fc4326eaa44582bc9700aead
SHA1 a4927b4a3b84526c5c42a077ade4652ab308f83f
SHA256 c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588
SHA512 86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5088b4be1b90717121e76c1fc33c033a
SHA1 090676b012c30e6b0d6493ca1e9a31f3093cad6f
SHA256 d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a
SHA512 0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 159bb1d34a927f58fc851798c7c09b58
SHA1 c3a26565004531f3a93e29eabb0f9a196b4c1ba2
SHA256 53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd
SHA512 b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 ffbb389d817acf25cc38799c239d512c
SHA1 8b4854ed9e257c3da9ec11d0f145805c6ae6193f
SHA256 f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39
SHA512 382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b9dc88ed785d13aaeae9626d7a26a6a0
SHA1 ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e
SHA256 9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc
SHA512 df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5575ef034e791d4d3b09da6c0c4ee764
SHA1 50a0851ddf4b0c4014ad91f976e953baffe30951
SHA256 9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14
SHA512 ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

memory/3012-2023-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2e2266221550edce9a27c9060d5c2361
SHA1 f39f2d8f02f8b3a877d5969a81c4cb12679609f3
SHA256 e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb
SHA512 e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 614dc91c25423b19711b270e1e5a49ad
SHA1 f66496dcf9047ae934bdc4a65f697be55980b169
SHA256 cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e
SHA512 27a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 0d1e5715cf04d212bcd7c9dea5f7ab72
SHA1 a8add44bf542e4d22260a13de6a35704fb7f3bfb
SHA256 5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473
SHA512 89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d8be0d42e512d922804552250f01eb90
SHA1 cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
SHA256 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
SHA512 f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5855edf3afa67e11de78af0389880d18
SHA1 c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f
SHA256 c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa
SHA512 5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f708dcfd087b5b3763678cfb8d63735e
SHA1 a38fa7fa516c1402762425176ff1b607db36c752
SHA256 abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10
SHA512 fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6dd7ad95427e77ae09861afd77104775
SHA1 81c2ffe8c63e71f013a07e5794473b60f50c0716
SHA256 8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2
SHA512 171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 fa83299c5a0d8714939977af6bdafa92
SHA1 46a4abab9b803a7361ab89d0ca000a367550e23c
SHA256 f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03
SHA512 85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b79d7c7385eb2936ecd5681762227a9b
SHA1 c2a21fb49bd3cc8be9baac1bf6f6389453ad785d
SHA256 fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019
SHA512 7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 ff6c57e8ec2b96b8da7fe900f1f3da1c
SHA1 a6f0dc2e2a0a46e1031017b81825173054bf76ae
SHA256 ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6
SHA512 c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 117efa689c5631c1a1ee316f123182bd
SHA1 f477bf1e9f4db8452bd9fe314cd18715f7045689
SHA256 79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7
SHA512 abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

memory/1332-2390-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c1e5f93e2bee9ca33872764d8889de23
SHA1 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

memory/1772-2632-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1608-2753-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b6b8b04c60361e2df1d3e29fc4fc3138
SHA1 bd732238f8d5894ca6020081adef617dabadf94e
SHA256 f255a5447d3a3eda8715938993357971faeabf92eecf172e2fc0dfbdaa239c1b
SHA512 16e7247fdc0c1191229ea44b4f6584dce588255e775642c343cffb2030c05bd77f4eb716d87d21defb0fe7edcc62a7a2e12ecbebbd72bc9a5247934fdd02fe40

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 eee5718ce97d259fd8acec31375fc375
SHA1 989c64b0c9a049f1b7ad9e677c4566ab1559744f
SHA256 1975123645c58e5160d63cc6ab8430f9dd0bc70d5cddafccf3687d655730dcfb
SHA512 6c2e14846b20128ac8bea8470b4455fd4b65de7457c216824cfa7008fafa41c29445290de6780dc4f6f3beea97ec3137c02c9b7504877d6c845e573a7b7db610

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9fa547ff360b09f7e093593af0b5a13b
SHA1 9debc99bb7450f59a7b09f16c0393e5c7a955ba4
SHA256 7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705
SHA512 30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

memory/376-3117-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 0a839c0e3eb1ed25e6211159e43f4df1
SHA1 a227a9322f58b8f40b2f6f326dca58145f599587
SHA256 717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0
SHA512 bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 cd085b8c40e69c2bf1eb3d59f8155b99
SHA1 3499260f24020fe6d54d9d632d34ba2770bb06e0
SHA256 10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c
SHA512 3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

memory/1896-3238-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1848-3359-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 989c5352030fafd44b92adf4d4164738
SHA1 e02985c15eb20682115e3fc343f829e28770ed6c
SHA256 248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38
SHA512 9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e2d37af73d5fe4a504db3f8c0d560e3d
SHA1 88c6bf5b485dd9c79283ccb5d2546ffbb95e563d
SHA256 e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008
SHA512 8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c2d6056624c1d37b1baf4445d8705378
SHA1 90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83
SHA256 3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96
SHA512 d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 501effddf60a974e98b67dc8921aa7e8
SHA1 734dfe4b508dbc1527ec92e91821a1251aec5b2e
SHA256 672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06
SHA512 28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1b2949b211ab497b739b1daf37cd4101
SHA1 12cad1063d28129ddd89e80acc2940f8dfbbaab3
SHA256 3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c
SHA512 a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 bef09dc596b7b91eec4f38765e0965b7
SHA1 b8bb8d2eb918e0979b08fd1967dac127874b9de5
SHA256 8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265
SHA512 0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f82bc8865c1f6bf7125563479421f95c
SHA1 65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d
SHA256 f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6
SHA512 00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8c6aa92ac8ffdfb7a0fb3dafd14d65f1
SHA1 cac3992d696a99a5dec2ab1c824c816117414b16
SHA256 dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa
SHA512 f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d5e129352c8dd0032b51f34a2bbecad3
SHA1 a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
SHA256 ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
SHA512 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f5fa5178657d29a36c5dc4ac9445cbdc
SHA1 4be1a87a89715d24d52b23c59006f9cb74437ba0
SHA256 f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114
SHA512 54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

memory/112-3482-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2880-3601-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2d9f1ff716273d19e3f0d10a3cd8736f
SHA1 b4ca02834dd3f3489c5088d2157279d2be90f5ff
SHA256 9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623
SHA512 1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1a00c84e2e8a76c3caa6c0b89f9f0d6d
SHA1 2650e962d49c5800edb569ee1b989edc8868d9b9
SHA256 f477217e9368c8114de7621c41a01818957dae31140ffd7df2b39705c72543e6
SHA512 a5f2f271184ff3bad04dd2135e7d32ca32c2ad24400832ec8a143dcbc20449ede4e06b48479ba93609cb1caf0b41a9143698eafb07b032ebdd609e399d62288c

memory/1240-4088-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5f6aefafda312b288b7d555c1fc36dc9
SHA1 f25e2fdea9dd714d0fae68af71cace7bb49302ce
SHA256 60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a
SHA512 97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a57e37dfb6f88b2d04424936ed0b4afb
SHA1 35e2f81486b8420b88b7693ad3e92f846367cb12
SHA256 411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d
SHA512 41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a84d46ef81c793a90a80bc806cffdcf
SHA1 02fac9db9330040ffc613a325686ddca2678a7c5
SHA256 201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4
SHA512 b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e2564fc59a86ea85b7485ab7288c68c4
SHA1 bc1544d9a03d1adafe399067ac32bf8d1cedbdb0
SHA256 68e8d8ef14bfbe96ebad3fb391fd4c1e57068a7f950dd31840884f6d58b078a8
SHA512 e09c6741d99ec41763e939aa39adb4e0f8508d37556c52251eec268849e85960da42ace7e9b82f1927de5bcf29ebec205189b113d2bb123025f3e6615b28ff0a

memory/1880-4332-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2716-4574-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2972-4695-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2312-4814-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2688-4935-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e1df6d58e6c905e4628df434384b3c9
SHA1 e67dd641da70aa9654ed24b19ed06a3eb8c0db43
SHA256 25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0
SHA512 93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

memory/1344-5056-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2140-5301-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a0897226da780b90c11da0756b361f1
SHA1 67f813e8733ad75a2147c59cca102a60274daeab
SHA256 115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee
SHA512 55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

memory/2300-5666-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2448-5789-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1108-6032-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2404-6275-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2156-6396-0x0000000000400000-0x0000000000498000-memory.dmp

memory/584-6514-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1272-6636-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2696-6758-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1832-6877-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2332-6997-0x0000000000400000-0x0000000000498000-memory.dmp

memory/924-7118-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1216-7237-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c756b8eac93de58d57105a6c35adb50f
SHA1 b18d370dabc3c5b9e82d74f19bbc101a1be009f2
SHA256 853448e59c9bb7599fa8a5ff03a0b608781a02d41f58576f1192e0c48cb8d635
SHA512 09fbfe4a17b1fb6167c6889e5a0ab41cfef9e1372796e69c2558a50a002d9c1e2b0d81d45d7f96be9d02a8025d0ae276ecc01f135e9ccb04c301adcffd67d263

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:10

Reported

2024-06-20 14:13

Platform

win10v2004-20240226-en

Max time kernel

54s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\scxbt.com N/A
N/A N/A C:\Windows\SysWOW64\mzjoo.com N/A
N/A N/A C:\Windows\SysWOW64\nvhox.com N/A
N/A N/A C:\Windows\SysWOW64\pfyep.com N/A
N/A N/A C:\Windows\SysWOW64\zbzwx.com N/A
N/A N/A C:\Windows\SysWOW64\wyywy.com N/A
N/A N/A C:\Windows\SysWOW64\fkixz.com N/A
N/A N/A C:\Windows\SysWOW64\hrxho.com N/A
N/A N/A C:\Windows\SysWOW64\nsfcf.com N/A
N/A N/A C:\Windows\SysWOW64\uasur.com N/A
N/A N/A C:\Windows\SysWOW64\cpoqd.com N/A
N/A N/A C:\Windows\SysWOW64\zjkdt.com N/A
N/A N/A C:\Windows\SysWOW64\kbzig.com N/A
N/A N/A C:\Windows\SysWOW64\pgtir.com N/A
N/A N/A C:\Windows\SysWOW64\jmztg.com N/A
N/A N/A C:\Windows\SysWOW64\rqjgy.com N/A
N/A N/A C:\Windows\SysWOW64\zrige.com N/A
N/A N/A C:\Windows\SysWOW64\flcbp.com N/A
N/A N/A C:\Windows\SysWOW64\knkwf.com N/A
N/A N/A C:\Windows\SysWOW64\xdfzo.com N/A
N/A N/A C:\Windows\SysWOW64\cjkoc.com N/A
N/A N/A C:\Windows\SysWOW64\jryho.com N/A
N/A N/A C:\Windows\SysWOW64\rjwhc.com N/A
N/A N/A C:\Windows\SysWOW64\cfxrk.com N/A
N/A N/A C:\Windows\SysWOW64\phemh.com N/A
N/A N/A C:\Windows\SysWOW64\zgrsa.com N/A
N/A N/A C:\Windows\SysWOW64\hdefd.com N/A
N/A N/A C:\Windows\SysWOW64\ohokv.com N/A
N/A N/A C:\Windows\SysWOW64\wezxe.com N/A
N/A N/A C:\Windows\SysWOW64\ebmkq.com N/A
N/A N/A C:\Windows\SysWOW64\eqkqh.com N/A
N/A N/A C:\Windows\SysWOW64\uukll.com N/A
N/A N/A C:\Windows\SysWOW64\zhetw.com N/A
N/A N/A C:\Windows\SysWOW64\krtyj.com N/A
N/A N/A C:\Windows\SysWOW64\rzpqv.com N/A
N/A N/A C:\Windows\SysWOW64\euygb.com N/A
N/A N/A C:\Windows\SysWOW64\opzyr.com N/A
N/A N/A C:\Windows\SysWOW64\xfnmv.com N/A
N/A N/A C:\Windows\SysWOW64\haowc.com N/A
N/A N/A C:\Windows\SysWOW64\oijow.com N/A
N/A N/A C:\Windows\SysWOW64\zazub.com N/A
N/A N/A C:\Windows\SysWOW64\eywkp.com N/A
N/A N/A C:\Windows\SysWOW64\jzeff.com N/A
N/A N/A C:\Windows\SysWOW64\omxmy.com N/A
N/A N/A C:\Windows\SysWOW64\oxkfn.com N/A
N/A N/A C:\Windows\SysWOW64\reyhc.com N/A
N/A N/A C:\Windows\SysWOW64\mzbfp.com N/A
N/A N/A C:\Windows\SysWOW64\rijax.com N/A
N/A N/A C:\Windows\SysWOW64\ldoqx.com N/A
N/A N/A C:\Windows\SysWOW64\wypaf.com N/A
N/A N/A C:\Windows\SysWOW64\raulw.com N/A
N/A N/A C:\Windows\SysWOW64\rbvwq.com N/A
N/A N/A C:\Windows\SysWOW64\wzsle.com N/A
N/A N/A C:\Windows\SysWOW64\yjsbw.com N/A
N/A N/A C:\Windows\SysWOW64\jbhhb.com N/A
N/A N/A C:\Windows\SysWOW64\mwcwo.com N/A
N/A N/A C:\Windows\SysWOW64\tlywi.com N/A
N/A N/A C:\Windows\SysWOW64\zjven.com N/A
N/A N/A C:\Windows\SysWOW64\hccec.com N/A
N/A N/A C:\Windows\SysWOW64\jmtuu.com N/A
N/A N/A C:\Windows\SysWOW64\rmsub.com N/A
N/A N/A C:\Windows\SysWOW64\bxjsi.com N/A
N/A N/A C:\Windows\SysWOW64\jmefl.com N/A
N/A N/A C:\Windows\SysWOW64\wolnx.com N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\qdsun.com N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\hrxho.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\dbxdr.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cztmu.com N/A
File opened for modification C:\Windows\SysWOW64\cjkoc.com C:\Windows\SysWOW64\xdfzo.com N/A
File created C:\Windows\SysWOW64\rijax.com C:\Windows\SysWOW64\mzbfp.com N/A
File created C:\Windows\SysWOW64\ebmkq.com C:\Windows\SysWOW64\wezxe.com N/A
File created C:\Windows\SysWOW64\rmsub.com C:\Windows\SysWOW64\jmtuu.com N/A
File created C:\Windows\SysWOW64\etqxc.com C:\Windows\SysWOW64\wevky.com N/A
File created C:\Windows\SysWOW64\eywkp.com C:\Windows\SysWOW64\zazub.com N/A
File opened for modification C:\Windows\SysWOW64\rmsub.com C:\Windows\SysWOW64\jmtuu.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\scxbt.com N/A
File created C:\Windows\SysWOW64\bmjiw.com C:\Windows\SysWOW64\txvvs.com N/A
File created C:\Windows\SysWOW64\tlywi.com C:\Windows\SysWOW64\mwcwo.com N/A
File opened for modification C:\Windows\SysWOW64\qoepg.com C:\Windows\SysWOW64\ntbst.com N/A
File created C:\Windows\SysWOW64\fkixz.com C:\Windows\SysWOW64\wyywy.com N/A
File created C:\Windows\SysWOW64\knkwf.com C:\Windows\SysWOW64\flcbp.com N/A
File created C:\Windows\SysWOW64\raulw.com C:\Windows\SysWOW64\wypaf.com N/A
File created C:\Windows\SysWOW64\vadtq.com C:\Windows\SysWOW64\ghgyg.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\ysocp.com N/A
File opened for modification C:\Windows\SysWOW64\zrige.com C:\Windows\SysWOW64\rqjgy.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cfxrk.com N/A
File created C:\Windows\SysWOW64\rdizd.com C:\Windows\SysWOW64\ducws.com N/A
File opened for modification C:\Windows\SysWOW64\lqpgi.com C:\Windows\SysWOW64\yhref.com N/A
File opened for modification C:\Windows\SysWOW64\eqkqh.com C:\Windows\SysWOW64\ebmkq.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\euygb.com N/A
File opened for modification C:\Windows\SysWOW64\jpypq.com C:\Windows\SysWOW64\bozoc.com N/A
File created C:\Windows\SysWOW64\yywsd.com C:\Windows\SysWOW64\ndvho.com N/A
File opened for modification C:\Windows\SysWOW64\jbhhb.com C:\Windows\SysWOW64\yjsbw.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\jryho.com N/A
File created C:\Windows\SysWOW64\yjsbw.com C:\Windows\SysWOW64\wzsle.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\vadtq.com N/A
File opened for modification C:\Windows\SysWOW64\qdwis.com C:\Windows\SysWOW64\jvbqy.com N/A
File created C:\Windows\SysWOW64\ghgyg.com C:\Windows\SysWOW64\ajjqs.com N/A
File opened for modification C:\Windows\SysWOW64\hvzdn.com C:\Windows\SysWOW64\bmjiw.com N/A
File opened for modification C:\Windows\SysWOW64\qhsym.com C:\Windows\SysWOW64\gigbc.com N/A
File opened for modification C:\Windows\SysWOW64\wezxe.com C:\Windows\SysWOW64\ohokv.com N/A
File created C:\Windows\SysWOW64\tstge.com C:\Windows\SysWOW64\jtpju.com N/A
File created C:\Windows\SysWOW64\vmqrq.com C:\Windows\SysWOW64\lqpgi.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\dxahm.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\eywkp.com N/A
File created C:\Windows\SysWOW64\gfkek.com C:\Windows\SysWOW64\tstge.com N/A
File opened for modification C:\Windows\SysWOW64\jmtuu.com C:\Windows\SysWOW64\hccec.com N/A
File opened for modification C:\Windows\SysWOW64\lfrfg.com C:\Windows\SysWOW64\bnbhb.com N/A
File opened for modification C:\Windows\SysWOW64\mzjoo.com C:\Windows\SysWOW64\scxbt.com N/A
File created C:\Windows\SysWOW64\bvmox.com C:\Windows\SysWOW64\qdwis.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\rbvwq.com N/A
File created C:\Windows\SysWOW64\oqokz.com C:\Windows\SysWOW64\jpypq.com N/A
File created C:\Windows\SysWOW64\nsfcf.com C:\Windows\SysWOW64\hrxho.com N/A
File created C:\Windows\SysWOW64\ohokv.com C:\Windows\SysWOW64\hdefd.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\jgkfv.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\tolam.com N/A
File opened for modification C:\Windows\SysWOW64\ghgyg.com C:\Windows\SysWOW64\ajjqs.com N/A
File opened for modification C:\Windows\SysWOW64\dxahm.com C:\Windows\SysWOW64\qdsun.com N/A
File opened for modification C:\Windows\SysWOW64\zgrsa.com C:\Windows\SysWOW64\phemh.com N/A
File created C:\Windows\SysWOW64\wolnx.com C:\Windows\SysWOW64\jmefl.com N/A
File opened for modification C:\Windows\SysWOW64\bxjsi.com C:\Windows\SysWOW64\rmsub.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\rzpqv.com N/A
File created C:\Windows\SysWOW64\ldoqx.com C:\Windows\SysWOW64\rijax.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\yoxim.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\xfnmv.com N/A
File created C:\Windows\SysWOW64\qhsym.com C:\Windows\SysWOW64\gigbc.com N/A
File opened for modification C:\Windows\SysWOW64\zbzwx.com C:\Windows\SysWOW64\pfyep.com N/A
File opened for modification C:\Windows\SysWOW64\dbxdr.com C:\Windows\SysWOW64\ghcqb.com N/A
File opened for modification C:\Windows\SysWOW64\phemh.com C:\Windows\SysWOW64\cfxrk.com N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1576 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1576 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4832 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\scxbt.com
PID 4832 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\scxbt.com
PID 4832 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe C:\Windows\SysWOW64\scxbt.com
PID 4552 wrote to memory of 4724 N/A C:\Windows\SysWOW64\scxbt.com C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4724 N/A C:\Windows\SysWOW64\scxbt.com C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4724 N/A C:\Windows\SysWOW64\scxbt.com C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4724 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4724 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4552 wrote to memory of 2180 N/A C:\Windows\SysWOW64\scxbt.com C:\Windows\SysWOW64\mzjoo.com
PID 4552 wrote to memory of 2180 N/A C:\Windows\SysWOW64\scxbt.com C:\Windows\SysWOW64\mzjoo.com
PID 4552 wrote to memory of 2180 N/A C:\Windows\SysWOW64\scxbt.com C:\Windows\SysWOW64\mzjoo.com
PID 2180 wrote to memory of 1396 N/A C:\Windows\SysWOW64\mzjoo.com C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 1396 N/A C:\Windows\SysWOW64\mzjoo.com C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 1396 N/A C:\Windows\SysWOW64\mzjoo.com C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1396 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1396 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2180 wrote to memory of 3912 N/A C:\Windows\SysWOW64\mzjoo.com C:\Windows\SysWOW64\nvhox.com
PID 2180 wrote to memory of 3912 N/A C:\Windows\SysWOW64\mzjoo.com C:\Windows\SysWOW64\nvhox.com
PID 2180 wrote to memory of 3912 N/A C:\Windows\SysWOW64\mzjoo.com C:\Windows\SysWOW64\nvhox.com
PID 3912 wrote to memory of 1208 N/A C:\Windows\SysWOW64\nvhox.com C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 1208 N/A C:\Windows\SysWOW64\nvhox.com C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 1208 N/A C:\Windows\SysWOW64\nvhox.com C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 3100 N/A C:\Windows\SysWOW64\nvhox.com C:\Windows\SysWOW64\pfyep.com
PID 3912 wrote to memory of 3100 N/A C:\Windows\SysWOW64\nvhox.com C:\Windows\SysWOW64\pfyep.com
PID 3912 wrote to memory of 3100 N/A C:\Windows\SysWOW64\nvhox.com C:\Windows\SysWOW64\pfyep.com
PID 1208 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\knkwf.com
PID 1208 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\knkwf.com
PID 1208 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\knkwf.com
PID 3100 wrote to memory of 1272 N/A C:\Windows\SysWOW64\pfyep.com C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 1272 N/A C:\Windows\SysWOW64\pfyep.com C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 1272 N/A C:\Windows\SysWOW64\pfyep.com C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2912 N/A C:\Windows\SysWOW64\pfyep.com C:\Windows\SysWOW64\zbzwx.com
PID 3100 wrote to memory of 2912 N/A C:\Windows\SysWOW64\pfyep.com C:\Windows\SysWOW64\zbzwx.com
PID 3100 wrote to memory of 2912 N/A C:\Windows\SysWOW64\pfyep.com C:\Windows\SysWOW64\zbzwx.com
PID 2912 wrote to memory of 4948 N/A C:\Windows\SysWOW64\zbzwx.com C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 4948 N/A C:\Windows\SysWOW64\zbzwx.com C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 4948 N/A C:\Windows\SysWOW64\zbzwx.com C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4948 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4948 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2912 wrote to memory of 4592 N/A C:\Windows\SysWOW64\zbzwx.com C:\Windows\SysWOW64\wyywy.com
PID 2912 wrote to memory of 4592 N/A C:\Windows\SysWOW64\zbzwx.com C:\Windows\SysWOW64\wyywy.com
PID 2912 wrote to memory of 4592 N/A C:\Windows\SysWOW64\zbzwx.com C:\Windows\SysWOW64\wyywy.com
PID 4592 wrote to memory of 2520 N/A C:\Windows\SysWOW64\wyywy.com C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 2520 N/A C:\Windows\SysWOW64\wyywy.com C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 2520 N/A C:\Windows\SysWOW64\wyywy.com C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2520 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2520 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4592 wrote to memory of 4820 N/A C:\Windows\SysWOW64\wyywy.com C:\Windows\SysWOW64\fkixz.com
PID 4592 wrote to memory of 4820 N/A C:\Windows\SysWOW64\wyywy.com C:\Windows\SysWOW64\fkixz.com
PID 4592 wrote to memory of 4820 N/A C:\Windows\SysWOW64\wyywy.com C:\Windows\SysWOW64\fkixz.com
PID 4820 wrote to memory of 1604 N/A C:\Windows\SysWOW64\fkixz.com C:\Windows\SysWOW64\jryho.com
PID 4820 wrote to memory of 1604 N/A C:\Windows\SysWOW64\fkixz.com C:\Windows\SysWOW64\jryho.com
PID 4820 wrote to memory of 1604 N/A C:\Windows\SysWOW64\fkixz.com C:\Windows\SysWOW64\jryho.com
PID 1604 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\scxbt.com

C:\Windows\system32\scxbt.com 1096 "C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mzjoo.com

C:\Windows\system32\mzjoo.com 1208 "C:\Windows\SysWOW64\scxbt.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nvhox.com

C:\Windows\system32\nvhox.com 1076 "C:\Windows\SysWOW64\mzjoo.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\pfyep.com

C:\Windows\system32\pfyep.com 1108 "C:\Windows\SysWOW64\nvhox.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\zbzwx.com

C:\Windows\system32\zbzwx.com 1112 "C:\Windows\SysWOW64\pfyep.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wyywy.com

C:\Windows\system32\wyywy.com 1116 "C:\Windows\SysWOW64\zbzwx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fkixz.com

C:\Windows\system32\fkixz.com 1120 "C:\Windows\SysWOW64\wyywy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hrxho.com

C:\Windows\system32\hrxho.com 1080 "C:\Windows\SysWOW64\fkixz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nsfcf.com

C:\Windows\system32\nsfcf.com 1084 "C:\Windows\SysWOW64\hrxho.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\uasur.com

C:\Windows\system32\uasur.com 1088 "C:\Windows\SysWOW64\nsfcf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cpoqd.com

C:\Windows\system32\cpoqd.com 1136 "C:\Windows\SysWOW64\uasur.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\zjkdt.com

C:\Windows\system32\zjkdt.com 1124 "C:\Windows\SysWOW64\cpoqd.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kbzig.com

C:\Windows\system32\kbzig.com 1092 "C:\Windows\SysWOW64\zjkdt.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\pgtir.com

C:\Windows\system32\pgtir.com 1148 "C:\Windows\SysWOW64\kbzig.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jmztg.com

C:\Windows\system32\jmztg.com 1140 "C:\Windows\SysWOW64\pgtir.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rqjgy.com

C:\Windows\system32\rqjgy.com 1100 "C:\Windows\SysWOW64\jmztg.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zrige.com

C:\Windows\system32\zrige.com 1104 "C:\Windows\SysWOW64\rqjgy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\flcbp.com

C:\Windows\system32\flcbp.com 1164 "C:\Windows\SysWOW64\zrige.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\knkwf.com

C:\Windows\system32\knkwf.com 1168 "C:\Windows\SysWOW64\flcbp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xdfzo.com

C:\Windows\system32\xdfzo.com 1172 "C:\Windows\SysWOW64\knkwf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cjkoc.com

C:\Windows\system32\cjkoc.com 1176 "C:\Windows\SysWOW64\xdfzo.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jryho.com

C:\Windows\system32\jryho.com 1144 "C:\Windows\SysWOW64\cjkoc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rjwhc.com

C:\Windows\system32\rjwhc.com 1156 "C:\Windows\SysWOW64\jryho.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cfxrk.com

C:\Windows\system32\cfxrk.com 1200 "C:\Windows\SysWOW64\rjwhc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\phemh.com

C:\Windows\system32\phemh.com 1128 "C:\Windows\SysWOW64\cfxrk.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zgrsa.com

C:\Windows\system32\zgrsa.com 1192 "C:\Windows\SysWOW64\phemh.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hdefd.com

C:\Windows\system32\hdefd.com 1196 "C:\Windows\SysWOW64\zgrsa.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ohokv.com

C:\Windows\system32\ohokv.com 1152 "C:\Windows\SysWOW64\hdefd.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wezxe.com

C:\Windows\system32\wezxe.com 1184 "C:\Windows\SysWOW64\ohokv.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ebmkq.com

C:\Windows\system32\ebmkq.com 1132 "C:\Windows\SysWOW64\wezxe.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\eqkqh.com

C:\Windows\system32\eqkqh.com 1220 "C:\Windows\SysWOW64\ebmkq.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\uukll.com

C:\Windows\system32\uukll.com 1332 "C:\Windows\SysWOW64\eqkqh.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zhetw.com

C:\Windows\system32\zhetw.com 1160 "C:\Windows\SysWOW64\uukll.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\krtyj.com

C:\Windows\system32\krtyj.com 1228 "C:\Windows\SysWOW64\zhetw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rzpqv.com

C:\Windows\system32\rzpqv.com 1340 "C:\Windows\SysWOW64\krtyj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\euygb.com

C:\Windows\system32\euygb.com 1344 "C:\Windows\SysWOW64\rzpqv.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\opzyr.com

C:\Windows\system32\opzyr.com 1180 "C:\Windows\SysWOW64\euygb.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xfnmv.com

C:\Windows\system32\xfnmv.com 1236 "C:\Windows\SysWOW64\opzyr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\haowc.com

C:\Windows\system32\haowc.com 1252 "C:\Windows\SysWOW64\xfnmv.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oijow.com

C:\Windows\system32\oijow.com 1360 "C:\Windows\SysWOW64\haowc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zazub.com

C:\Windows\system32\zazub.com 1256 "C:\Windows\SysWOW64\oijow.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eywkp.com

C:\Windows\system32\eywkp.com 1248 "C:\Windows\SysWOW64\zazub.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jzeff.com

C:\Windows\system32\jzeff.com 1240 "C:\Windows\SysWOW64\eywkp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\omxmy.com

C:\Windows\system32\omxmy.com 1244 "C:\Windows\SysWOW64\jzeff.com"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oxkfn.com

C:\Windows\system32\oxkfn.com 1380 "C:\Windows\SysWOW64\omxmy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\reyhc.com

C:\Windows\system32\reyhc.com 1268 "C:\Windows\SysWOW64\oxkfn.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mzbfp.com

C:\Windows\system32\mzbfp.com 1188 "C:\Windows\SysWOW64\reyhc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rijax.com

C:\Windows\system32\rijax.com 1216 "C:\Windows\SysWOW64\mzbfp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ldoqx.com

C:\Windows\system32\ldoqx.com 1284 "C:\Windows\SysWOW64\rijax.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wypaf.com

C:\Windows\system32\wypaf.com 1320 "C:\Windows\SysWOW64\ldoqx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\raulw.com

C:\Windows\system32\raulw.com 1204 "C:\Windows\SysWOW64\wypaf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rbvwq.com

C:\Windows\system32\rbvwq.com 1276 "C:\Windows\SysWOW64\raulw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wzsle.com

C:\Windows\system32\wzsle.com 1260 "C:\Windows\SysWOW64\rbvwq.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yjsbw.com

C:\Windows\system32\yjsbw.com 1296 "C:\Windows\SysWOW64\wzsle.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jbhhb.com

C:\Windows\system32\jbhhb.com 1420 "C:\Windows\SysWOW64\yjsbw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\mwcwo.com

C:\Windows\system32\mwcwo.com 1288 "C:\Windows\SysWOW64\jbhhb.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tlywi.com

C:\Windows\system32\tlywi.com 1292 "C:\Windows\SysWOW64\mwcwo.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\zjven.com

C:\Windows\system32\zjven.com 1280 "C:\Windows\SysWOW64\tlywi.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\hccec.com

C:\Windows\system32\hccec.com 1316 "C:\Windows\SysWOW64\zjven.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jmtuu.com

C:\Windows\system32\jmtuu.com 1440 "C:\Windows\SysWOW64\hccec.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rmsub.com

C:\Windows\system32\rmsub.com 1444 "C:\Windows\SysWOW64\jmtuu.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\bxjsi.com

C:\Windows\system32\bxjsi.com 1264 "C:\Windows\SysWOW64\rmsub.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jmefl.com

C:\Windows\system32\jmefl.com 1212 "C:\Windows\SysWOW64\bxjsi.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wolnx.com

C:\Windows\system32\wolnx.com 1456 "C:\Windows\SysWOW64\jmefl.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jffqo.com

C:\Windows\system32\jffqo.com 1460 "C:\Windows\SysWOW64\wolnx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\txvvs.com

C:\Windows\system32\txvvs.com 1312 "C:\Windows\SysWOW64\jffqo.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bmjiw.com

C:\Windows\system32\bmjiw.com 1232 "C:\Windows\SysWOW64\txvvs.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hvzdn.com

C:\Windows\system32\hvzdn.com 1476 "C:\Windows\SysWOW64\bmjiw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ooydb.com

C:\Windows\system32\ooydb.com 1328 "C:\Windows\SysWOW64\hvzdn.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\odnjs.com

C:\Windows\system32\odnjs.com 1224 "C:\Windows\SysWOW64\ooydb.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tqiwx.com

C:\Windows\system32\tqiwx.com 1364 "C:\Windows\SysWOW64\odnjs.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bqhwe.com

C:\Windows\system32\bqhwe.com 1348 "C:\Windows\SysWOW64\tqiwx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\gsxru.com

C:\Windows\system32\gsxru.com 1352 "C:\Windows\SysWOW64\bqhwe.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\owzem.com

C:\Windows\system32\owzem.com 1396 "C:\Windows\SysWOW64\gsxru.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bnbhb.com

C:\Windows\system32\bnbhb.com 1272 "C:\Windows\SysWOW64\owzem.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lfrfg.com

C:\Windows\system32\lfrfg.com 1384 "C:\Windows\SysWOW64\bnbhb.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wevky.com

C:\Windows\system32\wevky.com 1508 "C:\Windows\SysWOW64\lfrfg.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\etqxc.com

C:\Windows\system32\etqxc.com 1368 "C:\Windows\SysWOW64\wevky.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jgkfv.com

C:\Windows\system32\jgkfv.com 1372 "C:\Windows\SysWOW64\etqxc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\oisal.com

C:\Windows\system32\oisal.com 1300 "C:\Windows\SysWOW64\jgkfv.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yaiyq.com

C:\Windows\system32\yaiyq.com 1528 "C:\Windows\SysWOW64\oisal.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jvbqy.com

C:\Windows\system32\jvbqy.com 1304 "C:\Windows\SysWOW64\yaiyq.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qdwis.com

C:\Windows\system32\qdwis.com 1404 "C:\Windows\SysWOW64\jvbqy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bvmox.com

C:\Windows\system32\bvmox.com 1412 "C:\Windows\SysWOW64\qdwis.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\luqlp.com

C:\Windows\system32\luqlp.com 1408 "C:\Windows\SysWOW64\bvmox.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vqrdx.com

C:\Windows\system32\vqrdx.com 1548 "C:\Windows\SysWOW64\luqlp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\gigbc.com

C:\Windows\system32\gigbc.com 1544 "C:\Windows\SysWOW64\vqrdx.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\qhsym.com

C:\Windows\system32\qhsym.com 1424 "C:\Windows\SysWOW64\gigbc.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ducws.com

C:\Windows\system32\ducws.com 1416 "C:\Windows\SysWOW64\qhsym.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rdizd.com

C:\Windows\system32\rdizd.com 1432 "C:\Windows\SysWOW64\ducws.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bozoc.com

C:\Windows\system32\bozoc.com 1392 "C:\Windows\SysWOW64\rdizd.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jpypq.com

C:\Windows\system32\jpypq.com 1400 "C:\Windows\SysWOW64\bozoc.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oqokz.com

C:\Windows\system32\oqokz.com 1324 "C:\Windows\SysWOW64\jpypq.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tolam.com

C:\Windows\system32\tolam.com 1376 "C:\Windows\SysWOW64\oqokz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yeqmi.com

C:\Windows\system32\yeqmi.com 1308 "C:\Windows\SysWOW64\tolam.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jtufk.com

C:\Windows\system32\jtufk.com 1588 "C:\Windows\SysWOW64\yeqmi.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lzipa.com

C:\Windows\system32\lzipa.com 1056 "C:\Windows\SysWOW64\jtufk.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qeuxt.com

C:\Windows\system32\qeuxt.com 1464 "C:\Windows\SysWOW64\lzipa.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vnksj.com

C:\Windows\system32\vnksj.com 1468 "C:\Windows\SysWOW64\qeuxt.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\blhap.com

C:\Windows\system32\blhap.com 1472 "C:\Windows\SysWOW64\vnksj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dvzyh.com

C:\Windows\system32\dvzyh.com 1436 "C:\Windows\SysWOW64\blhap.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\itegv.com

C:\Windows\system32\itegv.com 1612 "C:\Windows\SysWOW64\dvzyh.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\gnztl.com

C:\Windows\system32\gnztl.com 1480 "C:\Windows\SysWOW64\itegv.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\twgeo.com

C:\Windows\system32\twgeo.com 1356 "C:\Windows\SysWOW64\gnztl.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\esyoe.com

C:\Windows\system32\esyoe.com 1492 "C:\Windows\SysWOW64\twgeo.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jtpju.com

C:\Windows\system32\jtpju.com 1388 "C:\Windows\SysWOW64\esyoe.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tstge.com

C:\Windows\system32\tstge.com 1628 "C:\Windows\SysWOW64\jtpju.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gfkek.com

C:\Windows\system32\gfkek.com 1636 "C:\Windows\SysWOW64\tstge.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jxacp.com

C:\Windows\system32\jxacp.com 1452 "C:\Windows\SysWOW64\gfkek.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\qfncj.com

C:\Windows\system32\qfncj.com 1640 "C:\Windows\SysWOW64\jxacp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ygmcq.com

C:\Windows\system32\ygmcq.com 1496 "C:\Windows\SysWOW64\qfncj.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iyczd.com

C:\Windows\system32\iyczd.com 1512 "C:\Windows\SysWOW64\ygmcq.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ndvho.com

C:\Windows\system32\ndvho.com 1524 "C:\Windows\SysWOW64\iyczd.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yywsd.com

C:\Windows\system32\yywsd.com 1488 "C:\Windows\SysWOW64\ndvho.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\bnmie.com

C:\Windows\system32\bnmie.com 1428 "C:\Windows\SysWOW64\yywsd.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\iuzir.com

C:\Windows\system32\iuzir.com 1448 "C:\Windows\SysWOW64\bnmie.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tepfd.com

C:\Windows\system32\tepfd.com 1532 "C:\Windows\SysWOW64\iuzir.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\yoxim.com

C:\Windows\system32\yoxim.com 1536 "C:\Windows\SysWOW64\tepfd.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\sikqm.com

C:\Windows\system32\sikqm.com 1484 "C:\Windows\SysWOW64\yoxim.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ajjqs.com

C:\Windows\system32\ajjqs.com 1500 "C:\Windows\SysWOW64\sikqm.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ghgyg.com

C:\Windows\system32\ghgyg.com 1556 "C:\Windows\SysWOW64\ajjqs.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vadtq.com

C:\Windows\system32\vadtq.com 1564 "C:\Windows\SysWOW64\ghgyg.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yhref.com

C:\Windows\system32\yhref.com 1504 "C:\Windows\SysWOW64\vadtq.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\lqpgi.com

C:\Windows\system32\lqpgi.com 1516 "C:\Windows\SysWOW64\yhref.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vmqrq.com

C:\Windows\system32\vmqrq.com 1560 "C:\Windows\SysWOW64\lqpgi.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\qdsun.com

C:\Windows\system32\qdsun.com 1580 "C:\Windows\SysWOW64\vmqrq.com"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3672 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\dxahm.com

C:\Windows\system32\dxahm.com 1584 "C:\Windows\SysWOW64\qdsun.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ntbst.com

C:\Windows\system32\ntbst.com 1604 "C:\Windows\SysWOW64\dxahm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qoepg.com

C:\Windows\system32\qoepg.com 1576 "C:\Windows\SysWOW64\ntbst.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ysocp.com

C:\Windows\system32\ysocp.com 1616 "C:\Windows\SysWOW64\qoepg.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ghcqb.com

C:\Windows\system32\ghcqb.com 1520 "C:\Windows\SysWOW64\ysocp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\dbxdr.com

C:\Windows\system32\dbxdr.com 1732 "C:\Windows\SysWOW64\ghcqb.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nbbak.com

C:\Windows\system32\nbbak.com 1600 "C:\Windows\SysWOW64\dbxdr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fmzyx.com

C:\Windows\system32\fmzyx.com 1572 "C:\Windows\SysWOW64\nbbak.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\cztmu.com

C:\Windows\system32\cztmu.com 1592 "C:\Windows\SysWOW64\fmzyx.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nfyee.com

C:\Windows\system32\nfyee.com 1568 "C:\Windows\SysWOW64\cztmu.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\swcra.com

C:\Windows\system32\swcra.com 1624 "C:\Windows\SysWOW64\nfyee.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vnucc.com

C:\Windows\system32\vnucc.com 1752 "C:\Windows\SysWOW64\swcra.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vcshb.com

C:\Windows\system32\vcshb.com 1608 "C:\Windows\SysWOW64\vnucc.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dguul.com

C:\Windows\system32\dguul.com 1540 "C:\Windows\SysWOW64\vcshb.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\iezcy.com

C:\Windows\system32\iezcy.com 1632 "C:\Windows\SysWOW64\dguul.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nnhxp.com

C:\Windows\system32\nnhxp.com 1656 "C:\Windows\SysWOW64\iezcy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\sppax.com

C:\Windows\system32\sppax.com 1552 "C:\Windows\SysWOW64\nnhxp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\aposm.com

C:\Windows\system32\aposm.com 1660 "C:\Windows\SysWOW64\sppax.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ngsig.com

C:\Windows\system32\ngsig.com 1648 "C:\Windows\SysWOW64\aposm.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\pbvlb.com

C:\Windows\system32\pbvlb.com 1744 "C:\Windows\SysWOW64\ngsig.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ngcgl.com

C:\Windows\system32\ngcgl.com 1596 "C:\Windows\SysWOW64\pbvlb.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vkeld.com

C:\Windows\system32\vkeld.com 1792 "C:\Windows\SysWOW64\ngcgl.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vkoyo.com

C:\Windows\system32\vkoyo.com 1676 "C:\Windows\SysWOW64\vkeld.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\abklk.com

C:\Windows\system32\abklk.com 1620 "C:\Windows\SysWOW64\vkoyo.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lhpem.com

C:\Windows\system32\lhpem.com 1704 "C:\Windows\SysWOW64\abklk.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\fnfhp.com

C:\Windows\system32\fnfhp.com 1684 "C:\Windows\SysWOW64\lhpem.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\sxljs.com

C:\Windows\system32\sxljs.com 1680 "C:\Windows\SysWOW64\fnfhp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xcfrl.com

C:\Windows\system32\xcfrl.com 1644 "C:\Windows\SysWOW64\sxljs.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\clnmu.com

C:\Windows\system32\clnmu.com 1828 "C:\Windows\SysWOW64\xcfrl.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\aquhm.com

C:\Windows\system32\aquhm.com 1652 "C:\Windows\SysWOW64\clnmu.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\forpa.com

C:\Windows\system32\forpa.com 1832 "C:\Windows\SysWOW64\aquhm.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nwnpm.com

C:\Windows\system32\nwnpm.com 1700 "C:\Windows\SysWOW64\forpa.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\qzqnz.com

C:\Windows\system32\qzqnz.com 1844 "C:\Windows\SysWOW64\nwnpm.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xdssq.com

C:\Windows\system32\xdssq.com 1696 "C:\Windows\SysWOW64\qzqnz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\dbxiw.com

C:\Windows\system32\dbxiw.com 1848 "C:\Windows\SysWOW64\xdssq.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\sutvf.com

C:\Windows\system32\sutvf.com 1712 "C:\Windows\SysWOW64\dbxiw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\npxts.com

C:\Windows\system32\npxts.com 1688 "C:\Windows\SysWOW64\sutvf.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\uxklm.com

C:\Windows\system32\uxklm.com 1692 "C:\Windows\SysWOW64\npxts.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cxjlt.com

C:\Windows\system32\cxjlt.com 1664 "C:\Windows\SysWOW64\uxklm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qhpww.com

C:\Windows\system32\qhpww.com 1740 "C:\Windows\SysWOW64\cxjlt.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\utjwp.com

C:\Windows\system32\utjwp.com 1748 "C:\Windows\SysWOW64\qhpww.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fpkox.com

C:\Windows\system32\fpkox.com 1872 "C:\Windows\SysWOW64\utjwp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\iknmj.com

C:\Windows\system32\iknmj.com 1668 "C:\Windows\SysWOW64\fpkox.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\sgfwz.com

C:\Windows\system32\sgfwz.com 1880 "C:\Windows\SysWOW64\iknmj.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\akqji.com

C:\Windows\system32\akqji.com 1736 "C:\Windows\SysWOW64\sgfwz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\fxjrc.com

C:\Windows\system32\fxjrc.com 1756 "C:\Windows\SysWOW64\akqji.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\pskcj.com

C:\Windows\system32\pskcj.com 1788 "C:\Windows\SysWOW64\fxjrc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\zolmz.com

C:\Windows\system32\zolmz.com 1768 "C:\Windows\SysWOW64\pskcj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kjefg.com

C:\Windows\system32\kjefg.com 1900 "C:\Windows\SysWOW64\zolmz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\svofh.com

C:\Windows\system32\svofh.com 1728 "C:\Windows\SysWOW64\kjefg.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xainb.com

C:\Windows\system32\xainb.com 1764 "C:\Windows\SysWOW64\svofh.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xlufp.com

C:\Windows\system32\xlufp.com 1716 "C:\Windows\SysWOW64\xainb.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\cncaf.com

C:\Windows\system32\cncaf.com 1920 "C:\Windows\SysWOW64\xlufp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ftjlv.com

C:\Windows\system32\ftjlv.com 1776 "C:\Windows\SysWOW64\cncaf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nuplb.com

C:\Windows\system32\nuplb.com 1928 "C:\Windows\SysWOW64\ftjlv.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\uysyt.com

C:\Windows\system32\uysyt.com 1708 "C:\Windows\SysWOW64\nuplb.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\crrqz.com

C:\Windows\system32\crrqz.com 1772 "C:\Windows\SysWOW64\uysyt.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ahjyv.com

C:\Windows\system32\ahjyv.com 1672 "C:\Windows\SysWOW64\crrqz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fjrtl.com

C:\Windows\system32\fjrtl.com 1800 "C:\Windows\SysWOW64\ahjyv.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kvlbw.com

C:\Windows\system32\kvlbw.com 1780 "C:\Windows\SysWOW64\fjrtl.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\urmlm.com

C:\Windows\system32\urmlm.com 1952 "C:\Windows\SysWOW64\kvlbw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mfdei.com

C:\Windows\system32\mfdei.com 1720 "C:\Windows\SysWOW64\urmlm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\uczrm.com

C:\Windows\system32\uczrm.com 1956 "C:\Windows\SysWOW64\mfdei.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ckmjg.com

C:\Windows\system32\ckmjg.com 1796 "C:\Windows\SysWOW64\uczrm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kwxsh.com

C:\Windows\system32\kwxsh.com 1804 "C:\Windows\SysWOW64\ckmjg.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mjauc.com

C:\Windows\system32\mjauc.com 1724 "C:\Windows\SysWOW64\kwxsh.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xyene.com

C:\Windows\system32\xyene.com 1976 "C:\Windows\SysWOW64\mjauc.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\fcosw.com

C:\Windows\system32\fcosw.com 1820 "C:\Windows\SysWOW64\xyene.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fvnsc.com

C:\Windows\system32\fvnsc.com 1760 "C:\Windows\SysWOW64\fcosw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nvmsr.com

C:\Windows\system32\nvmsr.com 1840 "C:\Windows\SysWOW64\fvnsc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\uawfa.com

C:\Windows\system32\uawfa.com 1836 "C:\Windows\SysWOW64\nvmsr.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\usxqc.com

C:\Windows\system32\usxqc.com 1856 "C:\Windows\SysWOW64\uawfa.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mdmvo.com

C:\Windows\system32\mdmvo.com 1860 "C:\Windows\SysWOW64\usxqc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\xvbba.com

C:\Windows\system32\xvbba.com 1884 "C:\Windows\SysWOW64\mdmvo.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zfbrt.com

C:\Windows\system32\zfbrt.com 1824 "C:\Windows\SysWOW64\xvbba.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kxqwx.com

C:\Windows\system32\kxqwx.com 1816 "C:\Windows\SysWOW64\zfbrt.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cafhz.com

C:\Windows\system32\cafhz.com 1808 "C:\Windows\SysWOW64\kxqwx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\kpsud.com

C:\Windows\system32\kpsud.com 1784 "C:\Windows\SysWOW64\cafhz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\hnzue.com

C:\Windows\system32\hnzue.com 1812 "C:\Windows\SysWOW64\kpsud.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rxprj.com

C:\Windows\system32\rxprj.com 1876 "C:\Windows\SysWOW64\hnzue.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xdmhx.com

C:\Windows\system32\xdmhx.com 1904 "C:\Windows\SysWOW64\rxprj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cifpq.com

C:\Windows\system32\cifpq.com 1908 "C:\Windows\SysWOW64\xdmhx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xzhkf.com

C:\Windows\system32\xzhkf.com 1912 "C:\Windows\SysWOW64\cifpq.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jxcno.com

C:\Windows\system32\jxcno.com 1916 "C:\Windows\SysWOW64\xzhkf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\snqiz.com

C:\Windows\system32\snqiz.com 1924 "C:\Windows\SysWOW64\jxcno.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\zulam.com

C:\Windows\system32\zulam.com 1940 "C:\Windows\SysWOW64\snqiz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\merdp.com

C:\Windows\system32\merdp.com 1888 "C:\Windows\SysWOW64\zulam.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rfagf.com

C:\Windows\system32\rfagf.com 1896 "C:\Windows\SysWOW64\merdp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\zvvyz.com

C:\Windows\system32\zvvyz.com 1892 "C:\Windows\SysWOW64\rfagf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jflde.com

C:\Windows\system32\jflde.com 1868 "C:\Windows\SysWOW64\zvvyz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\zvwdl.com

C:\Windows\system32\zvwdl.com 2072 "C:\Windows\SysWOW64\jflde.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\hzgqu.com

C:\Windows\system32\hzgqu.com 1992 "C:\Windows\SysWOW64\zvwdl.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\umqga.com

C:\Windows\system32\umqga.com 1960 "C:\Windows\SysWOW64\hzgqu.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\cfpgp.com

C:\Windows\system32\cfpgp.com 1852 "C:\Windows\SysWOW64\umqga.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\mmbez.com

C:\Windows\system32\mmbez.com 1944 "C:\Windows\SysWOW64\cfpgp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\phebm.com

C:\Windows\system32\phebm.com 1972 "C:\Windows\SysWOW64\mmbez.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ccorr.com

C:\Windows\system32\ccorr.com 2096 "C:\Windows\SysWOW64\phebm.com"

C:\Windows\SysWOW64\mxojh.com

C:\Windows\system32\mxojh.com 2084 "C:\Windows\SysWOW64\ccorr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rgtwv.com

C:\Windows\system32\rgtwv.com 1964 "C:\Windows\SysWOW64\mxojh.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eprhy.com

C:\Windows\system32\eprhy.com 1996 "C:\Windows\SysWOW64\rgtwv.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\etcmp.com

C:\Windows\system32\etcmp.com 1984 "C:\Windows\SysWOW64\eprhy.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\opcfx.com

C:\Windows\system32\opcfx.com 1864 "C:\Windows\SysWOW64\etcmp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wqbfm.com

C:\Windows\system32\wqbfm.com 2000 "C:\Windows\SysWOW64\opcfx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\eumkv.com

C:\Windows\system32\eumkv.com 1968 "C:\Windows\SysWOW64\wqbfm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rkgne.com

C:\Windows\system32\rkgne.com 1932 "C:\Windows\SysWOW64\eumkv.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wmpiu.com

C:\Windows\system32\wmpiu.com 2132 "C:\Windows\SysWOW64\rkgne.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\heenz.com

C:\Windows\system32\heenz.com 2152 "C:\Windows\SysWOW64\wmpiu.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\eyaax.com

C:\Windows\system32\eyaax.com 1988 "C:\Windows\SysWOW64\heenz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\otbtf.com

C:\Windows\system32\otbtf.com 2024 "C:\Windows\SysWOW64\eyaax.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wjogq.com

C:\Windows\system32\wjogq.com 2016 "C:\Windows\SysWOW64\otbtf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wbxqk.com

C:\Windows\system32\wbxqk.com 1936 "C:\Windows\SysWOW64\wjogq.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\htnwp.com

C:\Windows\system32\htnwp.com 2156 "C:\Windows\SysWOW64\wbxqk.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ecxel.com

C:\Windows\system32\ecxel.com 2008 "C:\Windows\SysWOW64\htnwp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\enkwz.com

C:\Windows\system32\enkwz.com 2032 "C:\Windows\SysWOW64\ecxel.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oqzhm.com

C:\Windows\system32\oqzhm.com 1948 "C:\Windows\SysWOW64\enkwz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rhrrw.com

C:\Windows\system32\rhrrw.com 2040 "C:\Windows\SysWOW64\oqzhm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\riacq.com

C:\Windows\system32\riacq.com 2004 "C:\Windows\SysWOW64\rhrrw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wfxse.com

C:\Windows\system32\wfxse.com 2028 "C:\Windows\SysWOW64\riacq.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jwsum.com

C:\Windows\system32\jwsum.com 2036 "C:\Windows\SysWOW64\wfxse.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mzvsz.com

C:\Windows\system32\mzvsz.com 2060 "C:\Windows\SysWOW64\jwsum.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jlqfp.com

C:\Windows\system32\jlqfp.com 2064 "C:\Windows\SysWOW64\mzvsz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\rpash.com

C:\Windows\system32\rpash.com 2088 "C:\Windows\SysWOW64\jlqfp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zewfk.com

C:\Windows\system32\zewfk.com 2012 "C:\Windows\SysWOW64\rpash.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\hjylc.com

C:\Windows\system32\hjylc.com 1980 "C:\Windows\SysWOW64\zewfk.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\jpnvr.com

C:\Windows\system32\jpnvr.com 2020 "C:\Windows\SysWOW64\hjylc.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\hjiih.com

C:\Windows\system32\hjiih.com 2044 "C:\Windows\SysWOW64\jpnvr.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ochiw.com

C:\Windows\system32\ochiw.com 2216 "C:\Windows\SysWOW64\hjiih.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ouibq.com

C:\Windows\system32\ouibq.com 2136 "C:\Windows\SysWOW64\ochiw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\bpbwh.com

C:\Windows\system32\bpbwh.com 2100 "C:\Windows\SysWOW64\ouibq.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\guueb.com

C:\Windows\system32\guueb.com 2080 "C:\Windows\SysWOW64\bpbwh.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\grire.com

C:\Windows\system32\grire.com 960 "C:\Windows\SysWOW64\guueb.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lwbzy.com

C:\Windows\system32\lwbzy.com 2092 "C:\Windows\SysWOW64\grire.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\worek.com

C:\Windows\system32\worek.com 2128 "C:\Windows\SysWOW64\lwbzy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bbkmw.com

C:\Windows\system32\bbkmw.com 2116 "C:\Windows\SysWOW64\worek.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\mixfg.com

C:\Windows\system32\mixfg.com 2120 "C:\Windows\SysWOW64\bbkmw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tmzkp.com

C:\Windows\system32\tmzkp.com 2252 "C:\Windows\SysWOW64\mixfg.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yzssi.com

C:\Windows\system32\yzssi.com 2124 "C:\Windows\SysWOW64\tmzkp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\mizcl.com

C:\Windows\system32\mizcl.com 2104 "C:\Windows\SysWOW64\yzssi.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\whlaw.com

C:\Windows\system32\whlaw.com 2164 "C:\Windows\SysWOW64\mizcl.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\eikak.com

C:\Windows\system32\eikak.com 2160 "C:\Windows\SysWOW64\whlaw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\goqda.com

C:\Windows\system32\goqda.com 2056 "C:\Windows\SysWOW64\eikak.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\bfsgp.com

C:\Windows\system32\bfsgp.com 2068 "C:\Windows\SysWOW64\goqda.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ownix.com

C:\Windows\system32\ownix.com 2148 "C:\Windows\SysWOW64\bfsgp.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\txvdo.com

C:\Windows\system32\txvdo.com 2172 "C:\Windows\SysWOW64\ownix.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bujqa.com

C:\Windows\system32\bujqa.com 2076 "C:\Windows\SysWOW64\txvdo.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\jztej.com

C:\Windows\system32\jztej.com 2180 "C:\Windows\SysWOW64\bujqa.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\rrsey.com

C:\Windows\system32\rrsey.com 2184 "C:\Windows\SysWOW64\jztej.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\welmr.com

C:\Windows\system32\welmr.com 2196 "C:\Windows\SysWOW64\rrsey.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dxkmy.com

C:\Windows\system32\dxkmy.com 2188 "C:\Windows\SysWOW64\welmr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\lxjmm.com

C:\Windows\system32\lxjmm.com 2108 "C:\Windows\SysWOW64\dxkmy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\oexpc.com

C:\Windows\system32\oexpc.com 2176 "C:\Windows\SysWOW64\lxjmm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\otvut.com

C:\Windows\system32\otvut.com 2208 "C:\Windows\SysWOW64\oexpc.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yooma.com

C:\Windows\system32\yooma.com 2328 "C:\Windows\SysWOW64\otvut.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gejam.com

C:\Windows\system32\gejam.com 2228 "C:\Windows\SysWOW64\yooma.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\gpwsb.com

C:\Windows\system32\gpwsb.com 2212 "C:\Windows\SysWOW64\gejam.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\qslco.com

C:\Windows\system32\qslco.com 2168 "C:\Windows\SysWOW64\gpwsb.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\wqikb.com

C:\Windows\system32\wqikb.com 1048 "C:\Windows\SysWOW64\qslco.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\dusyl.com

C:\Windows\system32\dusyl.com 2224 "C:\Windows\SysWOW64\wqikb.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gahaa.com

C:\Windows\system32\gahaa.com 2236 "C:\Windows\SysWOW64\dusyl.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\qswgn.com

C:\Windows\system32\qswgn.com 2256 "C:\Windows\SysWOW64\gahaa.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\bopqv.com

C:\Windows\system32\bopqv.com 2240 "C:\Windows\SysWOW64\qswgn.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\lgfwz.com

C:\Windows\system32\lgfwz.com 2364 "C:\Windows\SysWOW64\bopqv.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tkpjr.com

C:\Windows\system32\tkpjr.com 2244 "C:\Windows\SysWOW64\lgfwz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\wufgw.com

C:\Windows\system32\wufgw.com 2264 "C:\Windows\SysWOW64\tkpjr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yeweo.com

C:\Windows\system32\yeweo.com 2144 "C:\Windows\SysWOW64\wufgw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\gigjx.com

C:\Windows\system32\gigjx.com 2220 "C:\Windows\SysWOW64\yeweo.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ofcej.com

C:\Windows\system32\ofcej.com 2268 "C:\Windows\SysWOW64\gigjx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nydod.com

C:\Windows\system32\nydod.com 2232 "C:\Windows\SysWOW64\ofcej.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ietex.com

C:\Windows\system32\ietex.com 2192 "C:\Windows\SysWOW64\nydod.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vgzuj.com

C:\Windows\system32\vgzuj.com 2428 "C:\Windows\SysWOW64\ietex.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yfrft.com

C:\Windows\system32\yfrft.com 2248 "C:\Windows\SysWOW64\vgzuj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gnfxf.com

C:\Windows\system32\gnfxf.com 2272 "C:\Windows\SysWOW64\yfrft.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qtrpp.com

C:\Windows\system32\qtrpp.com 2296 "C:\Windows\SysWOW64\gnfxf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tpusk.com

C:\Windows\system32\tpusk.com 2200 "C:\Windows\SysWOW64\qtrpp.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ffpvs.com

C:\Windows\system32\ffpvs.com 2412 "C:\Windows\SysWOW64\tpusk.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\awiyi.com

C:\Windows\system32\awiyi.com 2204 "C:\Windows\SysWOW64\ffpvs.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ogpil.com

C:\Windows\system32\ogpil.com 2420 "C:\Windows\SysWOW64\awiyi.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\dojbl.com

C:\Windows\system32\dojbl.com 2300 "C:\Windows\SysWOW64\ogpil.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\oyzgy.com

C:\Windows\system32\oyzgy.com 2304 "C:\Windows\SysWOW64\dojbl.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vzxyf.com

C:\Windows\system32\vzxyf.com 2448 "C:\Windows\SysWOW64\oyzgy.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vovew.com

C:\Windows\system32\vovew.com 2260 "C:\Windows\SysWOW64\vzxyf.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\gkowm.com

C:\Windows\system32\gkowm.com 2436 "C:\Windows\SysWOW64\vovew.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ocnws.com

C:\Windows\system32\ocnws.com 2320 "C:\Windows\SysWOW64\gkowm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yvcuf.com

C:\Windows\system32\yvcuf.com 2444 "C:\Windows\SysWOW64\ocnws.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\gcyur.com

C:\Windows\system32\gcyur.com 2312 "C:\Windows\SysWOW64\yvcuf.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\tmewu.com

C:\Windows\system32\tmewu.com 2456 "C:\Windows\SysWOW64\gcyur.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\bqokm.com

C:\Windows\system32\bqokm.com 2308 "C:\Windows\SysWOW64\tmewu.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\dagze.com

C:\Windows\system32\dagze.com 2288 "C:\Windows\SysWOW64\bqokm.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qjmkh.com

C:\Windows\system32\qjmkh.com 2332 "C:\Windows\SysWOW64\dagze.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\bffup.com

C:\Windows\system32\bffup.com 2472 "C:\Windows\SysWOW64\qjmkh.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\odixx.com

C:\Windows\system32\odixx.com 2480 "C:\Windows\SysWOW64\bffup.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\tfqso.com

C:\Windows\system32\tfqso.com 2336 "C:\Windows\SysWOW64\odixx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\ajafx.com

C:\Windows\system32\ajafx.com 2416 "C:\Windows\SysWOW64\tfqso.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\bjblr.com

C:\Windows\system32\bjblr.com 2276 "C:\Windows\SysWOW64\ajafx.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nliac.com

C:\Windows\system32\nliac.com 2344 "C:\Windows\SysWOW64\bjblr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\veftx.com

C:\Windows\system32\veftx.com 2280 "C:\Windows\SysWOW64\nliac.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ivivg.com

C:\Windows\system32\ivivg.com 2284 "C:\Windows\SysWOW64\veftx.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\neqyw.com

C:\Windows\system32\neqyw.com 2356 "C:\Windows\SysWOW64\ivivg.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vibdg.com

C:\Windows\system32\vibdg.com 2352 "C:\Windows\SysWOW64\neqyw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\dbaeu.com

C:\Windows\system32\dbaeu.com 2368 "C:\Windows\SysWOW64\vibdg.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nxswc.com

C:\Windows\system32\nxswc.com 2292 "C:\Windows\SysWOW64\dbaeu.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ypith.com

C:\Windows\system32\ypith.com 2376 "C:\Windows\SysWOW64\nxswc.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ikjmw.com

C:\Windows\system32\ikjmw.com 2380 "C:\Windows\SysWOW64\ypith.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\sgkwe.com

C:\Windows\system32\sgkwe.com 2316 "C:\Windows\SysWOW64\ikjmw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\yhsru.com

C:\Windows\system32\yhsru.com 2324 "C:\Windows\SysWOW64\sgkwe.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\lgnud.com

C:\Windows\system32\lgnud.com 2544 "C:\Windows\SysWOW64\yhsru.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\azluy.com

C:\Windows\system32\azluy.com 2392 "C:\Windows\SysWOW64\lgnud.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\fabpg.com

C:\Windows\system32\fabpg.com 2396 "C:\Windows\SysWOW64\azluy.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qsqvt.com

C:\Windows\system32\qsqvt.com 2400 "C:\Windows\SysWOW64\fabpg.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\tzxxj.com

C:\Windows\system32\tzxxj.com 2388 "C:\Windows\SysWOW64\qsqvt.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\adhks.com

C:\Windows\system32\adhks.com 2408 "C:\Windows\SysWOW64\tzxxj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\lzivi.com

C:\Windows\system32\lzivi.com 2564 "C:\Windows\SysWOW64\adhks.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vymss.com

C:\Windows\system32\vymss.com 2568 "C:\Windows\SysWOW64\lzivi.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\qlcqe.com

C:\Windows\system32\qlcqe.com 2424 "C:\Windows\SysWOW64\vymss.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\dcxlv.com

C:\Windows\system32\dcxlv.com 2608 "C:\Windows\SysWOW64\qlcqe.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nunqa.com

C:\Windows\system32\nunqa.com 2492 "C:\Windows\SysWOW64\dcxlv.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xxcbn.com

C:\Windows\system32\xxcbn.com 2432 "C:\Windows\SysWOW64\nunqa.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vryol.com

C:\Windows\system32\vryol.com 2584 "C:\Windows\SysWOW64\xxcbn.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\fxkgn.com

C:\Windows\system32\fxkgn.com 2440 "C:\Windows\SysWOW64\vryol.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nfygz.com

C:\Windows\system32\nfygz.com 2592 "C:\Windows\SysWOW64\fxkgn.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nqkzw.com

C:\Windows\system32\nqkzw.com 2372 "C:\Windows\SysWOW64\nfygz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\sssue.com

C:\Windows\system32\sssue.com 2496 "C:\Windows\SysWOW64\nqkzw.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\qilca.com

C:\Windows\system32\qilca.com 2384 "C:\Windows\SysWOW64\sssue.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\ppazr.com

C:\Windows\system32\ppazr.com 2464 "C:\Windows\SysWOW64\qilca.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vzjuh.com

C:\Windows\system32\vzjuh.com 2488 "C:\Windows\SysWOW64\ppazr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\atcxk.com

C:\Windows\system32\atcxk.com 2452 "C:\Windows\SysWOW64\vzjuh.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\csovd.com

C:\Windows\system32\csovd.com 2624 "C:\Windows\SysWOW64\atcxk.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\vognz.com

C:\Windows\system32\vognz.com 2504 "C:\Windows\SysWOW64\csovd.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xygdr.com

C:\Windows\system32\xygdr.com 2476 "C:\Windows\SysWOW64\vognz.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\iqviw.com

C:\Windows\system32\iqviw.com 2484 "C:\Windows\SysWOW64\xygdr.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\iuibk.com

C:\Windows\system32\iuibk.com 2512 "C:\Windows\SysWOW64\iqviw.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kaoda.com

C:\Windows\system32\kaoda.com 2340 "C:\Windows\SysWOW64\iuibk.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xcutl.com

C:\Windows\system32\xcutl.com 2508 "C:\Windows\SysWOW64\kaoda.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\foetm.com

C:\Windows\system32\foetm.com 2516 "C:\Windows\SysWOW64\xcutl.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\keboi.com

C:\Windows\system32\keboi.com 2460 "C:\Windows\SysWOW64\foetm.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\afywj.com

C:\Windows\system32\afywj.com 1336 "C:\Windows\SysWOW64\keboi.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\fssec.com

C:\Windows\system32\fssec.com 2528 "C:\Windows\SysWOW64\afywj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\vadmj.com

C:\Windows\system32\vadmj.com 2532 "C:\Windows\SysWOW64\fssec.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\xgrpz.com

C:\Windows\system32\xgrpz.com 2536 "C:\Windows\SysWOW64\vadmj.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kfmrh.com

C:\Windows\system32\kfmrh.com 2500 "C:\Windows\SysWOW64\xgrpz.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\nappu.com

C:\Windows\system32\nappu.com 2360 "C:\Windows\SysWOW64\kfmrh.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\acvff.com

C:\Windows\system32\acvff.com 2552 "C:\Windows\SysWOW64\nappu.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\kxwpn.com

C:\Windows\system32\kxwpn.com 2572 "C:\Windows\SysWOW64\acvff.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/4832-0-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4832-1-0x0000000000960000-0x00000000009A4000-memory.dmp

memory/4832-3-0x0000000000910000-0x0000000000911000-memory.dmp

memory/4832-4-0x0000000000700000-0x0000000000701000-memory.dmp

memory/4832-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/4832-6-0x0000000002300000-0x0000000002304000-memory.dmp

memory/4832-5-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/4832-13-0x0000000002360000-0x0000000002361000-memory.dmp

memory/4832-27-0x0000000002550000-0x0000000002551000-memory.dmp

memory/4832-26-0x0000000002560000-0x0000000002561000-memory.dmp

memory/4832-25-0x0000000002530000-0x0000000002531000-memory.dmp

memory/4832-24-0x0000000002540000-0x0000000002541000-memory.dmp

memory/4832-23-0x0000000002400000-0x0000000002401000-memory.dmp

memory/4832-22-0x0000000002520000-0x0000000002521000-memory.dmp

memory/4832-21-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/4832-20-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/4832-19-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/4832-18-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/4832-17-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/4832-16-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/4832-15-0x0000000002380000-0x0000000002381000-memory.dmp

memory/4832-14-0x0000000002390000-0x0000000002391000-memory.dmp

memory/4832-12-0x0000000002370000-0x0000000002371000-memory.dmp

memory/4832-11-0x0000000002330000-0x0000000002331000-memory.dmp

memory/4832-10-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/4832-9-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/4832-8-0x0000000002320000-0x0000000002321000-memory.dmp

memory/4832-7-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/4832-29-0x0000000002580000-0x0000000002581000-memory.dmp

memory/4832-40-0x0000000002620000-0x0000000002621000-memory.dmp

memory/4832-39-0x0000000002630000-0x0000000002631000-memory.dmp

memory/4832-38-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/4832-37-0x0000000002610000-0x0000000002611000-memory.dmp

memory/4832-36-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/4832-35-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/4832-34-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/4832-33-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/4832-32-0x0000000002590000-0x0000000002591000-memory.dmp

memory/4832-31-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/4832-30-0x0000000002570000-0x0000000002571000-memory.dmp

memory/4832-42-0x0000000002640000-0x0000000002641000-memory.dmp

memory/4832-41-0x0000000002650000-0x0000000002651000-memory.dmp

\??\c:\acx.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d67d51b859c99a46a906a4c3a6ff6560
SHA1 b685cc703a1c86ba8ad681b545a6f3014b80d585
SHA256 33d0a27d49cd3cfa5a4ef5027d3defe60a3f7be1a3914870390b9829d360937a
SHA512 c986416a115ca162ee28d5dfd1159538d81a751e4961340415718c0d1f0ffa4d80675b4b698ed039eef86cbe1b2c0b01a0004dea39111056013d3e0a0179cedd

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5b77620cb52220f4a82e3551ee0a53a6
SHA1 07d122b8e70ec5887bad4ef8f4d6209df18912d0
SHA256 93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579
SHA512 9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/4832-152-0x00000000032F0000-0x00000000032F1000-memory.dmp

memory/4832-153-0x00000000032E0000-0x00000000032E1000-memory.dmp

memory/4832-161-0x0000000003360000-0x0000000003361000-memory.dmp

memory/4832-160-0x0000000003370000-0x0000000003371000-memory.dmp

memory/4832-159-0x0000000003340000-0x0000000003341000-memory.dmp

memory/4832-158-0x0000000003350000-0x0000000003351000-memory.dmp

memory/4832-157-0x0000000003320000-0x0000000003321000-memory.dmp

memory/4832-154-0x0000000003310000-0x0000000003311000-memory.dmp

memory/4832-156-0x0000000003330000-0x0000000003331000-memory.dmp

memory/4832-155-0x0000000003300000-0x0000000003301000-memory.dmp

memory/4832-175-0x0000000003420000-0x0000000003421000-memory.dmp

memory/4832-177-0x00000000033F0000-0x00000000033F1000-memory.dmp

memory/4832-176-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4832-174-0x0000000003430000-0x0000000003431000-memory.dmp

memory/4832-173-0x0000000003400000-0x0000000003401000-memory.dmp

memory/4832-172-0x0000000003410000-0x0000000003411000-memory.dmp

memory/4832-171-0x00000000033E0000-0x00000000033E1000-memory.dmp

memory/4832-170-0x00000000033C0000-0x00000000033C1000-memory.dmp

memory/4832-169-0x00000000033D0000-0x00000000033D1000-memory.dmp

memory/4832-168-0x00000000033A0000-0x00000000033A1000-memory.dmp

memory/4832-167-0x00000000033B0000-0x00000000033B1000-memory.dmp

memory/4832-166-0x0000000003380000-0x0000000003381000-memory.dmp

memory/4832-165-0x0000000003390000-0x0000000003391000-memory.dmp

C:\Windows\SysWOW64\scxbt.com

MD5 06b2a063d4f7ed1fbdf89ac4da07890a
SHA1 cfbec43e3d4ff6075a9f8593cf83467aa4b2ea40
SHA256 03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149
SHA512 35f5fdbefc61b4aedeffc159f769add5f1406fb10c48ebfa47da3d8549280ced0373aac150ba16f6f3f6ebe60acf0cea3438c581cae139089c3fbfe3aa95d6ec

memory/4832-180-0x0000000000960000-0x00000000009A4000-memory.dmp

memory/4552-182-0x0000000000990000-0x00000000009D4000-memory.dmp

memory/4552-185-0x0000000002370000-0x0000000002371000-memory.dmp

memory/4552-184-0x0000000002250000-0x0000000002251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d8be0d42e512d922804552250f01eb90
SHA1 cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
SHA256 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
SHA512 f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8d6eb64e58d3f14686110fcaf1363269
SHA1 d85c0b208716b400894ba4cb569a5af4aa178a2f
SHA256 c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5
SHA512 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 7fe70731de9e888ca911baeb99ee503d
SHA1 0073da5273512f66dbf570580dc55957535c2478
SHA256 ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a
SHA512 4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

memory/4832-295-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4552-324-0x0000000000990000-0x00000000009D4000-memory.dmp

memory/4552-322-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2180-434-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f8a9a1aa9bab7821d25ae628e6d04f68
SHA1 c3e7a9ccc9805ae94aabfd16e2cb461fde3fae5a
SHA256 76ee7c489d11427af94d0334368ef2ed44df4a74984ffd4022c9ea9fae9c41fb
SHA512 0fb3a29367fa3c3eb36c6a7e9ff217ccdd7cce18309964aa7068a00f500ea4ea49588344ebbc52ae77d83e5042c3fdb84f56fa1dae07b8bb774aed6fffd18c0a

memory/3912-543-0x0000000000400000-0x0000000000498000-memory.dmp

memory/3100-549-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6bf876cd9994f0d41be4eca36d22c42a
SHA1 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79
SHA256 ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a
SHA512 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

memory/4592-664-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2912-764-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA1 a365542609e4d1dc46be62928b08612fcabe2ede
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5002319f56002f8d7ceacecf8672ce25
SHA1 3b26b6801be4768cc7582e29bc93facdf2a74be3
SHA256 f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c
SHA512 8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

memory/4592-893-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4820-915-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c93c561465db53bf9a99759de9d25f07
SHA1 5386934828e2c2589bfe394ac1f03ffbfba93bfa
SHA256 32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851
SHA512 bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

memory/2492-1032-0x0000000000400000-0x0000000000498000-memory.dmp

memory/3016-1038-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5bf31d7ea99b678c867ccdec344298aa
SHA1 2e548f54bf50d13993105c4f59bbeaeb87b17a68
SHA256 52be521b5509b444c0369ea7e69fc06b2d0b770cf600386c9a0178225ccdd281
SHA512 1bc82b65efe8c2be419748c8534210e7ad8cc8332ef87fb5df828eaebfdf630066ab3ad8d3ceeb82dee5ec4e680daff2748fcd4beaad8c71f1477b2ec7fe3564

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6fe56f6715b4c328bc5b2b35cb51c7e1
SHA1 8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3
SHA256 0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be
SHA512 8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

memory/2408-1077-0x0000000000400000-0x0000000000498000-memory.dmp

memory/960-1155-0x0000000000400000-0x0000000000498000-memory.dmp

memory/3016-1164-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 584f47a0068747b3295751a0d591f4ee
SHA1 7886a90e507c56d3a6105ecdfd9ff77939afa56f
SHA256 927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5
SHA512 ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

memory/2388-1272-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3637baf389a0d79b412adb2a7f1b7d09
SHA1 f4b011a72f59cf98a325f12b7e40ddd0548ccc16
SHA256 835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba
SHA512 ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

memory/960-1314-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4752-1320-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1b2949b211ab497b739b1daf37cd4101
SHA1 12cad1063d28129ddd89e80acc2940f8dfbbaab3
SHA256 3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c
SHA512 a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

memory/2388-1431-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2672-1438-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3bd23392c6fcc866c4561388c1dc72ac
SHA1 c4b1462473f1d97fed434014532ea344b8fc05c1
SHA256 696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43
SHA512 15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

memory/4752-1482-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2672-1559-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 748bce4dacebbbd388af154a1df22078
SHA1 0eeeb108678f819cd437d53b927feedf36aabc64
SHA256 1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a
SHA512 d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 54ca6e3ef1c12b994043e85a8c9895f0
SHA1 5eaccfb482cbe24cf5c3203ffdc926184097427e
SHA256 0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0
SHA512 925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 117efa689c5631c1a1ee316f123182bd
SHA1 f477bf1e9f4db8452bd9fe314cd18715f7045689
SHA256 79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7
SHA512 abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5e073629d751540b3512a229a7c56baf
SHA1 8d384f06bf3fe00d178514990ae39fc54d4e3941
SHA256 2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e
SHA512 84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

memory/2712-1676-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5855edf3afa67e11de78af0389880d18
SHA1 c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f
SHA256 c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa
SHA512 5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6b0182442d6e09100c34904ae6d8ee0c
SHA1 6255e65587505629521ea048a4e40cc48b512f2c
SHA256 cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4
SHA512 64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46

memory/4468-1794-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1832-1738-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 67a0c98a371995d5434cb9788ee1c42f
SHA1 7171d3dca52f038ca9d9e8b13f356462dbc8f3cc
SHA256 2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3
SHA512 f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

memory/4908-1873-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4536-1899-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4468-1912-0x0000000000400000-0x0000000000498000-memory.dmp

memory/4536-1993-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c8441ec8a2edf9b2f4f631fe930ea4d9
SHA1 2855ee21116b427d280fcaa2471c9bd3d2957f6f
SHA256 dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184
SHA512 b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

memory/1308-2033-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1536-2263-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f708dcfd087b5b3763678cfb8d63735e
SHA1 a38fa7fa516c1402762425176ff1b607db36c752
SHA256 abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10
SHA512 fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6dd7ad95427e77ae09861afd77104775
SHA1 81c2ffe8c63e71f013a07e5794473b60f50c0716
SHA256 8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2
SHA512 171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

memory/1392-2485-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2292-2710-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1436-2719-0x0000000000400000-0x0000000000498000-memory.dmp

memory/980-2747-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e2564fc59a86ea85b7485ab7288c68c4
SHA1 bc1544d9a03d1adafe399067ac32bf8d1cedbdb0
SHA256 68e8d8ef14bfbe96ebad3fb391fd4c1e57068a7f950dd31840884f6d58b078a8
SHA512 e09c6741d99ec41763e939aa39adb4e0f8508d37556c52251eec268849e85960da42ace7e9b82f1927de5bcf29ebec205189b113d2bb123025f3e6615b28ff0a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 989c5352030fafd44b92adf4d4164738
SHA1 e02985c15eb20682115e3fc343f829e28770ed6c
SHA256 248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38
SHA512 9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 831afd728dd974045c0654510071d405
SHA1 9484f4ee8e9eef0956553a59cfbcbe99a8822026
SHA256 03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2
SHA512 ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 ff6c57e8ec2b96b8da7fe900f1f3da1c
SHA1 a6f0dc2e2a0a46e1031017b81825173054bf76ae
SHA256 ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6
SHA512 c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5020988c301a6bf0c54a293ddf64837c
SHA1 5b65e689a2988b9a739d53565b2a847f20d70f09
SHA256 a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d
SHA512 921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 159bb1d34a927f58fc851798c7c09b58
SHA1 c3a26565004531f3a93e29eabb0f9a196b4c1ba2
SHA256 53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd
SHA512 b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b6b8b04c60361e2df1d3e29fc4fc3138
SHA1 bd732238f8d5894ca6020081adef617dabadf94e
SHA256 f255a5447d3a3eda8715938993357971faeabf92eecf172e2fc0dfbdaa239c1b
SHA512 16e7247fdc0c1191229ea44b4f6584dce588255e775642c343cffb2030c05bd77f4eb716d87d21defb0fe7edcc62a7a2e12ecbebbd72bc9a5247934fdd02fe40

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 09e45f09a25fed7995c8430f4a370ade
SHA1 fc49fec86e600a7c4e1b6bfa274f883635d65687
SHA256 f827e79f717d490ba61a9ec5f8198ebc3066e22fd25871f06ce15f04162f57b9
SHA512 1a6ed68eced45f30fff3f281ceb082d6ae9e13bc71f6f7da5b4ba064e9876ef7efd76eaffe1325f6e3dfa3a5429200302ea84915245f26ac393105fd1ec365ad

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 63ff40a70037650fd0acfd68314ffc94
SHA1 1ab29adec6714edf286485ac5889fddb1d092e93
SHA256 1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b
SHA512 2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

memory/4548-5368-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2524-5830-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 908860a865f8ed2e14085e35256578dd
SHA1 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603
SHA256 d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
SHA512 a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a84d46ef81c793a90a80bc806cffdcf
SHA1 02fac9db9330040ffc613a325686ddca2678a7c5
SHA256 201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4
SHA512 b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2299014e9ce921b7045e958d39d83e74
SHA1 26ed64f84417eb05d1d9d48441342ca1363084da
SHA256 ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57
SHA512 0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e2d37af73d5fe4a504db3f8c0d560e3d
SHA1 88c6bf5b485dd9c79283ccb5d2546ffbb95e563d
SHA256 e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008
SHA512 8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89