Malware Analysis Report

2025-03-15 08:22

Sample ID 241020-2fqm1awbnm
Target 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN
SHA256 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290c
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290c

Threat Level: Known bad

The file 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (60) files with added filename extension

Renames multiple (72) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 22:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 22:31

Reported

2024-10-20 22:33

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (72) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\ProgramData\fGoIwkok\pWEYIMQs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQAkQcoo.exe = "C:\\Users\\Admin\\YGoswEoY\\eQAkQcoo.exe" N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Veokogws.exe = "C:\\ProgramData\\qIgcssEE\\Veokogws.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xoEoMkQo.exe = "C:\\Users\\Admin\\ueMcoUsA\\xoEoMkQo.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pWEYIMQs.exe = "C:\\ProgramData\\fGoIwkok\\pWEYIMQs.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xoEoMkQo.exe = "C:\\Users\\Admin\\ueMcoUsA\\xoEoMkQo.exe" C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pWEYIMQs.exe = "C:\\ProgramData\\fGoIwkok\\pWEYIMQs.exe" C:\ProgramData\fGoIwkok\pWEYIMQs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A N/A
N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A
N/A N/A C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe
PID 1248 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe
PID 1248 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe
PID 1248 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\fGoIwkok\pWEYIMQs.exe
PID 1248 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\fGoIwkok\pWEYIMQs.exe
PID 1248 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\fGoIwkok\pWEYIMQs.exe
PID 1248 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 4460 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 4460 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2108 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4204 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 4204 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 3572 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 3572 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 916 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 916 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 916 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3748 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 3900 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 3900 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 3748 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe

"C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe"

C:\ProgramData\fGoIwkok\pWEYIMQs.exe

"C:\ProgramData\fGoIwkok\pWEYIMQs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juEQgswk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAsIscU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riwsooIw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQgAgsco.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seMUMEQc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkwgwsIs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aecQkcAE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoAwUIQs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEQYoMwM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VicUkMsI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwwAAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgMAAIMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmswYYQk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UogAUYYY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkEYUoMU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TigUwEsg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWUEEEYE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuUUsYAM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYYYIkYY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWMIEAEY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYUEoYso.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwkoUUEY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYcMYYoM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKYckYsw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYsskIMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKkUAcsg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUkQUwMU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MisEcIYA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWYIYoUs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiAkMUwg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcQcgwIU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riMwEEEE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMsoEIgo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOskcAIE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOEsEAAg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAIsMcEk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAQYEgUk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiUoIcIg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYIUcYwE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osAEckUk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGYMscgU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkwwUMYs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYossIMA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCkMYAoY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rioYUMgU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiAIEoEA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqcIswYo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meIcIkQM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCwIUsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEAAQkoc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqYwAUcM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMYEcoUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMIAgYE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmIAYYcY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SagwYgIs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIoUkQcA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suUscEoI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWUIQEcI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dikAwwMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGgYoAow.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwYskskI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWIIEMcE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQkMwAQU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYsEUwkM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGYkMAUE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCMAUwEM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSoMQQkY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyQQUsko.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQYscgsg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeogkoMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEAIwgMk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMcMIsUU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RokEwQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAgQMkIs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KskosQgE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKUkAcoY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSoIgIYw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKwMggEQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYMcowMU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkwMEYUg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paIMAsIs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAgkcOEw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSkcAgQU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umQAcQcE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqUAgYEs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMwwMUgk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKscYEIY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgsIMwcw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOcswYYM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccQssQMw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWEwMAoI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSsQUAwA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWcgwkQI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuMEIUcg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWgcwowI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyIwIAkA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQogEsQE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWkkcYcI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAoIAYIg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAEYcQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAgUwkUY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEQoUIcs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsoQckQw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIMkocsE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUUAoQcw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOYUgosE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeMYccks.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwscksoM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUcwQswA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoYAkMss.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngUIQYko.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMwsscow.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MggIoMIM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGgUkckI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYokoEAI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWUwosks.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGIQEIcE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yywUccEs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkkkcEMk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meQYMIMw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuEwsgUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIAsYosU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGYMEwsE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lecEgYkU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUUsQIsU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMIYQMwE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umskAQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWQIoQoc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuUMgUQA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOMkgcIY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAMAcAYI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqIsosEM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueQMcgAs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEIIIkkE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIIEUUMw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIowYMsI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQckAIAU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1248-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe

MD5 32a6cebef78f9a851bfa7edee34c02a3
SHA1 9db706fef3aa1e682d786f0081e94d706b6673db
SHA256 38d054ae4a4b1f9147338f8bd23c137a77f92e30da7f5088440b1728a8d269ea
SHA512 b3a576943d6234351acafa81860c8df19d3b0fcc8a9b31559f233c9f920b79ba1ad5185bcb5ab017dfb4e41e880704724312697460f878414f2fba579450e5ec

C:\ProgramData\fGoIwkok\pWEYIMQs.exe

MD5 f8d62a1f1aff92f4d386d455fde0a126
SHA1 702a16e830dfc83a6cd19ab5fd7f3a68347717c0
SHA256 855a48621fca99637a19677566ddd37cc9d06d2e71663328f8814008f398c69f
SHA512 be63c7e3c34b364676f29b94eacb71e64da6c49907a1ef09c53538edf8bb6a353e888658ab7887d0fae8c13251c7abd40718bb01c6da7840c3d867cfbb712944

memory/2644-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4768-12-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1248-19-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4204-20-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\juEQgswk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

MD5 465608ce506144bb84af2ccfc475e15b
SHA1 ad35db7aedb4d245d4151fe7f91a195248f71f73
SHA256 862c779a739524499e4d3ab328d041769417ff471e5eb7b183372c82a408a329
SHA512 c026a6ca05f92fb8b749cb1bddecca2d5101e3cda05c488ac354860cc6b333392780ca4fbdc71c1310500c168623c365a6db80fe9a11e0e5b2d24ca34f098d95

memory/4204-33-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3748-34-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5056-42-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3748-46-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5056-57-0x0000000000400000-0x0000000000433000-memory.dmp

memory/436-69-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5020-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1516-92-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2272-103-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5028-114-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2832-127-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4092-138-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4180-149-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4232-150-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4232-163-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4608-174-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2968-185-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2932-193-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4640-197-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2932-210-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1368-220-0x0000000000400000-0x0000000000433000-memory.dmp

memory/384-232-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\fGoIwkok\pWEYIMQs.inf

MD5 f278d1eb754615a3e65f152eff901ffc
SHA1 74af2d041fe6ecff3835167d43acb3512aed3f7b
SHA256 71a341aaffcb148a16f7b85b525dbeb1c6d4a0a09f4fcce6b813b21a5b790674
SHA512 ea0e6a3e5696ceb6fdd2f0794c7fb2446976b9de3346c4de91845801feb89cf55dcae84264f632cd4a52482ecf2087b1f940671ff353f0051b063f276b1bcf5a

C:\Users\Admin\ueMcoUsA\xoEoMkQo.inf

MD5 23b381bb9912c3e9411d9419e0fc8f46
SHA1 644d8d3ec5d1da88d1f0d3c08cfe81228b3fc04c
SHA256 f07aa7a79bb82dd2b2e2d66f1dd5f6d276ab5c6e2388ccd6a211b40bfafc4b55
SHA512 4a1368de4cdf127dcd15a267b0bfb9f36f0fbc117ad8a707612fa878d4b657add094962606d5156c1efbee3cc62105ed8b364e6185010fdebe710c1c30be7196

memory/768-247-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4304-248-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4304-257-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4760-265-0x0000000000400000-0x0000000000433000-memory.dmp

memory/396-270-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2788-274-0x0000000000400000-0x0000000000433000-memory.dmp

memory/396-284-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1220-292-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2336-300-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2308-308-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1464-318-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3364-326-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4228-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4280-336-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4280-343-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3544-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2372-354-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2372-362-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2484-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1060-380-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4464-382-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4464-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4304-390-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4304-399-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2040-408-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3052-416-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2028-424-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3500-432-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1360-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1604-450-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3808-458-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3076-459-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3076-469-0x0000000000400000-0x0000000000433000-memory.dmp

memory/512-477-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4200-485-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3888-486-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3888-496-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1176-497-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4632-502-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1176-506-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4632-514-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1220-522-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3664-531-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2336-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3748-548-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4404-556-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2256-566-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3364-574-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4228-582-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4808-592-0x0000000000400000-0x0000000000433000-memory.dmp

memory/972-600-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-608-0x0000000000400000-0x0000000000433000-memory.dmp

memory/264-616-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4676-626-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4652-635-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4512-631-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4512-643-0x0000000000400000-0x0000000000433000-memory.dmp

memory/220-652-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4324-661-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3692-669-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4620-670-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4620-679-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4560-688-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5024-690-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5024-697-0x0000000000400000-0x0000000000433000-memory.dmp

memory/392-699-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1232-704-0x0000000000400000-0x0000000000433000-memory.dmp

memory/392-709-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GMca.exe

MD5 edb7f852ad74d1f791fe0ed2e6e6b350
SHA1 fb79e595d57914a0db028c2960dd53676f101542
SHA256 668258561d2c2f7a55e296151a6b4f348fc5197c4843d8f9722c82c355829996
SHA512 9408af883b099cf599dcabe84d8d9fba3b5e286aed183eac3b8009016ce36284b47f3217a2df03417a7e57e51b038bebe6d3635e6c4ad5272226675844e5e5c0

memory/1232-732-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iIoO.exe

MD5 1020ff4cb8b5c8f6ea137a7f389b90cf
SHA1 8fd5445813e04a79a2576b30e020d136eb4a8618
SHA256 da0bde72b87f84a67c4589d74704fe9a1ef3b45d4aa0d4b06d5bcc13fd52f935
SHA512 8b7ec4924b2bb3023658a66414ebaebc01d09ee3a9508e51077406505ae8730f6e6778ff2b741aba4766183893edda8c24181a483f5c20bb60385233ca434dac

C:\Users\Admin\AppData\Local\Temp\AgoO.exe

MD5 399f48d3731bfa9e0ca93d74f58b21b0
SHA1 91e2efaeee570fe830ab1c8c2adc414e0bb52348
SHA256 19a79c3383b74e26691b65e771bceefd98b4d37889a029f5dd8d6d8a3c1f96cd
SHA512 02c8d328378aa85a5a8264fe50e1c8f33a711c680cbfec4cc69c249d80a9bd9f2adb7bf296b112c1fa747ab06e108fbd20faa14d7668b69c35771e8245da6669

C:\Users\Admin\AppData\Local\Temp\sUAg.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\QUMs.exe

MD5 cc416fe06d0e1972ee276d19ec90392e
SHA1 8211b6d0963c1309c0b37f19a7245e54580f9bd8
SHA256 3053989c6ac071e537b7d3fbcde76eb36c4297a7a2ad52d470383896bd805131
SHA512 ff832fd72a7dd5b32d6bf841e5bca7d4563392fadd8d65a6c9784db7b8d0cf0913afc84d939782ab1a676bbdb60cf9512d696200fea0fd21fc440e7b215c49a4

C:\Users\Admin\AppData\Local\Temp\wEkQ.exe

MD5 eb9b7b20ec9ffbd4e72626db7ba67a14
SHA1 7ae2469ed631e8eab63de8a978c9fdbfe474b7f3
SHA256 76b3fd8d33681b8dc9c2c4af7b1eada4748bcf698dd9989b3a7bf7eaa80f8e35
SHA512 6291aaa4d80c1bd9b2b47d96b57774e660549f247b5920f2116363aca3436c2ec770351f257f8c4979957a2815b27f91de7c1ea12f341ef509336b74fec7bb1a

C:\Users\Admin\AppData\Local\Temp\IUcY.exe

MD5 d039dd456945c24f72b1e1aa3d66a409
SHA1 933a43252e16f40e41e9317273f41352c65b8b51
SHA256 3e68d0ebb61982b3969fdab97c92185b59a581f2f92aaa7036324edce414c555
SHA512 be92f3a8d50df389fb52d54535eb638796769fc516bcabd5f54c6bf4036630a2cc4fcc944d199d18a0de4a642ac296847215eea9520cfa6f5b0f19df194ad34a

C:\Users\Admin\AppData\Local\Temp\Ykko.exe

MD5 c7f355c94bdaabbc70437e80415426ec
SHA1 6be4aaf4faf3101bb52754e7a161157f5f0875e2
SHA256 205f3b99dd9240a2e79d1355d31d3b03c91b2b3dd2319876b5a37ebc8f500c58
SHA512 eaddf56509bd87670472b574f445c242892dfb00a9fcba9cc94168ca354237aa57f6a8f90b6d3bdf9b624917a5e745fc240cdb13627be88f48ffe8aca133bea5

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 be848ca7761b707f7e4c37fdbe0658c9
SHA1 c9f2f97917ef24ec4e76d02f2fdd99078d675d5e
SHA256 6fabff44fb4c9f9b2709bed82afc1b71641bdfe51a19ee551503c11fef6b86d5
SHA512 34ac2f0d7344473f2abc2b14cc894ec82cb079b7a2b8b6342edb903cdcb143f11e6ff8a0bb8e674b7465d6b4f33009428ca15185acdea76537580c09491a920c

C:\Users\Admin\AppData\Local\Temp\cMUw.exe

MD5 c0490fef6e66c9aa44e2164d19bab4a5
SHA1 2d75dd13baad972401d4a7ac0198e44c83aae7b2
SHA256 498187cba9bd557d3ff6e888300886d79ba488be76e49bfc3d61b514a2e67805
SHA512 42c46761cb1f274502bcc3d1db03758f7024862a491a36f2f570b49f88e111ceeacc6475593e30da277054224f60586ed06f958458c5dd4f98bf9e6bb80dfead

C:\Users\Admin\AppData\Local\Temp\UYkE.exe

MD5 311f167b017eb012e0bfe266ad0d6f44
SHA1 bf5c21a88ade23574528ac0aa7d36da29a069421
SHA256 dfe321821aee04f286f5b3e0230a13814abb05b9d06524efbff63831f3fd7106
SHA512 0c759730e1ff96d5b8521d976a3278bbf9c290f6b52d56ef853547289275ac5153b57ccc745eef5c1c9805980b020fbf80cace294241f52298e775aaa9cb53aa

C:\Users\Admin\AppData\Local\Temp\uoIk.exe

MD5 11918dbe54fc9d59d5832b574c77f85b
SHA1 cbc7dea303d9e07562b05c919b410f78654a6ce5
SHA256 bf1e3967a60881d8f04f665462f2ffaa660a48210ecfbb3602f5c3a0429e1376
SHA512 661c19b232771725cd352785135017ba4dcf24660aaa2a16ee18ee8b7320b99992e14327799e0dc4b247e7ed51c29ebb306be53dca9a756b43c54ab2754f6f05

C:\Users\Admin\AppData\Local\Temp\UwUw.exe

MD5 156808684583a82773c50b1d9baacdbc
SHA1 0344523b2afae429e13a522f0ce51e22882be6da
SHA256 48ea35e834a90c09b34213c6a185074bdbd6b0f63dc53e614332a616e2046a62
SHA512 074f8791bb787b8cb2fe8fcc9418c261c81824d099191691926cf2c9dd84954fc65fed23c762e8047d856c890c127968287c43dd2d7e77326e8b2cded6e686dd

C:\Users\Admin\AppData\Local\Temp\CIcy.exe

MD5 963c81faae0406bb46dc8f1d2fc42c50
SHA1 9a1a6db3e8b5eb3525d600fc32f9eb0f6c1f7724
SHA256 18d270b5c0cec56bd1877ecf5f295059fc790432465073f04425959a9a1914a0
SHA512 c8d3a189eabe650627b637a39d4e821a4130eaa72d04a1aa000edb85b48abc83789ff6d333badae2dd5c041404f7f0b4c03c75561e4437e9415369d37d59d6e6

C:\Users\Admin\AppData\Local\Temp\iYUo.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iwku.exe

MD5 3dfc54d78eb8c38fec229f038b0980e2
SHA1 59a0f7182dbccc297b17c28c9623ce7e3c6ea99c
SHA256 74a537a7324643fea59322dfd7f14beadd5347c1fe718da8fa0e844290e1cc9c
SHA512 d10d7dc9b41919a88873f9f5abd6b1038f0304151b78f982afbdf2fe12abd2d2672089f03413ec4937f60781415dda7883d8df79846e6fcad81bf6a54cb8f645

C:\Users\Admin\AppData\Local\Temp\CQUG.exe

MD5 1b9904a0137d52f68d8b02c99a28ff27
SHA1 a455972ca152ca6a00b1912ad014eb2d8768c322
SHA256 97715f7bc98f8b054a15252f2bca34245f869fef59d4bb545a394de95c1c4802
SHA512 e2adb859a8342e14cd8757170faba5f1ca7ecb59f00b2710a321db6a7bc2e4496cdbdda0d5dc37ead18b4da5c3e5d736cfabbba18284b48b011f3503f9cf7d8f

C:\Users\Admin\AppData\Local\Temp\IAIs.exe

MD5 4b656a43fe98285c06c215ae15b62e09
SHA1 ccc7ec5dacd7d9eee8d6943c03b59fc29581e072
SHA256 983c14138cd07b9dc40fe1c2fd797c80ece7bda6b4b21330dcccc7cab83c5cd3
SHA512 b068a97758da9448be9e6de3f405486a6d96e26591b8a35cfc87188e8acc7837934e5724cdfd0c64c094056722c7c351438f9853fd8cba9b87c0936bdba3037d

C:\Users\Admin\AppData\Local\Temp\SoUA.exe

MD5 b106bdee906ea1bc8e76cbbff3fad96e
SHA1 f659fdb851b0cf1d3a8c3fd646f0d8b6529bc283
SHA256 759066eb07bdd64e93582e4d2f8098c08594e91a6ad4ca5a56fcd1f348c7628e
SHA512 2b2ddeeb6016e4d3e39abcb64ecb61e83db3a7908ffa9f0a22c7f191d446d1c6ee7438a08beaa2acbd9afe70db858c0bb162a67cbae561ecd26e2c2edaaf87d6

C:\Users\Admin\AppData\Local\Temp\Iwci.exe

MD5 3f495817ea3af94be888eced12d10bac
SHA1 a4293020d401e67fec9ea3de5da0a7eedf4d65cb
SHA256 880077433c9753f8f5336c8f120968bef928fb34ce2952af8404e3906e4d2744
SHA512 8834dbf97c0877596393ae4aacb0f943ed774ae41f48e8fc8a1b4e993a1384ba24a45339a946caceb3f25191f85ee54fa647bef45ab4fad8a3bcdf8a907a312f

C:\Users\Admin\AppData\Local\Temp\SAME.exe

MD5 e8e82cf94600ef6b0b7b7d3cd582d6e8
SHA1 7c08c8b7cff9c6683894fae60cf635fe6475d198
SHA256 92d59133c4b6162e363d054f0f1adfacc9c660c4325f6ec0596af25e87e0da37
SHA512 3b35e522892221ae53b093c2f7a1474808e6a5029ccf07b10546a67a210b5df5028ed2062d157fbc06b92a3f20ddf2c529f347aff7a36eb943b0b35dab672c82

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

MD5 82460a5fa4ea24632a5b7fdeae2062a6
SHA1 02e856640b5ab32f650abb7583318f55016d2e08
SHA256 b65c6c1247a0fabae39d92210f51fec19a1516c379e9618fcb19efc312734fad
SHA512 8149d064b968623a03711d72c258112456902fb80020f491dc2ba61172f840730e8592b469b08189b98fca300c8ddab28a9f5191c720166b8f0a3c325d32da03

C:\Users\Admin\AppData\Local\Temp\kIcO.exe

MD5 9bd1e3afd0f47df662b31186af227ed9
SHA1 fd8aff14aa266627c3c82641efd86c7f293f1b68
SHA256 480d275f1251d8f00f4ea689406eb84674192ff113675715aa69e8000bc3a636
SHA512 2c514156be344141a773a5a3e68830bbc3aaa19286eb8a69f629c0e504c3f71f9fc347880a4c942425a779288f40b025766479bbe62d635aeefcc729a1a4d946

C:\Users\Admin\AppData\Local\Temp\IkIi.exe

MD5 16b43c4cc1a430cc88fa0832699bd46b
SHA1 e75513235646ac86403816c67c6a33688e7d69d2
SHA256 3deedcd14ba933f7e635cb96c94718a46b335e6a92e1a4673cba36ca842e3e64
SHA512 ea8f363984c710efb194fd38d6a40c6fd287feea0421d1a15a5231ead468febb9d6f7e89883e4e1f5404a2e292bd174fcebe02cfe63b9a2896d5dedd4d6ea07c

C:\Users\Admin\AppData\Local\Temp\uYAG.exe

MD5 e500cc39775fb437145483030a0fc47c
SHA1 dcfdeb90a3122db90bb983e604addd0952030c82
SHA256 176e21ebf9f149a87af60678b1a4b13dfe7fff3ed85c507fd7dc875aa7719930
SHA512 6327fe3123ef26fc7c10b1ecd1b6e0dbc1596bded39ec50ae2f129c205ac2d6e5aa34f33485bad3bf63a33b4630377b0cb6ef9e49281e06dec552d85e0d30f33

C:\Users\Admin\AppData\Local\Temp\qQka.exe

MD5 970063d065cf3387c6cda461d26db44a
SHA1 1027d6620f3b38c55111063343ede25f896d8e53
SHA256 7d42cc1783c8e86d4817526f9fb55e0639f11c8ae41b6cd016dfbc1ce4fb4ee3
SHA512 781389201c321f69a4a47d4b2fe4340e367b7b3d321e37eb99e0d549a97603b1e8d9af6df9d76bdc787235cffbf807ace3ffb4affd6da3f950ac5672572dc259

C:\Users\Admin\AppData\Local\Temp\oAAe.exe

MD5 d43b538d5dda893b37a8cca542696aa7
SHA1 26b5b7af4340b8dfaf4868cbe4865db2e68b83b9
SHA256 75d8179320bdd934bc730327cd51d999d2723c7274b4b12e7387ca97834ddd50
SHA512 32981636398169a75683a42cf7798bec02f84f158ed3dfb804d3d8fa88267c5db0274c7fb227806988b41c5e0a3e6b0dbd291a903710808c8a0e20cdad06c799

C:\Users\Admin\AppData\Local\Temp\OMQW.exe

MD5 53fa30958d21c2f7583e2de3ec94a2f1
SHA1 8e2bdd4d278446b69bfc236c8eb2bccc1980533d
SHA256 e395812b4672610e9dd9e30ff7a93777d710455f5eae45ae0fea745586a3cce5
SHA512 57e68f730a3df925defd23e0bf81adfcf0b6ae62f5a96e8775251afa402f3f6efec6694fbdb83392e07081f1677c17da16dbdebdee79a88a8b30b5046d9bccb3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

MD5 6361e14dc43551fd0e76c6e62aee3dba
SHA1 bfa7319379c5a046e9a162b8645928b564fc4797
SHA256 a584857206da4aa41d75ec2702dffb74a46dbc4f8a56d0c5abfcdb9587c6c4bb
SHA512 e1b128e53567123a452164a8f71de3b8bd4788e4723740675ccfe451aeeba10f4031d3dfe68e4b87ffb7a081e42c99674f62aec64eb9636d2c7eb2d855d273c5

C:\Users\Admin\AppData\Local\Temp\gEMy.exe

MD5 ba62b818728d39ae408d8aa9870c9fb3
SHA1 fe3f8969be0ab48d8c7ea1065081a64a6560e432
SHA256 a7fd2b3d5bb3a0436a888f9ab212b33af952fe4a9ca267f3bfceb423a9bd27a8
SHA512 ce48a8efd6f6d626cfc912e94595ebfc5ca8fc04b9f6b0c184dda1889c3d793a7716c8f944fae6f356308a1aee5fd66fbc22cf0e0fd56ece91516b6aac62a0d7

C:\Users\Admin\AppData\Local\Temp\IQge.exe

MD5 395e34bc38b8e6e871ebdb3240391ba4
SHA1 5cc10532f8e5c03cff1d07a4d002f877e0d4e488
SHA256 f751ac24b430bebc8dd5f464e4129746794faf0c21f4103b682297c0c3827531
SHA512 6b32a945f73d9b6865c8d139c39206b9800fddd0c8a4ad2f4adc38f882ae8a0ba342335a8aa67253f38f2ddd499f7d76828763bba1819873c2680a6a34a2b444

C:\Users\Admin\AppData\Local\Temp\oQEI.exe

MD5 341afa3a2fea5792167ced6fa452aa4d
SHA1 1ee9c59812d24ed895d179f3a4c5d091886bbe44
SHA256 859cc86821f969b53e09c50b2cf2312b92730170e300f7a71a36c43287d98176
SHA512 7bbc0df9e5f2e5edefa9a0368fcf822ce1652a2510315d85744c7d026fc442d9f5c64700def259597dfb13f296a1d637949702dceb997d1b8f9235b4b090d35f

C:\Users\Admin\AppData\Local\Temp\wEgy.exe

MD5 479754762547e5a36c1988f27aaf13c1
SHA1 83e1b4459535023d0bbdd32d6b6a2a820a39cdfc
SHA256 fc9de24d69705b38b93a868ae6b8ff3c8ecfd200a16227ce4bfa9b4cf40ed934
SHA512 82c9a145ae543ad3b49738de4fad51d8f9b0e752fa9f854e5f3d109cf8854494e4d8fa13ce989c2f2c9ad896b7d5be9eb009df8028ee3ee6e94fa1abfaaef078

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 1ef18bd8b4e9213a570621a50c8775e4
SHA1 34464187c7e88eff7c0d490268a034d7ddd48a25
SHA256 6f3c0e188d3f3082cc129f4e2e5f29a26d2f6a4ca6d1253c01900f30c0f72322
SHA512 4d54ed667a099f364944a4088421bbcbaad4cb549e9fb13cc9eaeff792d1bc735bdccb0bcad89b9f9dbfb6d3f01b23e25ac4d2a1d370da3e5df04dbe22a8bb3d

C:\Users\Admin\AppData\Local\Temp\oMAI.exe

MD5 2b2b2d3b5118961b187ad33e4885efb8
SHA1 a0d02d19e394c25141cb1e64c9505a1220a92e7a
SHA256 00d524c1354bf53bae986a04a70f7ba84ca184c4d5f5df83dbac8cea92dd55f9
SHA512 f5454bb498e5abbe9efdb1243847acc766683d896e285e6edbb947cb75b0ca2a9dc244b37bdb687dc9e642334ae8a598db41e20ecf339086d2171a044d4463af

C:\Users\Admin\AppData\Local\Temp\YoAW.exe

MD5 45757d777e61a5c5efae988ac8fabeda
SHA1 2be7725f94e5aa4cc72d9065033115b9a87690f4
SHA256 8cf98788fb7e9dede8753925384492ed187b84bad18ba7c318d55a32c3fbee09
SHA512 3d225153a2e32c8b6b98a590a962f5ec49033a293721f6b7a472593893d5cf17bd2d4e349d6b45c132153e745f23996577264e1a472c81538773185b84aceb39

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 9b0486babc09b25cba53ba11628deb9d
SHA1 7aeda2b75193dfa8fe4eae34b8b30804ed3a4eb9
SHA256 46f7f4a0db6fb5ac0730e10cf7437be20315ba54ef92854798a1fb0866f58e51
SHA512 ec61b1a7436e7e2dc646cbca324ca6dd889253ebe39b113255f46590316b7b4cfba406b0cae9d797a640df6a55211bef1953c43733c2e6b74af8706dedb62594

C:\Users\Admin\AppData\Local\Temp\UoUW.exe

MD5 92d80626f70b24a22025740bfa6cdaf1
SHA1 bfb62528e906217502175a4ad06ae861d2497f57
SHA256 b551c8845fe695eb239fe75fa2019cb80ccfd00e665652d2dd618daaf82d7178
SHA512 6ea8956624d8c8cc46c960b1adc94cdbee1642413d31e9ed288f272bd978f5717753c70f17ca4b4e84d0c1f748f0f8d7bf6a13ffb59c1ceeb0965ac15e935fe5

C:\Users\Admin\AppData\Local\Temp\EQoU.exe

MD5 d0423cab8aadfc0aa38d2d5b51e2f41f
SHA1 89f644e5cdafe6e3f890eee670cd5deb4d172c61
SHA256 e46ec3081ec3e832ab76cadbbc5ef48dde991506270d502823d652e7878302da
SHA512 0eb1126323759cf23f889441837ccbb77365c67e60746c7256ea09b70fa9a683ace76bcf5b10ec090325caea18626a44233c7429ebe6a80df664c35ec83e538e

C:\Users\Admin\AppData\Local\Temp\wAwO.exe

MD5 4662622b7c085065eb7457def367b1a8
SHA1 0c53d2953096cdcc1d0d78d47bc1055884b8055e
SHA256 ce5e9e7e4535bb3377ea7eca516c30c51076ff3caf0e131d156983031b583c40
SHA512 057e1d86a40a29aa764e8ac25c1d8405de74421933f7848d717c8752ddecd7127089631216dff8813069be38f31ff881c5e107feb749da17f53bfe7fb3d1295b

C:\Users\Admin\AppData\Local\Temp\esEA.exe

MD5 4889f56a5479dcd2b95020c396a2e0cb
SHA1 6481c131aaebf0515ea0a840e04a8f437bc4382a
SHA256 ff21a472c3f6b69db21cca92fd38809386174bfc51959b44074f85bd9ad295d4
SHA512 7ea87f8795ad69634ed53ccd137c83cec4dff129f6c3ded65ae720bd411acc2fdb8149651eec9d62a5074f20ed8b2bebfc368732dd1b390a2b3f38891a274f6d

C:\Users\Admin\AppData\Local\Temp\iYwM.exe

MD5 30a7f55a38fc2174a967a512b025923c
SHA1 c77bfb5b30ac8a58052a5c90e773620d4136736a
SHA256 dd795d8b9f0e4dcc5c04d61e09f3f5d8474309dad5a48d45a035d5fa38cb6e13
SHA512 a1f8a35ab035b85f3d5f0039d9e68e475a30edf59418c68574fbf51aff6bbe3509b81417c86448687ca8086e76423f3e33ba37271c9658682267e2ea39a3e162

C:\Users\Admin\AppData\Local\Temp\QEgq.exe

MD5 9a01238f5d042e0c221403c6489b8abe
SHA1 55d51cfbef66dff9c9b9e6f63cbeafee988d602e
SHA256 b9d296ac70dc2b1fb1316730d70b86a5b0684c0bb00e12af28656c5ded6dadd6
SHA512 2182e82393ecc1eec31d1060233bffa48e443fb83aca0561f1959a1135cff13c36d548072714f2c58f82d7a98ecd2bb0ff0056df1a880ba16e46ee04b9a7947b

C:\Users\Admin\AppData\Local\Temp\ecAg.exe

MD5 2b59dc6e61c9e441e24c5d62ca1772a8
SHA1 c467913cdf6a75e8f253018fd9827db620e4bc36
SHA256 afcc25ae4397ca662a1871bd8b48243a3d4bb6de31abc71f3538fdbbe237952f
SHA512 faefe632d1f89d7c6703c58984ec876e73ede392e2b21020d0e598ec3162244b21ff89d17639064037db5ad06b230d607cf12edb559e3ce16529edba22db80a8

C:\Users\Admin\AppData\Local\Temp\QEIE.exe

MD5 2e89b0e75a0a3b87d87b326be900b499
SHA1 365838e63a7257017d7776dd42fdc1fe034011a0
SHA256 bfb746303184ff6e72b65e9d066d7d727696020b2b947ed10419b558432ddd5c
SHA512 a023c5f49e4fe52a8e530e11b6cdc76e8f84aaab23c8ccecca8961d5da14287677d62a282917727889867b658f9c682ea68f50fd009158f921a042718977b663

C:\Users\Admin\AppData\Local\Temp\CIso.exe

MD5 d5bc69d5442461b9335965da1e4fd8e8
SHA1 b357433d684e815a671f360a0fcbb0b850f23423
SHA256 cf68c5be1c19f5e67dfe743cecbaf667dd86ef0e237e08965316e052ba34d92d
SHA512 2d871607eadce0aae93bbe75da9c93cc5239377b73b37fe13686d1f20fbb8351b914f067087dacef915bfe746da48bb0d3ad45c8f959d4281f432ed11a72f756

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 0760397cce7cea594fbf4bbfcbc8b780
SHA1 996873fccd41bc1d4fb50a865da345982e88f437
SHA256 0282dc827e326063b8d46bdac60836f3ac76e0fdffe11e71ed7d3753552903b9
SHA512 9e6ab48c120702ed727fc529f42048a6b0430517bb1422aec4c2532df44e278020a11db9c370f92e635ef549612b993428ceecd355b552938eed44d5d02e5695

C:\Users\Admin\AppData\Local\Temp\GkwG.exe

MD5 b81439b215203f0bc9c706871139fdf4
SHA1 a08dd038c3d5180e4399296754473aee6df09095
SHA256 1522bb1ab92cf307b838c1d70805aaa72f35f40408f2600e94670ada62f0631e
SHA512 c87136cfd835c7beb09ca4d96aaad395bd7fd2898b902223509841cb13c928b30d54c345982d0942956c8d4f3628d5d5417f0dce25f6c488c40e3948ac0f62a2

C:\Users\Admin\AppData\Local\Temp\KQQC.exe

MD5 1e7c8d985aea32621e4ba7ee52a3ed4e
SHA1 f070d25c287902d18d7dc07759d6cb52d1865449
SHA256 c3dad0aa22671924d0383d87f55e8447253a37266c561812309c659c79f52156
SHA512 cd9f31698169a9698a55bd60f8c7c1cd38206245359e51c83108d666e10c9acaec87378ba88c1c0375d1c075c3d4f6a9b8b8c0609c7ccfe88f4550f5e10f1419

C:\Users\Admin\AppData\Local\Temp\eMwu.exe

MD5 72bce4f52f12f993a4d177461e6470ec
SHA1 9b0b20246fc0990bb79ff52ce057574b4e3abca2
SHA256 04dd6d6937b2d8045eb900eee4bf7b0628a392b697643dda53a01067f59a2489
SHA512 66088bf500121c104c0dbe2867884a33b82ef2dbce24985eef3d519ee4fa869eb9382821e6c09a02d754ba86617acaad43357cba70e40afba7b8cc3532b99558

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 385080bfee9507f42edad66171591eef
SHA1 d87190841078bea443612e87985f9a98b6fd0430
SHA256 8e8181f6088d3a9f7d9afdc1aab47abcb0c9f74f941a2da17618d21430f3e6af
SHA512 ba2ed8dcc07aa3666dd66d04ed360c05871985a06eb0ad0845d54115dc36c972a71cc4dc5b88dc7fc9db06b0b56dd2aea971d381e839147e418b3fe12cac7943

C:\Users\Admin\AppData\Local\Temp\Qswe.exe

MD5 8887039661fb3d5ac56e817df366e7b5
SHA1 726c160198e4f8caea6e8df82eaa463f52ae9cce
SHA256 20ce2708f3d550928fca3399b0db6db7e8031a35d9c0f1a7606218500b586faf
SHA512 7a74f3e35cdb24eaa07751d9f33924ee49d0e1b1ac81410bfa64017fbb4fbb0b39e5924d15e158212a6d3c9938e6f1225f8b2cfd38ee1199d88d01cc85b59f9e

C:\Users\Admin\AppData\Local\Temp\WMkg.exe

MD5 b35c9b1d219ff4dbb91717add4f98ccd
SHA1 c669b10b7b33c909fb43172abd427491fbbb9f74
SHA256 c99bc10310c36093ea7f399fc7bf08e73536c30d83e7a1dd91620d235c284d19
SHA512 445155fc308a168a4a200912a4643b71d26a97eabf5e8076bd915f2565212af39f3ddbf816a850c0ed4fd7c9308e8e684c16444c0f2346c247182e069b2d0344

C:\Users\Admin\AppData\Local\Temp\uIgg.exe

MD5 cdfe1d6d08ade8ef48909761806ed2be
SHA1 37f1d09078957aa1f95eb0ef300aa3eb3a29362a
SHA256 3e7fe0885244da09b6ab19a44ffe91142c1bf0e440c09b02b94972bc7343b660
SHA512 41eb0e9d1c1b5e203da886681141fcadee0b334ef70c1fcc2b40a24c542cbee546c127c28302fda8285411844c1d10d4f1a3e8c47509bf406551abc0d22a54fb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 918d185a5b0d0a2600ff4f33d007c147
SHA1 3d117588fe8b444fe9c94f4d4393ebeeb44dff36
SHA256 592fff1bf4b36619af8d05a126e3f9127a578c466a88443075b011d645715d85
SHA512 21ab731c265c3a111c7cb2da308b50a67c655276b8d625a12038af77e5a5e274fd1df8e4edd8fa4d5f22bd4be14b22182671d3e7761049f1c5e36dc00104c95a

C:\Users\Admin\AppData\Local\Temp\kMEE.exe

MD5 43372b145855ee0eb03e18a3625a990f
SHA1 e116a59a44d9eb5850e5b730b47880e6b43f3e68
SHA256 4fdaa994dd6d0ce54ae86b4edb24750c2e9d86c9bb9c7f596bc3e0c027dd9d71
SHA512 5cdc3b75c05851d8ddf6d783582ac16780fb67f56476f216bb60bbcace74cf12dacc9de28fa3202aae8a15a4749d5766192658ee50a22649fdd50f63dde18640

C:\Users\Admin\AppData\Local\Temp\kscO.exe

MD5 6a7ad2550ce592c836550b1bdd2d526e
SHA1 113e7725c64ed2b8b24a2964e9eeadcc02c214c7
SHA256 6d1d5e6cff6b93be464606ab40b4742e642a3b5d895d662c4bb641b4be03f012
SHA512 4f43a49a7c63d19a16537343cdf1e2814dc1922ae553270ae4de4ac3cd9defcc74c8018482f4a6067fc62506d92a87bc3081f97aa135c4ab8eb8109654ea59ca

C:\Users\Admin\AppData\Local\Temp\UEEY.exe

MD5 0988f8f6ccdd2039d0314256b0f35cab
SHA1 4f5ade3600b2fc514f497cdf4fd0e1d76fc4ede4
SHA256 e55390a9fc3a7d3fc931607bb9042d0641e982d0e38164164c97dc0b32128d13
SHA512 3a5b81e0927aa42101bc8e908e923a68971bdf536679cd5dee19f8e71f4dbf07b760b2c744f7b7fba51f7a85eb5cc71b8c836d24ce7abb335bdd7dbe01264fbb

C:\Users\Admin\AppData\Local\Temp\Ioky.exe

MD5 140e815dadef3800d726db33603b100c
SHA1 de2e352ddb6e5488fa77eead103bddf3e67cd082
SHA256 19e5633ba8a153daa9779cd8d09639fadd2a9c3cd5ea97faa54248652d9fbe9a
SHA512 ff6822682c8f3f4b586a65e36293669c9c0904253590a79014714a2e76bdf27c9343b7fe0513f0267bde7b082eef4dc93702fc9e96155bb24ee0038952fd2578

C:\Users\Admin\AppData\Local\Temp\Osce.exe

MD5 3bc7d1ad696875a86dc6af98ecbb98bf
SHA1 d97526b816ef4c211d4207c9eb41d41fa150169f
SHA256 0279bfcc47996520712d12c78ee731d67c5920fc7007b273ca4994924dd28b7a
SHA512 38738787997e21640b6dfc81327f0c96eae0d0f3aa0c3c2b4b48dc3e43e59c7fdae7528e96a42ccbff7a9811dc747b129d84a5611a5f296ad51f0bd28d007626

C:\Users\Admin\AppData\Local\Temp\IAAc.exe

MD5 5fe810cebcc536468c0b1965162d6939
SHA1 3aa393f116cfdaf3742fce3407e6885857cb7790
SHA256 d2b6ca23687f506ea60c881e3b1d22a34b733a6b4c8b5c85923c7748129ba2af
SHA512 882d4cf362475b7ef33dc74ea3738de587fcc11586fd2480459ded72ab7fe5a09edfb27020c21d517d160a5efa385a9eb92cc56fcdb9fb539a939a02ef4ee836

C:\Users\Admin\AppData\Local\Temp\YgUq.exe

MD5 e4c4e37beaddef394c3fd25fdc48ffd1
SHA1 b0a06409a15c3a710b626121a4eeae9cab301310
SHA256 37c456100c0177d1baab7eb72ca4cc183d117fc3ca1716e1ffaef5a129e10cae
SHA512 54c75fb1fcec2ab467cde8fe12ef84ad6ba94fcd503cc07735b58ca7a05d55818b40497c38715ce930a35f2dbea3cede1f2df434daa5c8153d5b321d8db6069c

C:\Users\Admin\AppData\Local\Temp\mIUG.exe

MD5 dec5fd22737e8332670d4d12ece8e208
SHA1 a4f1dacebd42e7a5423317c6edbd1f7107657b23
SHA256 ec43847a00b9e18dfbad4fd28f4dca12420d6208495c6d00a2f7a96650ab4ffe
SHA512 19664e3c0b3e2b4033fe3ec6bc6130a7d81b65f09d5521e8f1388cec01165801b61cc064741e06deac6996936700518df00653e521b65d40be690b831b949ef2

C:\Users\Admin\AppData\Local\Temp\gIQM.exe

MD5 4d334745600a4b79bb1236ac6c1bb33e
SHA1 d8b8977b80707b8400929043a9279eda9e0c8699
SHA256 41f3eca59cdcdace59c3dab40ce3ac675bb05bcd1ced6356e6311523cc13f812
SHA512 c735855504fb1761b94011dc9e24f09fe5991241f1380fa8f900e654e36f3302ced54cf856edacfd9622496b018553c76b361bad9f76458635ec6c937546d00a

C:\Users\Admin\AppData\Local\Temp\WcwY.exe

MD5 fb767a2d14534fc369b9eeee970c25e7
SHA1 5fbef16cefaafdd00792c69ce332ceab24d6a43b
SHA256 31eb36ec8a816d707fdc849c9a8cad4c5667dcad6af3dcef92ba99a88fccfd86
SHA512 5b0c6b8a7f8b91dc6d903c48f2d63b12e8201681870caa60a4daceea8cc6c44ff1dc4a7af4281ff89ae4f0e6738cde4e949d8d144798134d607cbfddce55f747

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 374d512060e9a8a7eefe29369c988ce9
SHA1 27f22ab61e8070ff83dc173633d630465671f64a
SHA256 0094c5fa7d796daeafd97ef845f0f02bc09d972d2db3ca0bc7f6a69dfb4b7d65
SHA512 109898f94286cc86682946e7a83cd743a1408b1d32cde96cce45547a8513648631fd31960d25c45249a275cf185e3f2bc36b0777820141e4a658e062a85618d4

C:\Users\Admin\AppData\Local\Temp\kcYK.exe

MD5 6ed951725f88f682b7ece30f1177ff9b
SHA1 d6b28727fd3bf5302984d96ee916d262e8b144c5
SHA256 472f88e339d6cedfc13ea0070403bf0f8cfe54b976ca8a6ddd72c1dc78b8051d
SHA512 f82203f0a16d37cfe93e58096000b91efa0614bb1963367e385d00c85d46bc5e2e0214faa63ab82430a9defade248dece72b3c38c3184d364a1deaf9d670990c

C:\Users\Admin\AppData\Local\Temp\asMw.exe

MD5 8213effa3ab485ad448aa82666e3864b
SHA1 9cd0001087486bc46b40fb7746d61bfaf77ff64f
SHA256 0b7b3acaa88c6b1e29c34da7993723540a098536ad553048545bbcc216766e39
SHA512 f2e5da37b5b758a763f0e7515292f77c08cd607fb6610fccfb12152c27c327e43545d6341f62ac44d1d4735c369b41dc1f64c350f9e2b4a0baedb6e406d9171d

C:\Users\Admin\AppData\Local\Temp\cMAW.exe

MD5 f5ce64e295ba17aac286bf5cc584a189
SHA1 0b7ff06d68f74d5c7083395af9e9273a864df126
SHA256 19199c53f23f0505fd243f9eadeae8b10852e4d8f94e49d11f52566ef51d730d
SHA512 04c7d2aa2d6cc14917f85ff1808fdfc208de57feb7160b65969296c5065f66515c77799b85d9dd4e45fe4be57ce1e61692ce5c54deb67364e053731b91f75174

C:\Users\Admin\AppData\Local\Temp\ugIW.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\KMse.exe

MD5 e32171f09363a0d370b9d5f25313873e
SHA1 f9d53136eee7c883a4dfa84a6174b7cc9d02c36a
SHA256 e943daa089fc888ebfc3d05d432dd38d1d51c8188773c1da2acb01142d056313
SHA512 05ce578233369e35f0a07bb83ad23e659089e0332738d698a037fe06a30d300dce6d0dec5b32f2fd2f0d2f7686baf72c621b887595c980d7675b7cdcb6f4c6f7

C:\Users\Admin\AppData\Local\Temp\YAAk.exe

MD5 b6e1beb8a32c1a3f4d3e93b589ff4eae
SHA1 803196f5fc2d1b1576973574a22b9a2621dcf881
SHA256 65197ad81ba150eb90c3592d5508ab267ccb2e4fbd1c8e94194c0e044c69b2c5
SHA512 cde5a45c3531afda1eca6d3ebc101df8ec721d03047195885431739a72e77d6fafa4fa60d15280792346ad7a2b438f513086a245b399e05bb2f36f9db996ee38

C:\Users\Admin\AppData\Local\Temp\mEUu.exe

MD5 852e2148c684a5dac14ec7b04b6c82f1
SHA1 9ba97d55e28e27ff0497c8b2a67ab04fe4747f4a
SHA256 793308a7db25d99a95f11659e2cadd887571fc002768ce600f93e52e9a392317
SHA512 010ab6125f0e60023c3da4073a75ca7864166fade9e06aaed85298bcd2f7d5ee9ce1272cd7a92ad980fb314d7fdafd03ff84a17d1b25ed27d649e5a19c44cb3f

C:\Users\Admin\AppData\Local\Temp\aQMS.exe

MD5 ddfbd05b3e693524f6186272d246ccea
SHA1 bd7540caa9bbc5f400a542d8ebe6c95086e4910f
SHA256 c53236fa3523963a6ec66e40e7955d17564d69cefca658199459aec95c5577bb
SHA512 e91733fce94afa4b88451d0ef5f76316769185459e307877a5b2d383675ee26943b41e64dfc4fae2e4822203ed6eb5c1ce5282f1a72e41c6cfe49fd532d3441f

C:\Users\Admin\AppData\Local\Temp\WAUu.exe

MD5 bc33b13946fb892bf67dd4d1eb3f5358
SHA1 1b08ad79c2a480f57e8a0f0165ece52862e39198
SHA256 715d4e82cb2df1aa6922d0224ab54abf7dc2e0de2a5ba891f593db1129b45a90
SHA512 4714a65a23fbec3bc5bbe5eedc284d82763c3c7d4df9bf323a43bd5a94f55ba1e2dbe2a6f5af4653be43190e65d7d63b407660ad36fe61db80bbd4b7e2406ae9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 eec9a6a042653c3eca9d026f4c73d36c
SHA1 7611bd8c9fdafa77329f358dc68e687d88650596
SHA256 ecb7cf2ad839beeec5dc1f6c10df5b3787219cde876209c1eee8750faa70f67e
SHA512 6da8011e9c056715143cb33a5ada16484eb8daeaaee6a500e7f9d711b85010934b73cb8544a7420fd477a9d166b2759f058d5197a768c2674f3703cbeac0ac9d

C:\Users\Admin\AppData\Local\Temp\eUAw.exe

MD5 7c0ee51cd13e257d9405f3e138e353ed
SHA1 0b5344e7e8665b6ed1791b7fd2508fee517ecd2a
SHA256 5db348f96e49b5191cb27377c9ae3a4d3fb42d995f8c3800fe17f7feffb62ed8
SHA512 64b629875250b1ebfbb8f6f6896f2b95aa6c92be0d0059a3fed1e22ae86b7e6d1ae8869af93eef8ffd31773e88c28a3f653f0004583afd7d3a4bb53400cc0b2e

C:\Users\Admin\AppData\Local\Temp\OMsM.exe

MD5 dc9f972d767103f9b6baf5f4d2fb70d7
SHA1 a21196d45cd39c46044a93dca72f2a9a6dd92bec
SHA256 0ea752d70af4a6208072e984e1fad6062524eb329e758344ae02807ab093a386
SHA512 1d68fd7959c80e8cfc57fe6b6f6044dd13a1f93a1edc75083ad13868649c79790c9a2e522cdfdb123e95a12411e81ec848ab423f6d87bd1794fc9154eba68e67

C:\Users\Admin\AppData\Local\Temp\Scoi.exe

MD5 753b026e7e772f3864243ce24f805eab
SHA1 2b696b18b1abf7ca3575f8fcb7ebf31e6f8f5bb1
SHA256 00d90a1267e188bad129caef2fa54b27d680d5554375fd742881a76c7167c8f6
SHA512 178dc6e559e01fbf7c2da4ee5673f94c59803a174910f42383afaa619c950175ee8c8f7608592c0f86a7ab13e8cc06878e8aab814cba84a65a6fa21f834ef770

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 f8c6a7a0b3989db184b85e0030dc57e4
SHA1 a121dd2e4423e4e29ed750e8cdc54475fd532809
SHA256 61bf43a8bc0c171d36fa5c9f9f93811000c1d8ada99424beb095fcbb417122c7
SHA512 f02551350451b7af217c17f66c3a1f8546c3187b81b2787fa7e593dc3973e5953d9225afde36b7aa70b30c1eeea947ccac3fcbe6f012dd97c503dddf365079a2

C:\Users\Admin\AppData\Local\Temp\UkEQ.exe

MD5 875e9bc17031e50687ca6893b3b165fb
SHA1 9d968fc58f55b93e6f2f0bab16a911c62e5f3746
SHA256 5b9a3cab43f976b6a0cf8a9277feee1a4d82207508d3f8df88701c85e86ff17f
SHA512 c721130ecae708f0cc04595ec7d1a25a82865c55b03862c665c5c9476e4a879af6ee2006d7b05931cb7b6a1671cc77b3407de65be7bd596d8375f241640b5c90

C:\Users\Admin\AppData\Local\Temp\wQUw.exe

MD5 a3bbe9a8a25f48d54c4295c37e38a6cd
SHA1 11ebd4cb0e27225f7eb5729462349285953b201b
SHA256 afe0dbf65625b6b31d54e975d8f8af1a81b1ef889a55f0618f46bdec15141969
SHA512 3fa84465d055cf5312f74f0da2a62c8a01bc43c354f317d7a86cc877870da263ec1403c78059582ed9c9a8ed9f5b685435a3b5549c3c437bd97fc2a33540443b

C:\Users\Admin\AppData\Local\Temp\AEQK.exe

MD5 f85575f90117d3378e078918bf81ea3c
SHA1 e42a27c69609c910dcd12e9aae4c736aa06979aa
SHA256 b37929a84fbc4264dd4b2b3cd664c091bfade547ccf4b1eb7ed96234105e9ce3
SHA512 02969f4742caaac84372361c20f1dccc5b85b04b8b891bd502b9ebb6c1ca18f24b487628549a13da84378a559dd32a5a64e68be336ebbf40e77c3a0574b0a1ed

C:\Users\Admin\AppData\Local\Temp\GwsA.exe

MD5 3fc2b7e8e10d469b955203eb2644d8d6
SHA1 49e6799426d9a98f093d03abecc02bfd15a40588
SHA256 4c29f364c067a2e15478755bd128c24ebe077774a490b6d0b7d7caa6ed57ade9
SHA512 91b4826d76be81aa18a00daa26d7674b89f0dae1a4cc773ed1f1e339df5ef44738ef132f665b615c594c71e748eb06e5cae6a69fab7c33078d8a4b0aadc80c7c

C:\Users\Admin\AppData\Local\Temp\YEMq.exe

MD5 6060a3f22eeb9f4c8c303731d32528b2
SHA1 851d1010d38f20392ae8775693c5e281b122355c
SHA256 2815a212713d869e3e31e3e4e7578fc8fb84a6075702b5a35da4a4261049eb96
SHA512 6af151f1dbbf42578dd73af36acf5fb07f6f6ccef06dc4377351c549b70d9d44329790ff0cd9cd0c0d8dfcf21b3992a5b2fb8bc8554def0b160483ae8b9d9075

C:\Users\Admin\AppData\Local\Temp\YEUk.exe

MD5 23b9eaf119f9fb8aba5b3305b817a251
SHA1 1a227aa6f560b10809551df97fc605f72f84e3e1
SHA256 2a54fe8ba9c6fe4ac7b456b6aa9eb4b2995ac8fe20225993aed82d9c0e7f3faa
SHA512 eaf0bbbd1c60bc58e3a4f95e4ea16d93dfd2af617d4e81a6b1c48daba165375bc43c70bc49b3754046ab607705ae245e661dc647ff3166a2706d9fe4720b7a5b

C:\Users\Admin\AppData\Local\Temp\yUsI.exe

MD5 628c53712c813e69ca808cdf07c56523
SHA1 8c2276a995da203ab8c24f55b2467c31490c69e1
SHA256 e2de2536a8d233812cfd8bc28384b83551883566cee183dacda14c95cef5305c
SHA512 3dc98c807868804b98290cb0532fc89c74eab38cf092925a67062282bba2981ba9e92aa0672b28279f09c9122a14d7f47afd75f0c1182f33540d96b76bd148d2

C:\Users\Admin\AppData\Local\Temp\Mcwg.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\gskE.exe

MD5 47c62f0ad46cda5fc2d42ea1d028a03b
SHA1 73cb19148a761ea1c56f9da150f94a958f6972a5
SHA256 a6193d20e4c9d78b236592a4f30cde1889a7ced5f676b40e5dd74dfdf9ed96f7
SHA512 a3e25da1b1faae74f9992f77b42a698f63ca54d72a8ae1126b065d76b5ba9c57707f4b6826c2181e98ccf361021c6a852e18bafa984b8000eeef91b7031dddb1

C:\Users\Admin\AppData\Local\Temp\UYUI.exe

MD5 7d944e057e5febfeaa007c8589827994
SHA1 7e22f1f92cf2902b082fe2dcdbcc8398ac207242
SHA256 9c997ac31e2f550dc48f120c33100d83595362e5962387afb34c1aad1f3669ac
SHA512 ec1f11580b7a670cb95f7876d385ff29ab8a261551bca78bd76fce86a95d0c5129ff33ea6f4a683d00ece6a53ba39deccf2bc5f85a1e57d6622ef9b05353b3b9

C:\Users\Admin\AppData\Local\Temp\oUog.exe

MD5 acba67e11a7279af2c0da43ba4189c9b
SHA1 da3d90a00b3861f634436d7bf203b5a3489e0a52
SHA256 4b3f450ac89da53d897c49237775e9446903a296b639b699a204e0cc425eb0ff
SHA512 d90de1118caa61001bcf45589cdced2dc011ce11682e176678771083e0299b474dab9484f6ea9625787a782b3420e957efebaf3f38d26496ce4525841e916946

C:\Users\Admin\AppData\Local\Temp\UQMa.exe

MD5 3b8f72f1c730a1ba4ad40bb50510fdbe
SHA1 4138fe80b57565fa91b898339ade13da4f4ea664
SHA256 739e6f5e57f436b6431540c018fa663b390a525f5443a05592a34c06a646f012
SHA512 0d860d4ad221c1e99a6536190c1badfbd366c12047a9dc2d8c1ac76d9926cc34de1fa592fe559a572ac0374939e42ec763019f1b837c7c36a04e8f4e6c02eef6

C:\Users\Admin\AppData\Local\Temp\cIAq.exe

MD5 ad59cc7a06c28ae4b23b3650acfea731
SHA1 e744358b35cba4da80f6d6246833e080fc859731
SHA256 b050f15724a91a738dd39a50f02e7731027cfa6b7977f4c777512f99a9c150be
SHA512 48be1ed20bb9d3a24b9f12a56f100eaaf33bc581e803dc2ab24b9e427f6ddd7338e3c3f39388558d5bb89da806e97221204df966bf9745a2defbc36ff6b59b4b

C:\Users\Admin\AppData\Local\Temp\OMYs.exe

MD5 1571420f4b6e24091ba67ffc264abc82
SHA1 bde946b460fb840a87c576b1eaabd49a1576fb06
SHA256 e093e6a2783eb3d5115b2cb15ba3faafc68eb0fc4517ea454aa288b207928c00
SHA512 dc8cc55e90d09dfde5036ba47594d6885120371543842ddbc47fd142ad4615dc2ffb59b614884b1bc48ca8a3ac4ab905d6ee981ce06613b506aa922f5da32d5f

C:\Users\Admin\AppData\Local\Temp\eEIq.exe

MD5 b16cfc93c6237bdacb5085f2e96b9535
SHA1 6fcd178cc2ade4e79b00be5ee88e832475470c95
SHA256 19bc392d6fd9f13140845e54e53e0aef23dcc31312ee93d2715071f8f85dbd95
SHA512 b4b6db80e4d4786735ccff8e57c129a63df764217ae652dd6128dfcf673c83934c0e4941f6854ebeb47cd68ea4efeb80337260f6b6ba945a39c11fdec7ce3e59

C:\Users\Admin\AppData\Local\Temp\qQkM.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Music\PushUndo.jpg.exe

MD5 1be305100b1cc29b75e32d6d854d7757
SHA1 c30411f593df8de5887aa6d5c31c81de05e9831b
SHA256 81e62785d20ffd42c8dd0d6427e57e5795934e5cc7f942acca04f6e388a3656d
SHA512 d944197014dc7aee0da359280550a4d9c01518df350c381f3c8487b1b8102ef4e6f3861664bf1f8248e12a24a41b6138990910487be6c1c5fcd8e1ddf2296d47

C:\Users\Admin\AppData\Local\Temp\AQUU.exe

MD5 98740b395238ab362430da0db46d3b09
SHA1 83243ff115ba7b91ae2f1dbffc4c17672ba6e705
SHA256 20b1d28f848569415d2c4b2761bdfc5ec6e5f6fa1c0735abac16364ae00f2ee7
SHA512 17bbca6cc1589880efffcffe981b1baa87b83376c9fa0916f78a9191a2221ebb20b16a99e9f85b9a03be525418974f144197b897b69d427a6ff93bf4291e6b26

C:\Users\Admin\AppData\Local\Temp\kEkc.exe

MD5 6693ffbb46feb0f51bbd4d261d02c333
SHA1 87b01f8561396ce8178035e5ff52510114a2cc37
SHA256 09cdefd5d4812aac0e93c938922725e931ef5c3bf8ffff117d15d8e80f75b6e3
SHA512 a31ff6d77157fadfc380e9c88cebf7e8d4b478f7eb177a08b793bd8652990e2faf29876fa5e6f1c2d209166073bbc170c5d9835d412f2928d160b945b92de78b

C:\Users\Admin\AppData\Local\Temp\cMwa.exe

MD5 ab567caf589dda9cd4c7646dcc089c33
SHA1 a45759b50ad611ea0827e11843c95ae37254b9e9
SHA256 0606ba6a749701676b89ea69e2af51d69042790e998932c2797afe70c1da4c74
SHA512 9c8ac2073a918570f38a954937851f1686aabe080394d6670d1ae9605add5a234709ad7f616afe7645e9053b75095362510502062eb3ffcd1a06f6ec6bb95cac

C:\Users\Admin\AppData\Local\Temp\IcgC.exe

MD5 edf4e60b5bcb9e23a9f3c445c8412c7f
SHA1 c364b6ee4587f51edcebf922850015e9cafdf908
SHA256 dab6a21da0afab0b09490e95e3d1ba914fe87cd58d70de4870cb2f77b68cb435
SHA512 3554db7bec98ea4f3fb69220d34919cca9d5f0400028e15bb7531b34a22f9d4637cdecea8ff6da5a29ed8ebfcd2fc3d9db8f30574ddf9cf91cebffcbc6a4847d

C:\Users\Admin\AppData\Local\Temp\UQgK.exe

MD5 e7201951aec6fc040b154614bcc8dfd7
SHA1 14fe435d5ed4e8da87336a7b1028510be47ae90a
SHA256 8d96e4152b1b1f4c79da8736a80eb8999ccf2ecf55ee559e1ca8c7a8f1acc175
SHA512 555c1d62b2999fc0c9af3c146029963af5d2461a1d7e5d1ff4d6e1c116b646f90a67a8680989975b8c630e7cba4dec36f6daf45bd58490ea0241a7218dc32220

C:\Users\Admin\AppData\Local\Temp\KgEu.exe

MD5 316296104ba129850affe2d5d84eddfa
SHA1 e5abfb7f7067ffcea71ab376385ae134ca5cbc7a
SHA256 39e96216814f7778949146a8ced50faec873e3f2c80e9743acb0f668211ff2da
SHA512 cea02ca425b4508dac71536c2ac8a872138c7abbf328cce0a72b95b3c658560cb57fe4661af275be05efde22f26e6f9c7eb7e1012271978c05e32755cd6173eb

C:\Users\Admin\AppData\Local\Temp\AAAm.exe

MD5 52c280d2e51b63d379c3fbf85e9d3ef7
SHA1 b596012620488aefd954ea60b89b69e9bd3611d9
SHA256 3ac168601af2f1ae4fe4e8a598763428f1991fef830fb96d48b75f1762603409
SHA512 03035b3630102b6c4b0927187decfd98c2c4dd0719aacf13cfac7ccf052537afd21baaeaa141af05b486ac0f79451ab01683933271ed663a176dedb34d17c31e

C:\Users\Admin\AppData\Local\Temp\SEYa.exe

MD5 cc71c17e62ae5c594203ce5a1c8317ed
SHA1 ad6d32a53b78350a4d73a117a92e4d8ed66e2ee3
SHA256 292b4ad9ada9242bc6d466794e17a5e86271c7929d8e42c3d9631f89ed05ab7d
SHA512 def7655e3bfaf2d7e392bf328ec123a8b655c4a5bb000680869b3bcdb3a815836d0105732524775b8b555a7f2530baf7b228bff36b76a43a865beca64fa2242f

C:\Users\Admin\AppData\Local\Temp\iccY.exe

MD5 ff208bb32b4fb71cd32ada02e1c91d73
SHA1 317f9c416bdc4e8237abea1ab51452e79289dea5
SHA256 6799ab99999fd3c723757c5b860c3dd1bd9277e98764aef2eade29756ed78021
SHA512 366383f2681f0da54bd8ad4c0f8c8eaefff03623079c44b5925ccfad93ac932af570025cc33976edf7c8962f852ce520c0dc6d8e9c70a7760eeabf7d109fa40d

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 22:31

Reported

2024-10-20 22:33

Platform

win7-20240903-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (60) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\ProgramData\EMkwoYcY\KSkkUMoA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KSkkUMoA.exe = "C:\\ProgramData\\EMkwoYcY\\KSkkUMoA.exe" C:\ProgramData\EMkwoYcY\KSkkUMoA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GykUgwEM.exe = "C:\\Users\\Admin\\MwYwMYgU\\GykUgwEM.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZEgMUogk.exe = "C:\\ProgramData\\zUosEUso\\ZEgMUogk.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TecsYMkQ.exe = "C:\\Users\\Admin\\nUkEsQoc\\TecsYMkQ.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KSkkUMoA.exe = "C:\\ProgramData\\EMkwoYcY\\KSkkUMoA.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TecsYMkQ.exe = "C:\\Users\\Admin\\nUkEsQoc\\TecsYMkQ.exe" C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A
N/A N/A C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe
PID 2512 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe
PID 2512 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\EMkwoYcY\KSkkUMoA.exe
PID 2512 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\EMkwoYcY\KSkkUMoA.exe
PID 2512 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\EMkwoYcY\KSkkUMoA.exe
PID 2512 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\EMkwoYcY\KSkkUMoA.exe
PID 2512 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2276 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2632 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2632 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2632 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2276 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1632 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1632 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1632 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe

"C:\Users\Admin\nUkEsQoc\TecsYMkQ.exe"

C:\ProgramData\EMkwoYcY\KSkkUMoA.exe

"C:\ProgramData\EMkwoYcY\KSkkUMoA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqIMcsMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fcMUYEwk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSoUIUUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CasscIYI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMcMYUYw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eagkMYcs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MskEQcAM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKwUIEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiccgQsY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROYQQUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKsIUIYE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKowockw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQswYQcU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmAcYIIM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAUsoMMw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\owYkgUcA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAYAkwgE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuAEIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmoccsMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmsYMQUg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUMsMwgg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYMwcYMY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQIgIYEA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkoQEEAE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEsIcMkY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UukMsoAA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAUAscgY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgYIIIAE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMwMoAUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkEcEoQs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyEgwYAs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEYEwkgU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\egMIgEMU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAwsgEQk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMgQMwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQwQUMsA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkUMQwMs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RiEcEoYo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwMUsccY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWEQEoUI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwAsgIUA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAQkoYoc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIwwUYsw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwUAoQQs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQQEAEgc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dsAAEIEM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\MwYwMYgU\GykUgwEM.exe

"C:\Users\Admin\MwYwMYgU\GykUgwEM.exe"

C:\ProgramData\zUosEUso\ZEgMUogk.exe

"C:\ProgramData\zUosEUso\ZEgMUogk.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 36

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCwYgEUo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vioYYMsg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwQIcYME.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEUcYQYc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQEwgoIc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQEgosYw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMEkwwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSYgwswU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bggoQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWMsIwkc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgEwcUkY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEEcAoUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsEEIkIE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWIIIQQg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mekgwkkI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmoMMowY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAsQMcMA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuIQoMcI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUAIoIcA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIEYMAQA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqwsMoow.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gewwEAsE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KssYcYIU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOYEcoco.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOUYokII.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaMwMUEE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XesIckcs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcAMQUAE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmEYYAoo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQUMQYII.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOkQcQMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYEcsEss.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqAkEMwY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYggUQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiYAEIws.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lmksYswg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksosscUM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgUoMoMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\koIwcsIw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGgIMQkU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VesggMgs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKkYEIcc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOEQUMAg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMAcYkAU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmQssEQc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKsUosgo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWockgsI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XeUokUIo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGwgMcss.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VegEEAEU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmgEcEwc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAYQksQY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcIMgAQE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\egswIwMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkgEIMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKIAUcIM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LSwAokQw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGsoQQwk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCQIYYso.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMQooQME.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\icwsEsIg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYwwEYMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eocsgEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUMAIIEc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgoUssQg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYckMYUE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWYsAQEc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQMQAAow.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCEsMIUE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWkEEooE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIIEscAU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKoEAUcg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWIEocws.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKwYIIQU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqskYAMY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGwMwQoY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqgEwMAk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eskwkoYM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGUEEoMg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyQgYMkg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqQggEok.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccMgwIIo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQUsgoMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JawoUoQA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAEIQsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWwcogMQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2512-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Users\Admin\nUkEsQoc\TecsYMkQ.exe

MD5 e739ec5ae58676f3a895749025a6756c
SHA1 f0676667ed2bbb540feb218d17566ecdbae70873
SHA256 09fd8dc5153f562ef51e3c0112e69a8a8280a2149e59a76d91ef08bdc73a8b75
SHA512 46f7871f44fa3e531c48d8f163a6ba72e43df4abe1f14a11d45ed702f926efadf703a18ddcb509926ccb72392a2b0b42c2d3175e4aae836fa1121916fcd5b841

memory/2512-4-0x00000000004B0000-0x00000000004E0000-memory.dmp

memory/2336-13-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2120-30-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\EMkwoYcY\KSkkUMoA.exe

MD5 dcbd2112f3ad1f419648ef879e157e14
SHA1 2e695c3b1898b3ab59ca1421dac71b51dc97d22a
SHA256 7ded75be6758fc9d2081f3fa3ed56f8b4207819054616e84cab875691831a713
SHA512 68ad9b9b6826347a94b0e511c7bd3244f7e5529fe263f8b3b57165d6025d5dbbe6db45e2c00d9cee412030cd7c14fe248ebb2485b60258528f51c89b3a202a02

C:\Users\Admin\AppData\Local\Temp\fIsoEAss.bat

MD5 65a342a35898184aab26b26198e74548
SHA1 beaec2817fb19f06843a4b5e2fc47e4d8d690111
SHA256 fca64b6d236cdad9e833bb8b7e242585fef126254b42d5c57927a6f10f2b7cb2
SHA512 20b087d8fa1852d8383579fafb8f69b03b6c2c712f7dec6e1563f4269a326b53c4b20e2f6d2848fd26c4aceba9b782575e3798618052fada10183a34be2cf5c9

memory/2512-22-0x00000000004B0000-0x00000000004E3000-memory.dmp

memory/2276-32-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2888-31-0x0000000000850000-0x0000000000883000-memory.dmp

memory/2512-41-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xqIMcsMo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

MD5 465608ce506144bb84af2ccfc475e15b
SHA1 ad35db7aedb4d245d4151fe7f91a195248f71f73
SHA256 862c779a739524499e4d3ab328d041769417ff471e5eb7b183372c82a408a329
SHA512 c026a6ca05f92fb8b749cb1bddecca2d5101e3cda05c488ac354860cc6b333392780ca4fbdc71c1310500c168623c365a6db80fe9a11e0e5b2d24ca34f098d95

C:\Users\Admin\AppData\Local\Temp\lcIUswUs.bat

MD5 1aff16e63acd1e8faf09f4e33688f3c0
SHA1 e5ffc5d1d3e39fcf6247098bff2ffd1ccaefa3fd
SHA256 9b80cada60e44ccdede56f100488ff899d1d4f1ee4d9e1dbafb7c5924e8cb9f9
SHA512 d67168497180bd245008b8bf89032364dbbd757afe1d13cdfe7668961603eef170ccef9050551109a5e31e1419d3887172d3e9abf3fd9199d643f23fde421754

memory/2984-58-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2632-57-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2632-56-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2276-67-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JuswQMYY.bat

MD5 720d904558c4e52f58bb874145e8565d
SHA1 b39e594dca2a56b559eea6fb8c6c477f25b81e63
SHA256 6d6c0472a2bf912f0505d3977daf8f0a846966b910c7776c61ff964b18545174
SHA512 ea1ecb9c956bda505a09c75de3873cecf250c5b2484e874aac90c0d48ef000714a427aea09f3abd2d773245bbc947a8581c5c2903430431df3786391e9649068

memory/2984-88-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ewwUosIg.bat

MD5 912895c2d28edd6ee5d2cb5773cce1df
SHA1 5dd6da601cd9418fe7e12240ddb31bd5c20982e5
SHA256 82a3b340c487985e2923109fcf33605c338d1d0a268ac285152b872d62696ada
SHA512 1a60dec610835f0e5be0bb4e46fa81ead2eb935d83d69de52c7475b3c691748d2ef5454cba916f3da0bf316883a762f8cdaaf72f47336e6531253517258b013b

memory/2168-103-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2268-102-0x00000000000F0000-0x0000000000123000-memory.dmp

memory/2268-101-0x00000000000F0000-0x0000000000123000-memory.dmp

memory/1076-112-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QUAMkMEQ.bat

MD5 44e5ca062e876324f319bde234b853b0
SHA1 b9df219f79bc8eb0792b42ccfe562e8b0722e6da
SHA256 f45147fb40a14fc4f686660298ba7a2bac40d783e93b1f7417634c61c44e2cc5
SHA512 f1a804b5b09352704376e23a3be42ca83b29c0df7d4da2140420107c8b524e55e8de3cf84a74933df8ec23d4381d1f0ab76633d779128b29b99c6cdae21e7172

memory/2168-133-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YkQwcQkg.bat

MD5 17cc471ae18a7bf336640b3f9e21e18a
SHA1 475ea7b36ec72c45b0780675da6c3a6a9fda740e
SHA256 05b454ac30c4b9e96534bab91cdeaa4602dc0b8bc738db6eab6db9320beb7f1f
SHA512 311a89e4d9c79e6f4903737df013dbe32f45239dbadb737ddd8f1a50e4066efed7e1d0dce8874a5fb871137dfaf8741382f9accaac876b60e8dd696c0fb8716f

memory/3036-146-0x0000000000170000-0x00000000001A3000-memory.dmp

memory/2868-148-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3068-157-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AUQgIMoQ.bat

MD5 33c7af7ca8ec2ab6a9568dcc997a6bfc
SHA1 896f35f1b60b1f894c7b19b509dfcbc47b713ada
SHA256 7a5f87636acb74468b706e7a30c718e3fd7e1486d5c04b01af5b297053dcb63f
SHA512 819ceae35eb7b6deac7b0bc09618a368e5d18e1662a2a46042d5495cb0da250dc697b5cc898d0ce2dda18a719f1f8f8d6830b8a6be165530c93481e3fd38c6d4

memory/2768-172-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2816-171-0x0000000000420000-0x0000000000453000-memory.dmp

memory/2868-181-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SgUgQsUg.bat

MD5 a43fe2300e75affd3ba63dcc9f74800c
SHA1 5fb2cf1602793823420de08722348668809d04bd
SHA256 ccaa78d15b037765f2a67447425cad094780a091f1e7fcc94eb45dd8227d087f
SHA512 cbcfdfe9077f5709d14fd9119d516ac2d4fc4a8ac81d848ab83ef55ee57af2eb3560899700696f0c2c3a34e5d7656ae33be1cfcdb9a0c86acbc256245ce54b3d

memory/2768-202-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tsAsYwwQ.bat

MD5 dab25853fef42eb31d845fea45a1e5d4
SHA1 995c592fdd472ad88175b77151f5b8872d28f139
SHA256 ac232a1c57c2b5e0f77566226d87041511130240ff9cdda9a9a0a833d63f89ef
SHA512 c89f0d7afcf7d14ac967fef23b6ac2efb0888e9e5a94fe7ce5375e591163772cbbb3e8ad8fc1dbc3bb92e028ef0560eb360711a554cbc7a3e5fa5bce635e320f

memory/1524-217-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2752-216-0x0000000000160000-0x0000000000193000-memory.dmp

memory/2752-215-0x0000000000160000-0x0000000000193000-memory.dmp

memory/2992-226-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lUIEsYww.bat

MD5 50df1ca926832ae5942bfb76fea50aea
SHA1 2c697177c14e9ceb8481001549590d40ece2d86e
SHA256 0d1b2535dd34fe9fef9e9b062f98df0ed72ddf56015dec2758c1b79773265f1b
SHA512 367de0335a5e9f7ac26863c4d27ac11d1336d2502afcb362c0c2a4da7ab348c00b83372048755177e311914ab127aa269d606c21f74d6eb14e58643f0ba783c5

memory/1524-247-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fwksYkos.bat

MD5 153df1a20279db9735b35bd56f173074
SHA1 d50578d4ea348bd88d42e8d1219cf04524febab9
SHA256 3abcfe85323083aef3a6286e65603ac6d0fca448d91a38b7e51fed2c53484716
SHA512 1895b5023f8c6563f8b3129d891eaa360dffe480d24e83600f4bdeac4dd537a69fa4a5b6b4ea4cd178a9084ac1b02bb8bdb38178deb702427d24c024778bee33

memory/1592-270-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\luwAoEko.bat

MD5 8edca3bfc2c335791df822b8ae4e443a
SHA1 706f5c4684a659f1aaf6d1a95b65ee3b59b53372
SHA256 a09e1a23e2fee8062a75f81849e60c0160ab89ce2820c5a347f75fc1711d96c3
SHA512 384fe386a4ff763eee82244bb50648d33de1b73fbffacf4b50c16ce25874ed4eb6203df39163bfff30d81586438c46424abc65cefddb81137ee967b9b8810fdc

memory/1624-283-0x00000000001A0000-0x00000000001D3000-memory.dmp

memory/3060-284-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1788-293-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ouocYQog.bat

MD5 60c37dabceccbd76153f0b74f6c505ef
SHA1 0f681442e00dcd45677a0d006db694a3077b06ba
SHA256 b80baf5a01a843d36f5850c3bfbba8deecce97828c75ab7bed9b30008daf4059
SHA512 64ef152a35fadabd0ca6ce424a2ca1904fb3427a36e4e8754e42c8b1f881a5f0637a54cae39bc3eb7dbc7f5ba5e4babc8f3f550ba620b42c032b61691dd44bdf

memory/2684-307-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2712-306-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3060-316-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yUwIsIIs.bat

MD5 f479a9e74e242efaecbf5e97de2bf140
SHA1 fafdc066fab077ee3a9c855c35e164dfcca46a71
SHA256 3afc08f1144b5fc4773aa688364969b1e7a60001f2dce4503b8fa8aaec51ab46
SHA512 9301a6ae48770adb17756b88f0d1143019f2a0791b33496216524e2d23991e4ae3af944a349cbdddb6b3ed70a9e78aced11b459520a830da756670e8915eee10

memory/2716-329-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1308-330-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2684-339-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QMMAYooQ.bat

MD5 fecc43920a8951b44f7d81f6c4a49d1d
SHA1 729ac141fc6c51d13754a6205bd79c07960c22cd
SHA256 d26c9fb6e9aa61847939e0593509e88d77ad79f7ca1618821e55b1d589e45213
SHA512 2c1fd68d232b6930f3fc6775cd35a94d04baa25d1e5084dd62d7ab2ab942580041def5f2656087ddb28d12842e6bd26fe13910439ab2e717223b20f658be025f

memory/1308-361-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYQQkoIo.bat

MD5 9326379a47db62d835ae524b115da738
SHA1 7a65679ba63b8239cc2db25609d723c4df362833
SHA256 fefb143612ab07b0451e5fca65588bca0ba75fe1f737ca5729d8776b52a33d33
SHA512 5e3c22e6a0267cf1b31ee69b7cbdc62835a89bb48508252160c651bb8fc80d0475483ba79a7f2b28912f911247016e3e2391cc58e5a3444732a014b5336e85c8

memory/2452-375-0x0000000000120000-0x0000000000153000-memory.dmp

memory/920-376-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2308-385-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kUwwIYco.bat

MD5 a5f322961e94a436068b59e6c3d4b557
SHA1 1216e83a97e58db5ca78233a371bbd779d4df0d2
SHA256 5fd62df92197426877d8f150e8f168694a6ca8c201622145f7c4e6aa6854cf3d
SHA512 e9425d6025752faff21bfe2bac022363689e2554d1a1e388e90315b9382c3c18ba8d4d2a9eeb951f3e5b1d1e53fad1ba1bba4ce69a17003ad0469f34f0210c14

memory/920-406-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LuIokMkM.bat

MD5 445d1b94d570cb3757f770cf91313194
SHA1 fe7049302eb2115cc88052d2ff3c14ca2297139a
SHA256 c732d582ab5f69daf48918c34370b872a7e424c9ed9bcf62494ffefe8bdd61d1
SHA512 4cf9fbe6a8cadb030f7a245d086b6c3e48f660b59013d7dbb1193d250adc3240e5de5fadfe924844ccfb7467a12a27a6db96c7798ff438a48233cf537661511c

memory/1044-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2832-420-0x0000000000120000-0x0000000000153000-memory.dmp

memory/2832-419-0x0000000000120000-0x0000000000153000-memory.dmp

memory/888-430-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pcQUckgE.bat

MD5 02fb5e64300c977cd201462518eaf2d0
SHA1 49b2e6ac213e4307f2f8d42e7b600abca6a654da
SHA256 fdc4d2618388624545b31f6c1af961d050000b6a3bcf698803116b2a98c84e2e
SHA512 0e3668a1f6cb799638320c06ce3ee5d4ccd292ad5b9096d8b7b999006ceb7d1afe40e8d57eeacc904f22d57dc1ebb63294a95852547a12d0504f1dbd42a4f9d2

memory/2848-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2844-445-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2848-444-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1044-454-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fEYQoYoY.bat

MD5 895f7226f7622f573e2a4bd7ecf2404e
SHA1 ca5fe6451992aac82249003d8e815f54bcd8c675
SHA256 10633e2c0337e75e6dfd5029372ed1ba551a1464ea3dd742fd2ab4a8f60b815a
SHA512 ed46ec64a3b389ce062c1d70b501447154ab554c6c6474c4647100999db887dc3a02c0d1ae3a6002f8370d85b23ed4e5c481eb745b8de0df00634dacb24a1f7f

memory/2844-477-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1284-479-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/1284-478-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/2012-480-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZmAwUUkA.bat

MD5 14a2717605b6ebadcbb7561a251dd587
SHA1 830c5b084c6bca2a59e1f1af710946b3583b0cc6
SHA256 a2d01b72fc2f0a2ecdc56392f8d056b1636be3b87261e8e8d2bcda983298258a
SHA512 fabd66b46d6b64bffa249bfbd9485a8e1d546730155d73586194469ed51faa7cfcdb19b1dcb3ab4b1ee3f819120dd8cb14971ae350d10f0b9d85376f8ff173ad

memory/1204-491-0x0000000000160000-0x0000000000193000-memory.dmp

memory/2448-492-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2012-501-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nEUgccQI.bat

MD5 9a6f4bdb760d433fa9c920b14b1f0ee7
SHA1 49cc519f64e1a9ec3c61c9a4205b9248c65b88ce
SHA256 96dd9f2562458e86de78539968a92b7279616eba223a5fc85392d69f36075cc3
SHA512 6d5f20477f28d2c5fed03618d21f97e7188f02502785ff51faae7aac4dc94beb4ba15186e192c258b2e536c73fb72f4c762897a5372c166294246ae02c2fdba9

memory/2448-519-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eqIcYEkE.bat

MD5 a34a6861ee574a654a3c8368d0453054
SHA1 c1e97c57850c9e0559fa156d05afa8a658c484b2
SHA256 95e79221e2f6998bdaddac0b508da1e179f186577115872918fd19576810948f
SHA512 0e117546694aa9911d3f64c7a4aad3f13facb6062824b125c29455dd69ca46b9d0a6168946650bb7c54811eaa769d3fe18e66f3d226dfb4dbb0da4a27ca63cd2

memory/1696-530-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1604-529-0x0000000000570000-0x00000000005A3000-memory.dmp

memory/1080-539-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YGYIQwUc.bat

MD5 4b202626230e9b8060ec2e91c9ea5520
SHA1 d4e0f1737ed11161e769d5fb3b8e3db7ef49eeb4
SHA256 12f91cf351637384b5ca575e03eebddef439f896c6ae3319af7a6ba9bb58d883
SHA512 6b0a2d814eebbbcb35e0ea32eb411c410d730cab2905addb5543b98f88c869470fb602007397044386a39b319aec42ea3210c6996933377bcd835f2957c41464

memory/2596-549-0x00000000001F0000-0x0000000000223000-memory.dmp

memory/1696-559-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eKEooUkQ.bat

MD5 489b0e5d30a3f4ba23175be6e35e6662
SHA1 6a7c2a208425498bcc99f1250594ddc801e4553b
SHA256 8ca21389ce9163a1a45948c54c23327527a275ce268eb890f557875c1959bc4e
SHA512 638776df75bbf99e6c2eeb33dd4b6531392dd6281bccd2c19552145418489eb7f08fb23438b15eab2819a979472ddc8248fe0c79ce061a52c3a51c48fe58f8f8

memory/2576-570-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2804-579-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wIsIkMMs.bat

MD5 e4cc03ebddd43c497a2b446446a5606c
SHA1 9f3b38added6fd0f908d63633d83f1653c8d42ee
SHA256 ba51b13f36b5293372bffe9a42235d568358cb0f982bf254db06ad82ee26f749
SHA512 9bb6b73a1ef6493f994a45a7170cd9d54989f398d89db0002ccf5144c40833f7275e218110ba17dd82b4a9bbeb6cfb3921bdbdfb9d6b1851198f5655d0cf8b49

memory/1488-590-0x0000000000170000-0x00000000001A3000-memory.dmp

memory/1488-589-0x0000000000170000-0x00000000001A3000-memory.dmp

memory/396-599-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VYwAoMwU.bat

MD5 c55de12134e46f9761a0fb3454cecb7e
SHA1 5a6db512117f2bea6bb7ba6ae203563577078c44
SHA256 7f002cae5b672a5f6408d793e6828f809224761c662d8323fe4b5accabc73de5
SHA512 2fe3696c610462d3501a79fa141dc6fded787760e89ed6541deb018353a5b2a78ebae417014a4d23082663d49e254346087eaa3b9be6dfb9d71d95d0f6607980

memory/1268-610-0x0000000000400000-0x0000000000433000-memory.dmp

memory/380-609-0x00000000001D0000-0x0000000000203000-memory.dmp

memory/2900-619-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JeowUEwQ.bat

MD5 52d9f0fbb4cdb071070eba6d9cd3d10b
SHA1 88d9f9e1b7f907f4764cbc0f25dd9d52d81b48e5
SHA256 2af61be542aa3510691109572d6fce9d709927a8ddf6f11e3bf195cc82dcbe4e
SHA512 67afda1cdd3003a0f0e64019338ba7865a81eadb91e07d72be5b2b75b0a3784d937a76cf6f208327cebc544e8f56efe38b3a0ec57dfd343ff9b9f4e0ddc28d35

memory/1272-631-0x0000000000400000-0x0000000000433000-memory.dmp

memory/844-630-0x0000000000520000-0x0000000000553000-memory.dmp

memory/844-629-0x0000000000520000-0x0000000000553000-memory.dmp

memory/1268-640-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BYcwUsIs.bat

MD5 92ff2aa3b424f1161968d5a4a3ef957f
SHA1 e69544f728a9ec9e1d68bed502e832e8748088c7
SHA256 d23b65e79f50f5fa5c1a13e72f93fcf46e64adee4256feda5db9bfcd00e095e5
SHA512 ed76489648ba4e052f11fa8286549ce4b2b570d149d5f06f1101f1b4b8dc1f440d8bc5df4a5116050a87bf5d88c35d079d762d7b42ff3ea42ca6db39e6155d5c

memory/884-651-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1272-661-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pgAQMoss.bat

MD5 a294bb4f94be8c84e1b08726f083944c
SHA1 2572e8e3765e31af6e09296a0c573c38dba36b0b
SHA256 a6a6b56925d8752c9a807ab082a0303ef07bf286970ba5ddaaa4a2dc7d1d2870
SHA512 3bb24cc430df1098634d416fd6aa35e4debbcabb447ef7b5b06c8394e0a919dfcab112c9cb6bf6d3f5dbd5f4ba7808bc290824fefd7ecbd3831fb2096e45eff1

memory/1056-671-0x0000000000120000-0x0000000000153000-memory.dmp

memory/2336-672-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2060-673-0x0000000000400000-0x0000000000433000-memory.dmp

memory/884-682-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pGEEYkYo.bat

MD5 75e974bdb5acb5cad32b2ce4a237ffc6
SHA1 b71fa21540e64a9a477c312e3f451cff7455d091
SHA256 1fd6009e7f3890df832df1849dad1f281730e11aae3a60f104e939d6dcafdba0
SHA512 f87e85e6e1ea1daccad0c30c1bc8a16a98f79858468db17c05d45551f50b05508cd583ad41ea5100e9da07119c7270aab014a38b0fdedd0653a99cf9858de4ce

memory/3020-692-0x00000000001E0000-0x0000000000213000-memory.dmp

memory/2060-701-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iyAYkEEg.bat

MD5 29753638f0f8f2d403fcdb8670ccfec9
SHA1 6dd5cfabbbe20352aba4fd069749274ccb76303d
SHA256 0cbf3eb7955925c07ebf1bebf93f49b5b90db297018a4d6384f39792aae8b3db
SHA512 c60a2fd8b72136097fe168ae94d2638365e402ed1819d3b537dc6827819084f060a46a2957ba5d085ac447ef682fefd91257e9da90af475eb700ee653ad2cb92

memory/2120-712-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2992-711-0x0000000000410000-0x0000000000443000-memory.dmp

memory/1636-713-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2724-722-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WGYYIwYY.bat

MD5 3c4be4c1ede25ef1d5d93b9d8e4a480a
SHA1 48dc077e3e49653149b82a8dd7b1da1be5070911
SHA256 aced9f39e83bad49a07b002cf9f03a56c1d95f2fde1d773700ad275802060af0
SHA512 f97c37bc07ae3bab95b8cb775360f76befeeee13a718e80bfbdd676581741c58e0abcfba1947e47bb2403042bae20894463a9c01da1902e735e4e003a036d44e

memory/536-732-0x0000000000160000-0x0000000000193000-memory.dmp

memory/1636-742-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Qkgm.exe

MD5 c94d110ef831dfb3c1e8eeab7741289c
SHA1 ce8223691cd86ea91b59eea91b86243fa20c284b
SHA256 2ee33944e0e27b6744a8055d194b513d7381514988836e5849106749b6641d16
SHA512 f2a7075e2c1fec35e8547b248ae384596af17efb1399534c093db3238e458ac3fbc8f0e9b469f850e3546cbfa30e861d40c7f281b4880aa7f8e9144c7ecf2c3e

C:\Users\Admin\AppData\Local\Temp\WkEQoIkw.bat

MD5 ebe9243bab0f0e4170ea48854823e1ae
SHA1 f6662fd917989a6beca3c175024458a7a8d76f60
SHA256 bec2e95f2357a99a97f8bd6a05910dcc941a6508756c7df0ae3806f049b73572
SHA512 317fdb358d1e116265a78c6d440f191299d5c304ed5ef5b9043d8c73e719ce1b2ff689025aed6cb1850eb982c4884ba456e9570c5ec7c06859cc52e301d0eaf1

memory/2192-768-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2192-767-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2208-777-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OKEwoYkQ.bat

MD5 de48c3ad5d52b9f6cdb162749e4e9e12
SHA1 5a2b8a9188118984ce05ebc0a1627ad01cf07130
SHA256 c94b4323c4dfd2df56c97adb6c4a98b3914cd786766c1c011b01157415b8624c
SHA512 29b3b7c4f299c77d881fbe9e100988353f4ec1035456743d561ff28ca0ff7676e0c7423ab328a89e6431c4fb5d45f09928b9631fd5041a926e1e25e948421d58

memory/2468-787-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mCkcYgYo.bat

MD5 d8e055968021344109631ab63a3eb440
SHA1 423585bd11e63f883f08392748dcb79b594b17ea
SHA256 facae04f23799693c1e613456b627e6ef1232102d5630ad408443c8fcdf342db
SHA512 1bc123e05b5e3f4d42ec91c90ad32bf36cfc6a5067cdbe9356a5ba0b34e09ba727e5aaf95467002a5b21b8243d8585c3b8b8645b9ce45e577a1037f7530da436

C:\Users\Admin\AppData\Local\Temp\XgcYMUgE.bat

MD5 bb29ee36acdc34de00397a949def18a1
SHA1 69ac1783da6b55f6c69f04224195d42fa406dc98
SHA256 bfc877dfc7205ce8481823fba4521f696ce76f621662b0cca8713ab6319b2c2f
SHA512 bd3150b150e9b331f8a6eb0d584817e7712d60cdda23bec7fab272f4903349fb55abfa07adf1bce4b60cff49bedb0a5dceefb7a0ff3a51899cedbb52c72728dd

C:\Users\Admin\AppData\Local\Temp\vQggoAgc.bat

MD5 fb706c52fdc229a90e09fbaf0c4490fb
SHA1 191da733ddc092774d68db768acc0c4bb24efaeb
SHA256 280ae3f62fd578f62fc22b110d406b2917576806db8ef6ce6368d558c640696d
SHA512 65e3a8d474c109cd8192e2527450383fb60b55d67f827fc617fc7be8a906bfa18b6867ac59ec888f829d68c5502d914167a2388f682d0312b1eb6f5c0f43a2b8

C:\Users\Admin\AppData\Local\Temp\TcIAgwAo.bat

MD5 17fed2c18b30315a2b2c7c98f954aa8b
SHA1 b160c048dd404b4c4d8e5c5109e5022061610af1
SHA256 0835dd365d6272aed5f11428753a0b090f1dd54bf516c916621577f0c7e4bffb
SHA512 ecf9fdfdb71b165996a235e54b30c3f370b8b89ba0689288ea10127c4629d6e5d93fe30ad1450e580e4c19a2ffe50a6894604355698b8daaa3a87534cbf5f913

C:\Users\Admin\AppData\Local\Temp\FKgAooUo.bat

MD5 dbe076181ad4ff076783edda36307b95
SHA1 4203d03b0a87885321c7997aae5ff310d09407da
SHA256 a100ea57d1b0c9ff59ed4769be17cda6a589d033536198366ec8388f31e6440c
SHA512 467b3517404d318159acb2eb7ea8db8c5bec43ca01ecfded78cd60132ceb0211cd43fada33d55f2a509ce5f9c63cbb9a201833bf86c434fc41b5db1c11694a3d

C:\Users\Admin\AppData\Local\Temp\aSoAAQQk.bat

MD5 ef14f9be2bf19632822ab55ee0ecd53d
SHA1 4f6b966f36fad25332c1ad41d3f657493906b982
SHA256 8a8a01f689933eb7f9d4bf0db63f62b408f06b79e3bbf893a02a78f8b7664595
SHA512 3bda958c97f9fc96a55fdaf64924eb5b82b9ba8947ee59366953b0d420ba9c91d1fa454096ed1f88f3ad7f8c2e1f74f53c628a2de9e8a736d96b949f4bb913c4

C:\Users\Admin\AppData\Local\Temp\EIscUIkY.bat

MD5 c68328715bb6f81bb54201f2993afaa5
SHA1 573f59c1560e76f9c32fe913ab24c90f2790159f
SHA256 126b2356d37bec644b2572b346f8843c19edd059be3f04aa0bdc50abba731f90
SHA512 6e7d0173db775f12968d02976a936decb19b109c4f7d4a263e813bac6cb160634610c4ad990ad2836c27998df5a27bcee307ddfe2411fe00d1743da356d02004

C:\Users\Admin\AppData\Local\Temp\yWUosUAk.bat

MD5 2b0f6250fdcd489bc0265219224b631c
SHA1 29cdc535409301c6d74e42c821a8c4afa9d59b87
SHA256 273d9034b7d6eadc26f8ca3e07aa8a2c1078fa95625c8b171bf4840c87b33448
SHA512 7a3e8d4c0edb88bd00718b182b9b0ed41b8c30e5af7776979ffb1e875adbe5e100515690e4a35069fee0316266cdaa252637f002bc75f21808496579ce422c39

C:\Users\Admin\AppData\Local\Temp\kYsIQAcY.bat

MD5 fb04b01fe202258234a8ca0fd9816bb9
SHA1 3f2e286a95175e7d7fa288d9aa80ee6dc6f889bd
SHA256 11e4d1827859e67ebf222e52a8e5c8859b7ff1ff8ab254c1b5bce22b2d4e450a
SHA512 ea33c7ee960f5c5c5c0a806524bae300bce9522139c8aa679cab77be3349a2a7e8afe4d59df87a20de14adfaa0cf018117ecafa23eafb5aadbd98c31439154e2

C:\Users\Admin\AppData\Local\Temp\GewQMcoc.bat

MD5 edb03d26e91cddb79e189cb742de6a8f
SHA1 84619bd99f7fa2c9fedaef856fa787ac0b97e1ea
SHA256 4eacbb2625872fc10090b6f8ef9b167275853f811aceb0f8e215fc58db3cdaf1
SHA512 eadc72f8747b15f922aa85617f26dcad1b7a2d779d624d6498fa4614dbf18984c396b4b528a1a47f003af705c1861071b95605b99f3b5fe5e433b477229389ab

C:\Users\Admin\AppData\Local\Temp\ZEkkAkcQ.bat

MD5 9d7e7f92aaa473ae6c0c5e48d1e7ef53
SHA1 8ef681ba36a22572d7208fbb817a81455e6a900d
SHA256 1a8db89e08a89a667c2cfd270bc8f828b4b42a55d38c45aded9e8d39de6d2656
SHA512 9a2d94a24c5ece0ba098f2e79dd15754bd27320aeb5335ff05cd5fb4143331b894a3e922a59dc642f8471663464a9ecc998a08dff56b3783434a577df9def728

memory/548-1020-0x0000000003DB0000-0x0000000003DDF000-memory.dmp

memory/548-1022-0x0000000003DE0000-0x0000000003E32000-memory.dmp

memory/548-1021-0x0000000003DB0000-0x0000000003DE4000-memory.dmp

memory/548-1019-0x0000000076F40000-0x000000007703A000-memory.dmp

memory/548-1018-0x0000000076E20000-0x0000000076F3F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqwsUIQM.bat

MD5 0e08e37cd781ac83744ec946ac1550b9
SHA1 7f1d075342151b8f2ef43450e691d1f78e5d7aca
SHA256 3a2c8c1445a21309ea08381337ade4b100a4f0b7c596b4a1796f9047c7691510
SHA512 6462403b15f16a9a5b223309c29af37d0589b843f963224e9ff8aeaf894999ec357bfa79923ba84fe059a6284d055f19f038b3f1a18db187d398c123ca27963b

C:\Users\Admin\AppData\Local\Temp\KYQcAYgk.bat

MD5 ba9b581b52dcb37e4f0b418c2e3f37be
SHA1 a23b35dda0697e58c73416f7e3029c0e2678ef6a
SHA256 3febdd4a829c73e28cfc0c7f629f98b67baec960c8419e6dc89520b4f33ade69
SHA512 9c9f749308cff7933f7ddd21ad2a3d03986cffafad81d59f58e0244647d3920570f728fe516bc26260ef79eb37c0799d4587aac09e783d5910b3c8c221ef7e27

C:\Users\Admin\AppData\Local\Temp\qCMQssIo.bat

MD5 84b73f6b3a0b97ef30d4f83419e9dc6a
SHA1 4042366f880a4e6d48fd6aa57a0a16a633dbbf3a
SHA256 8bed4334b05c5547ca7d8e215cd1327ecceaf8a616df19799bfbeb0d570e50e2
SHA512 d608fe4527d597271024a77705338b55e754876749d559eb66fa44eb217e968f0a314f4dd6867230c9fd264770cab18f14c4a2ac3236b4bf355cbf94d7397ea9

C:\Users\Admin\AppData\Local\Temp\aCEYEQEM.bat

MD5 1bca1569e7de58fa84521f0274718de9
SHA1 e982c55a9ce22f316539cbe00054a74163bcd37c
SHA256 466969e17b94830f209d6976fce71bc4284ffa4e6a421684e31926f00ebc3152
SHA512 500d2099acabab6222ce6e068dd209816a830677b811aa035cbe9c84d39d2672bea580f0242b132891a23af4586db8c6d5838693312ef3f56acafc7c986c2994

C:\Users\Admin\AppData\Local\Temp\aiEQAEoE.bat

MD5 8a4e8ef27f236bb51bff27af7dae3455
SHA1 e269c97aefc27c444b8ef5d7fc3dbb341a5cd509
SHA256 a9f1049048bdb18091f588886a461af22109d40d0322fd313a850b2c21b5bfd8
SHA512 143732c12a92747d8609578895c3f1bce0ed28993dc0de807038fad2f52dc5327c1d2fbe2dca4ad242753dac23d5879ae4b98db429e73cf35bc7ab28703a0ae4

C:\Users\Admin\AppData\Local\Temp\kYUkwYss.bat

MD5 e2b4cd35593554b5b428612d7bd76789
SHA1 c0a13c7310dabfdccd5d0ed598c1e0ddc24fa92e
SHA256 52316c74227786e07535f940a46dcc35d1d4867abbe19fe28d5ec7419a5ecda2
SHA512 d725434ea21411336ab1e5b3318444c7e7ca9233bf12f9f802b04ab8c7e88ce3f2241a3735550deb1aeca85b7048880ee5fcf71fe2466933511e7809875e0d65

C:\Users\Admin\AppData\Local\Temp\FiIAMooA.bat

MD5 217529b412ac4e377bdb8334410f521a
SHA1 897c0b4271ea84647ca893769b56e178baabd62b
SHA256 d891092c808fb00de3a1721b87766a58d08c4c6e7967f2e4d0c6e091e022805f
SHA512 5aa10d6461604387b01aaa8999403af5abc6202e68e72674921cd0185d5fe039451d909a6dacfe17b21576da781616147e0bd6ce401cb070b793dbe016802a30

C:\Users\Admin\AppData\Local\Temp\RiYkscQE.bat

MD5 292aff882d526b6d201997caa58dc6d1
SHA1 4612e39b3a9529d961209600e94d879a21c93317
SHA256 072d6daa7b041afadb3ad13183849d3a6a741d7d375bdb23cd91c0d5658ef214
SHA512 adf7b8db40f603fcc33d413958876a23132464488c480f1a0964c201dd2b9dd7580d16449a83e1015f82560f7a181977aec4918da9ecffd3b17271688258abbf

C:\Users\Admin\AppData\Local\Temp\zmwoMMkc.bat

MD5 e0c8371688410ab543a16ebdcfca4da0
SHA1 c4f0457d31f44f374fa97d28ec2f547951367097
SHA256 8a3c749be03190d0158b0cb8ba9f84496980ca5fb6cdd5e38344a28b7a63c1a5
SHA512 6cdb9c5b4c0182bcb773a08b23e47b35431a7c34215d4b3e4aa5354bc71766f84699949bd587612f1558c7ec7d52c13c9a21f76ca95336b90279891b1c031549

C:\Users\Admin\AppData\Local\Temp\mQIG.exe

MD5 6b9bad9055e6d30c2fee3c97366ce81b
SHA1 3cbdbddb1546a853120c49cd63251c602ba3edd8
SHA256 b71a0d383a1293ea79592d79abc154af39f7c18fb02e10a6d065d417b11febde
SHA512 2d245b13955d0452582a062e38023ec1f6d02a9e0a2110d1e2b4d089a6e810223064691ecfbd854a285394779254900a0a884bfee73e8d9cfb65645500df93b2

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 c2103e47fb90152f306a552e6683fcb2
SHA1 4ddf12d4a5330ec5070fb1f3a7ecd98582d32f1f
SHA256 09966efc2b03fd152415d8ca7f89aed9bd97a63507dcad00a6766b953602fa70
SHA512 d1fdc974a1731dd9be5c93bb066a9ea470e6366c8a7df185b4f9092fb658b06d56945d933ff72a457b2ae82572adb26518baf97d96807a3fb56b469f4649fd19

C:\Users\Admin\AppData\Local\Temp\KwAU.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\ykQg.exe

MD5 106bca83cc8fa36979f77a383fea2b9e
SHA1 97d71f3275df87fbd68c5a322935e1acb7208bec
SHA256 cee41fa58fc12dd241b37107beb65c85c05709f3689fed88146cb78a5d18ec41
SHA512 609874ab17575108cb092d43b3017f35c47e639a6b397a59c07764d28ba2c32ccf52d35dd0251a145a075cae7b59ebbf2d04c00dd61c4a116acfbb3eec025689

C:\Users\Admin\AppData\Local\Temp\ZSMAkEkc.bat

MD5 1d790187adac04c2ae35e48a5762fa08
SHA1 21ce37cc30d6f69e88d3f2a6b00c8916a35d57d4
SHA256 ac580d39b70fef6b98a98159eb7b8d417cc413a0de0bbdd7d25d936849b567c5
SHA512 d94238fc44394b53227ff62d2164b8c30274599e68c514f0a0c0dcc5ceb0db945ccac5595ecb95441c2f81b7720ef7b40319bb2bffe6f65568b1621931363f6d

C:\Users\Admin\AppData\Local\Temp\gUgG.exe

MD5 085a79d8c5c0e695b6ff6cfa2b3f0afb
SHA1 13eb0cf615621d80226bfc14588b0b8ba6b5763d
SHA256 1d8b96abd941460ddaa48787c04aad2989945eef60709781ac67060aa037a8fa
SHA512 3d555e8442b77d218912ad75c3930e24b8e5d50eba46b49e75ee6acc584a16864e49985926f386d4226ddef8fc45b7de1424d92b566118d6cf9c10a4492ef9d8

C:\Users\Admin\AppData\Local\Temp\AgAK.exe

MD5 64993db2fcf60ab28b8e4a89784ad03e
SHA1 322c69ea697c0722657783cbbb6e0702bcf82695
SHA256 87727d05f427591a87d09b3b6e29838cb7dc861ab0f24dcc8cd598612d449484
SHA512 428ddf43c1657833da98797876e6a96559bcea19862f110167f31c73fe517ef438f4dc1f52a9463130448b85ffd24bc6294bc03e748d397ccb9acd4643f485b2

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 ff3a6b5d0c25cb4441ea398c109b9d29
SHA1 6801abb5b3960f0660833a7f19a8d8b13bc49807
SHA256 08941f8edcf41869dea76bea09f31c411dd8bd9937f892d2ab3432d93fefa236
SHA512 e545a242d82193db2fd241dd1bd00fa2a69895dbae1203963e2f237509de52dd7c0895cfae3337ed7c2d3951efed522297843ae1443b96418a03f74bc02e6bcd

C:\Users\Admin\AppData\Local\Temp\IQky.exe

MD5 51bf495241395f967d3e0b65592e6d5a
SHA1 2d74fa481ecf14629da1dbfbec421783d30c17bb
SHA256 226e06f8d6691c7b83e40dcce42c6c3fd4559f0636bae1b783aeb1e4aa02af77
SHA512 fc914581c219884538cb68df799bd4eed1e6a6c6b88ef4ed8b1c892100d9229726dee74deddfa3021157c3cdcd2cfb9ffb86add0ff16f50ef78aa8463b335aa2

C:\Users\Admin\AppData\Local\Temp\mYMY.exe

MD5 b56cd8a53b7a1cdf91bf2fc66744afa6
SHA1 67bc238ffbfd4283cc956de716527dbd3e6d8c45
SHA256 2a3cb9fd6ffe01565164cca02d4cf988024b4f9646ae2db63dea6e80bdb0c48a
SHA512 510e0cd05278b951bef48ef19b82c7187949d576327eeca44ce65fe7086f6590fbc1c7f874b539d53d103a9ad8bd3c52040a79bf94b8ec860b6b398aeac0fba6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 229a596cba2e47cdf2e8e3c84c67d962
SHA1 d11954ac8571cb4afdb6b0a6e1143c2c0f07923c
SHA256 26a9bc0c547056a45dc5f1181e93fa1f1b29f73dec5b86bd78e36ea2aa284026
SHA512 532387d1beb5f0fcd582fe4dad4e18aefe5bccad7de72a4eed06832c57ded923f921c0b0a70d90d4d02d7fb58850cbd7618dbdb35f64459802ea2d9c7b6c09fe

C:\Users\Admin\AppData\Local\Temp\uCwUUsQs.bat

MD5 3192f26ffc584f105cfa07f5b7b26f4d
SHA1 83797c5ce7ceb862a761acab59cd10a63bddd02c
SHA256 c4b37cfeeb07f4c40b5066ef2f24ebc908197afd95df7cfb58e053cd3dffe70c
SHA512 e5ae3ec6079d7c9a553e1a8d532d240004c3327a6cf70a993e0cbcc2010ae8c47629bf7efe8652ad7485ce3896c57aa3a028ee16666c3dea3fa88d0679dd6025

C:\Users\Admin\AppData\Local\Temp\gYYo.exe

MD5 cab783dcf90e728abf011f95e025c4c5
SHA1 01e000fb5d3ab5e39f6f8aa2992a41260da32363
SHA256 ae3678b1069cdaef250449f2e0aa83c18e0686e73169a78864fbf31605db8a50
SHA512 dd8010d07afec67eb90b8eb1bd692f9ad79be82361aeaddf708645a2033f196d6f99fe9e6bf8a8048a01dcece3f024cb58931c0f9f5d0868652c806d4880dd5b

C:\Users\Admin\AppData\Local\Temp\ogII.exe

MD5 b6e12012ef900e2c09ab568be99e0624
SHA1 caa4bc7528c8cff5d7ff9eb1461c36c920f252c4
SHA256 4e354cd3688d0f15df29de1bdf227c95f2c1be4899202a670649ac5d0959f435
SHA512 e49dcfbb8b84e70cbc2f3a665802c23a2e50f5a008c59e9dc606bef834709587f88f4d394e353b99f668574e296522d89fe02086531efa25c43702c61d3c7a6a

C:\Users\Admin\AppData\Local\Temp\ykQa.exe

MD5 b16ac4db163f528a4d187e2509b00bec
SHA1 a648a5d51b7337bec2dfaedb0861f2db406505cd
SHA256 17acf2029f1adc64bfbd0551cffce34b601cac23e461b06e45e51f2b6f30f60a
SHA512 4d90743fc17bdf90bb0d02d3421bd257b3e8554f75a966a131c24cc70f82b21ff0f7d3a337514fffa16ab20d965cb00ecab2dd864080dbbbd8c82cbd10de4b8e

C:\Users\Admin\AppData\Local\Temp\skQW.exe

MD5 91b97948be21bede1468bf6362be947d
SHA1 3337fccb85b00a66f4f38f990160745747ddb4f6
SHA256 8d6b218f677047c740cebb5b77aa207dda6f9aacd46cc6044f255729a972bc1f
SHA512 ac250e921e0a8dc6a581e61beaa80f0b19c859b0e7a1230e04d405dbe546002cdde1708bf74405521f95b13853fbc509b2f59b9db747ef62b2d274c030b6b578

C:\Users\Admin\AppData\Local\Temp\KYcM.exe

MD5 21fa65a62154812525cfacbca84b0be9
SHA1 105bb705a735155c4227eafeb0acf36e049612ed
SHA256 9eaac572ee791555c35f08e029d0328ec4c9133b4b079e487b9b95b5541ce2b8
SHA512 5ccc82b1c8174337b85379245d8418055cc8a5ed23268b4575a6c1b1fe2030b53133b406c5096951639366cd47db1aa4234b71b9d9d6b258fe5a324cf12ee0b7

C:\Users\Admin\AppData\Local\Temp\AAci.exe

MD5 af1e0ad06532bad85c8c40aeba316456
SHA1 e83bada1c2d7312723226792960a8c12ebfaf4ad
SHA256 e1c789e5385d3d374061c50aadf858d2c5e931fb464a4af18015a4b05b171c11
SHA512 024e6c0bd0241eb2ef56d73135349c36393edebb1600d9839170fc2d31ecd76f84c19937e23b26d8aa2b0eaebf4afd90fc4a61c6092dd9a1de383d7d58df546d

C:\Users\Admin\AppData\Local\Temp\gssQ.exe

MD5 0750e82cce69cbf3e599774461abd665
SHA1 b2cf00824914b1d5788d8a05dfa172fe66c488a3
SHA256 6fd6a5e4a64951e563759b0ef7fbce419f55065f0f6d91731466ea2604f7936c
SHA512 3205b4d2dd94866813e8392428e0d28d0c319a275b206634db2e6f0258822aa9f71094bab080f6f46fa2ab279521cabd6d37eb452b358f03c49ed8fc60c70dab

C:\Users\Admin\AppData\Local\Temp\sEQAYogc.bat

MD5 5d2558e9b3024dcb956dfd92f8706414
SHA1 e1feb0cd0c7f78a520554c060116a6c1818748ba
SHA256 2fed07348016e92a1100515623a5844d027d896d45293366006045b08bcb824b
SHA512 3caf32e59262a3bcaae95fa82b3df6663985bae347ce0feae12109a8243887cc87e4b0a0fc716537949503989c2943786a67f4401949964f1f35e92f3abce684

C:\Users\Admin\AppData\Local\Temp\yAkE.exe

MD5 f9b34ac6c9a2a9941f817630ca06234c
SHA1 d0256a53df3c10ff2f2981dcdf9c52a443cf091e
SHA256 88833c660bbd5388fdad07d1524f182d179a83203a99d58781d641bbcdad510d
SHA512 d0d6987429487a1e080f9e3cb14006200e404e221cf9b510d8d6fccc2f09c8871b328e23c46eb48ea28f231e5c9fd9f9b1d6aed4dbe0410e668c079f8f9f6eba

C:\Users\Admin\AppData\Local\Temp\Uwog.exe

MD5 4e1a36ef52409aca56caa92c7402a5ce
SHA1 bfd8ba3862a8a4a0af8ef81b72c7bd238f8b9859
SHA256 7ab69db453378f29c5601689586c39e360550af47fc0a1aa1faf1519f630ec4c
SHA512 00823b15b44f9b212d181ca319a067df28279642526b094feaf3119de01930937dc9cc45f0a4634e77d5aad92c520d04bf2cc888f9ca2a4866f4cfbedab1901d

C:\Users\Admin\AppData\Local\Temp\IYUm.exe

MD5 68240379471f74ba991bf7c5ce539b52
SHA1 0b53fc2514b2c7c60f6e28987dcd565c413030dc
SHA256 09dfee89bb316f89d631977b730a6a6c16775f32a1b0579b1497105a9cdbb7bd
SHA512 c63905014f74dbb5f088842fa698c21e477fdce1a8f734a97c96aaed646ce807f1c3b9ecd8b84da1b28a8086cf067a6734e1693c2083f3b423d2aa30e8ebbeff

C:\Users\Admin\AppData\Local\Temp\YMoI.exe

MD5 64cf978f1d7ff45c434bdc33f3205eed
SHA1 f1838f3456228f6733be99b0591a6b0431d44fa9
SHA256 7d559af89653177fdd7f27464d44564f7a051c15daba3adba7733d0057cc9b80
SHA512 820543741e4af34fcfbfd0dec143a394c6134f916f126ec58c3a784bd61688cbe3537c0c5698680bbec66ce91e7f19cc4abfae8b0de2962486071eac72e0c4b0

C:\Users\Admin\AppData\Local\Temp\swoG.exe

MD5 e252cab26dda8661f8444837f5577a6e
SHA1 e3ac45899eebde4cbe6ef43a1b4389775f6a0cbc
SHA256 ed090aa923e55e92c9d737a4dcf44008e79b15f94a01ceb74b3f6f4f0c30830c
SHA512 549a2b63fe1f98ea49e65a9befb5cfcadbb73ea2e4e90941ac9064baeeb36ad7e5c38c79e2b68beca773c19e0697d96c7ea1c0140da5a951a80f8dd2c458cefe

C:\Users\Admin\AppData\Local\Temp\MqsAUMkU.bat

MD5 42a14a00071ea7c6ef172b411745c6b7
SHA1 6397019a58b7e94600bbee363268f0db0b238fdd
SHA256 445bb281cce00e07aad4bcfc483ab528cc78712ce35e31a41049b18171d3a608
SHA512 a9d11b7e17368277491bf5fc64a9bd3fa00e68fc6dc3f363060453b6cb4510a6343ed9893ed1fe66e620253f9098fe9fe6e3cc83decdc552dc9c52f00517fdc9

C:\Users\Admin\AppData\Local\Temp\UwYY.exe

MD5 a86ab47ed24ec6b7de099a9b42c67a89
SHA1 a45dca6aed18d36df92e760069c116beefa74e34
SHA256 b01fdbbf4caa0abe91567c63128328d6b93627e7cc5fc5c97f208a7042170435
SHA512 071e504f4bfeea28eb82a076a2800a711db144a47695233d00fd309eca7532198bca17f79aec5af5130169fb8f55e286c12e1f51996ccbdf4e5105aab93991af

C:\Users\Admin\AppData\Local\Temp\CsEs.exe

MD5 aa709413a9960a8e25524fca48aa3cf5
SHA1 6e0c735840aa002d4aab8e577bf5e9ee05a7690e
SHA256 00cc573339a3f6054d345d028c1710718a30feaa9c585168f364b521703aa130
SHA512 033680b58dfee17ada46b466d5bf454aff83c74bcb00e2f0616c065b27d28e2aad0a346730bf86a6b31c766ea8ab016ec7f7f1b3fdb584bc904dee1086b8ecc0

C:\Users\Admin\AppData\Local\Temp\mAUC.exe

MD5 5a752b8dfc9774bfc5479fd20e8c3e30
SHA1 506e8d4875f92d3f295738b563ccb8e9c3f6b9aa
SHA256 22d11d3dbe94cdafe0e5610781baef5add008a43a7bdc192d6c57635380e9410
SHA512 700d25f0ffa0b8fc344c66c5d89c14bf2524a28acd0771df91e5e3140f889bbea6c1e0778b386f6c1b9ee94f0773e597db6f5569234cb9a649956222075cb272

C:\Users\Admin\AppData\Local\Temp\aUwm.exe

MD5 d914daa5fbc42829b1b5adf0d58d1870
SHA1 b1317c2d27fc2897cb92b2c19b8dc8ae9dbf9c76
SHA256 0c6e6534557e7bfccca2eed6ce9679f30be4730a4561c85e9d233732684a7155
SHA512 cc0af426f787ff031cad62591fbc96ffff4ac0aa8523c341b35304fd57092eac4ab9de74c1e9c374cbdb2e8676077cf23b6a37b5532d4a299ec671e82b0f5669

C:\Users\Admin\AppData\Local\Temp\CgsO.exe

MD5 baa06087243cfdd16eb0649a292ac83d
SHA1 37a4bea28521ac977b8a5bd4c5c41f246cacfb26
SHA256 e23f48ad36fcaf34ca937e1cac07a4265639bfa9bba910aa90a30f8cfcf6e0f4
SHA512 3c933b330d15c90193e748f6a79141b6fc626b522c58103a5b2f46dc7f67f5670f3ccaad954fe67d252485a03bccabdf8eaa40b56e6269cb4dd82639dd21b39f

C:\Users\Admin\AppData\Local\Temp\MYAG.exe

MD5 39a295078aa294489bf28d44d66d7d74
SHA1 7281dce8347c4b398e6a3f976f058b7c25ee9de8
SHA256 c06f50662aeef623c569db924253f6522e23e4185e5f36320b7cba8b798dd6f5
SHA512 ad9edc5a51f320e8b4559c3ec1840af9f73081a02087f58a41933ae7aac661c13a43786964e630b8f54fd92235dc2a84e5b0b7860a0f673a928dca3fae010b57

C:\Users\Admin\AppData\Local\Temp\kUAu.exe

MD5 9dc86f7528a70c1c9e8d003a45e090a2
SHA1 9b8d1154408beae1c1f622c7b8984d2d468e111d
SHA256 1af48963c489eec09c49e25e73c95d98adc5b18191f21cf5738f364bb970e75f
SHA512 5a1d0a93cb43ef782fbd18502a0a3d652a9230d3dabce1c1fa1f85a68b3ba9cdefd9e09c0900b13ff1b80c935bc7975885a8b4b06045ec7baf651f67348666e7

C:\Users\Admin\AppData\Local\Temp\KMgs.exe

MD5 e526d9fc849793e95b83d79744c03f68
SHA1 5723be41b9846384874d27baa772f748cdb62968
SHA256 00181a089b40840c7227ce6751c1154602c7682460b1830b5b761670f18e7dfe
SHA512 137c4c2b10b6b3f6ffa82e4e83fe13a233b6590e979d380511d1b56baba5bdf3b8f936c09e06cbb9a0d5f4c67d804b5e918f8700c61ebc7f2c4d1d4f11293131

C:\Users\Admin\AppData\Local\Temp\KEEcAIQQ.bat

MD5 36d67f5668b1311e7d5d19a0f9574a1c
SHA1 6f3a888592df5413c7ba64b126caa9fa7b280b6f
SHA256 91a6e61fafa029bdde47db933ebcf6f1477a750f710cebda06ea3dfd8696978f
SHA512 d233a60162281ebba608440d0d8b28e97a98b240646a2d9d72c4298fc175a3ccaa348a8dc80b5690ee77f3ae35a2e86b3a89fbec217cc61c745f3f79ace2c5d4

C:\Users\Admin\AppData\Local\Temp\GUAM.exe

MD5 a66f2086a69c327a36f965faf3a365e1
SHA1 f36c9e3bd6817306724a92c3298abddf09aab653
SHA256 587e0e473cdb91a4cc8a7b68cc092fdd651db19a11515fe3c4844baffa54ad64
SHA512 4ee1c6dd275b8ac5bfa13a3ae116a984790697f912ff4bfc1206b9614bee673060b4e51948fd91ac2a4568ef674f0d706d99310eec44710192cee6b49dbabfcd

C:\Users\Admin\AppData\Local\Temp\iUgY.exe

MD5 82125a488f48e1abbe0f5f04c01d6815
SHA1 27a113f5b80373eee6bafd7f959851e4dcf8d73b
SHA256 12f2f85f60ae4e3a4bef873ff9a493d7a6ad26eef2bdd6f6f17e8feb3a0a0417
SHA512 ec23cb33993db0d15fb3a91776ff727ce5f6d81e2fb6cf697a55472d7e00f5b04cdec06256a5cd6ef742bb2192dcd9224320c7ba279fde89f114c9f6814377c5

C:\Users\Admin\AppData\Local\Temp\iAIs.exe

MD5 689a33a7a396fdeab0596772406ea863
SHA1 329f3555611b4717b6d7f09774c69a7067b6bcc1
SHA256 3965b0054efda420cfe7d45c7db7f347252c0721c44986c2e3894985e06dcd69
SHA512 369022b8dd985a6871a3cc989afa283a1f5eb40917043787741f7247dd0f70aa82fab9922cbcccb3a2820915963e3dd1647de7d146b54aec26a11f9c2da9b489

C:\Users\Admin\AppData\Local\Temp\UUkq.exe

MD5 0ad97247b01e202f16a579dc2f70de5c
SHA1 8103d373c3c378060c547bc67c980ea7081098a1
SHA256 d979d916a5eb077ee1dcfeaa24c222fc5456873cc6cfc22ad3bcfc57cb173b6a
SHA512 53c0672581c8f69b0df3f867fec8f20780d5a25030c627ab70674115cdb38ef2128c55db6d0fb6c5e2c54e43055dd4dcfa35f3005dbc880ab7bc0e55460617d3

C:\Users\Admin\AppData\Local\Temp\Cogm.exe

MD5 64e753b41151c4999578b437cf4d323b
SHA1 e7e117028ad53bacfe8136bad0ba340a5a0c97fb
SHA256 6d65c856dd21ee2e778d41bdf2068f36d775c203c1368903851dc8f92a788ffd
SHA512 0d204ccff6f22b40fb1ea5699057294a212b5b94416645300fcb16631de32fc41a4cd017b41fabab9a45e90b3fb64d75926fc5c36f19a4f81f33d3dd8f6ab18a

C:\Users\Admin\AppData\Local\Temp\HQQsAAQM.bat

MD5 f09dd398bcfcddafc16eb9b98d24b7ae
SHA1 35c49a26f95ea2e7d47e9dd9a61d9e8a034c4127
SHA256 a7d337835e688db5210a5be3fd6d6fc3bd37d13f32c09021efa6b415af21b935
SHA512 f734bea16363bbb87d45d225649fe8cbe51dcf00aa6d66d55cc7d28485d9afc22cf0fdd240bc1f8787acbd69bfd0cd4c8985d5b235349b0cf6c6bd43b70a7b8b

C:\Users\Admin\AppData\Local\Temp\IsEu.exe

MD5 2f8727e25e43938c8ba2030c29244146
SHA1 abe4093437b4056704034205442d7ef154577779
SHA256 699ab541839c283dec5b29ecb587bcec5f7d63a02b467de1324b8e50e835c75c
SHA512 a6609d5a01600ab496e975351f088954fe2c748f10a35ae16567f37b20bffc0f79203a2477ef95acaf05c00edcaea2d45d6de5f67d575afcbf3b8f8ae66c4129

C:\Users\Admin\AppData\Local\Temp\sUsO.exe

MD5 10c9eaa3640486fd5fc8c769ab2a1e9f
SHA1 cb28dfd192e0dbc84091793fa86f39fd9bb87187
SHA256 23fb4e2314113013fb36cbbef0fe550aec635fc7e684f8cd0ca8676585c715bc
SHA512 bafce99c2152b4e9c7bfc6e8a5c48c644cb09e8759dfb7cb029d4c68e6ed7dc58be5a767b215647eb3ae8e2ba93af64be83fc1b0eff432362452dbfee43eeb51

C:\Users\Admin\AppData\Local\Temp\IkEU.exe

MD5 53722d37141da3937956d403794d755a
SHA1 082e648e086eb10dce460a1338a15f4fdd85cb02
SHA256 44ecc878e65d476e43ad80bffb11d9f74472db1218d67c4e75db502c737f91e8
SHA512 397abd84133fe68631f8f044b8dee8d53d02c1e5e84af88164e4d7bd7c0b827ac48a539058c0315385ff5eb4b728cee75be631569276a4116fa0e9c5a3166964

C:\Users\Admin\AppData\Local\Temp\AskG.exe

MD5 3f952464a5afa03754301ab953977dfa
SHA1 c6f5515feea77266a07adfbdc11024c2edd4387b
SHA256 a48cc290e6ae033ce7e6656b36d56273e0d4a5445a39ff1fbf81c45134cb906d
SHA512 dc38aecf14f5babdedee91703b5064da0103c72b0a82bf395225e8c07e4088242f52c05b993c44413e0d14798d74eb5a2e40599c44f2cc809b6851cfc164959b

C:\Users\Admin\AppData\Local\Temp\ZGIIEYUQ.bat

MD5 8269c912416e4d53b2929f2a95a7382f
SHA1 c440e69a0ef3634a007a96b266add05f2956c17c
SHA256 1924008f943ecf6ae44e170b903f7f8531eb62c335c465bffe0f4c3488604f28
SHA512 896e9a37d5f675889a054778aa7ac38c0bcc55c8555c0bb2adc1073760e35a294dca72f547741977b8c33acd07a9f8b330e603cb1811fc340a5848115186e3a0

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 7cbbae44376a7247511c421e2c68e1d6
SHA1 cd2d76a736dafdd9f82a4ae52a343e494b311ecc
SHA256 7dcffe8c259b22bf0adcfb3e2149ed0a723628e7aefbb07a17ed0fa5e411e003
SHA512 a9b2bd15a76c06c4709136a0b9f2958d34170011a9cb6717e0f2ca1178845d5a66f77ea4000db319e5c8d06fca5b48d0ddf9cf4b1d1199e4e951ada17b4b89f0

C:\Users\Admin\AppData\Local\Temp\AcEg.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\EIcQ.exe

MD5 70b223b2be065f663795908fcc94712b
SHA1 ce866b6b7664cf99aae3480083a93bd3ebdcebd7
SHA256 cf00059c90401f6a60b94fc4419ac7c56db7e6857b30f4a864bc1a05060c6258
SHA512 654ba8006cd219471bd509f3b68de0d63e415fceccdbdb6b43913028454386400554427d7f8d65d84a4d49b84ed9b73a51934a6452f71d4466bfddad2cbfffd5

C:\Users\Admin\AppData\Local\Temp\AwIs.exe

MD5 8c398edd19ec2fe123356758596436cf
SHA1 4cc5987ba507fade51c04c7a2b4e98bae3cec65b
SHA256 7ddc8bff84a87c991d324702f65037762dbd31bd38d51fac4f3d2be6f61e6e22
SHA512 9ecf31ffcea6ee894694d745bfab15bc39a461b1ded708804cae52c6a85b49d8beb3b92daa043daf2753742b1e0545984cfb267bae20e9bab88f2985f8d39909

C:\Users\Admin\AppData\Local\Temp\KAAm.exe

MD5 d039d2e5a7a98d41a2640aedcde7d593
SHA1 50f22d73d6db311dc244513509d67b03f0c28834
SHA256 b98f83c2c1e771cb1eb33803b4ec841a3cb021111fff12ad7189637d549edcd2
SHA512 aa51e35f542ced5ecd8ee5e9bf409a182e927ceb93dd0b61512c4d39c082c888a00f27805f665a1209ea10df7e192e9ae8e9c0b10d8d9cb194e82ee9f110f762

C:\Users\Admin\AppData\Local\Temp\vyAIkQEM.bat

MD5 b0c863868f52d8b384900e506015b6d4
SHA1 8bf562d89b007fbb8bb20a32c9c0dfe8285e90e6
SHA256 fa816ac90aec027e63dcfd07b1ea2e19be20ba592101e91c5f606f2d1277eaa9
SHA512 4eaca6c932f3d9c3b78118b061c804989e647c3e341e61a0e1a4aa8055977ac523144ca9622ac683f8a1727816a5db706f39fd1bec8baeb0610ad8709654ab8d

C:\Users\Admin\AppData\Local\Temp\GAMA.exe

MD5 9ff7901fc3f5c706acb4eab8324dfde6
SHA1 e56193f46305633ae3b7ec3cfee599676b2fdbf7
SHA256 985babe7668f15411c23319dc89b874b8cac93889e010be72b334ad9fe094a51
SHA512 4ca469899daf4bba9d92f24b6c39047d0f7c357caa1d2cf9d04c4f9ecad1a906bf20d68ff1532e461d9975eca58e3490cd65bf5ab35bb1e093c15e6f344d5b61

C:\Users\Admin\AppData\Local\Temp\NywsAAYE.bat

MD5 ed5e77ac6f52ee65827aafadb378b85a
SHA1 5747a0cc1b59020daf7d4a1444bbae37c7e89929
SHA256 a17c0349634a6c7cbbc4e81e246f7039a1a4b7ff1d501eabdad5f072032ffb9e
SHA512 362cae7015293b5dc3e6b8efef0d0df3c85d7919894ce35ee9b266139a5a592ae81143243a7f187307f1221cc2c61aa738cf369e00ccc91fe06140b9e5a1e0d5

C:\Users\Admin\AppData\Local\Temp\rSQkcYUs.bat

MD5 adaa488991143928bb6fb10e1f804a13
SHA1 e1991c7cfa597abee84e3e491602cecb4361b404
SHA256 7538b6c1014491c338bcf04645a34b1c0cba0dd46cb3fb858561d9a8ed5ba20e
SHA512 4a6cb5daf628610a9542c5ce083e73360454368fac0cb7e3265b5a9cb55ac06ca515c887a987976afafaeeee1c25837e428459a8306055f80274753f91f787d0

C:\Users\Admin\AppData\Local\Temp\UesEsEYE.bat

MD5 900c0918189edcaa762319cbfdcf5fe8
SHA1 5974891cbc15fb1362f66f433041f6d1a487a033
SHA256 db6a4c8935bb28669ad4598462faf1e0a127dd687b4863428bd9eeaff0256ef0
SHA512 5fe551125730644471cfdbdb3a77179ed31e5a2c0f9df86939e2feb61ce46c74ef31fe1ce6bfff6ebe4e7518f506898eef108d8afc94456a85b03bdc599aa604

C:\Users\Admin\AppData\Local\Temp\sCQIsckk.bat

MD5 ba0d0d793d5ec6b7457dfbe6ba6dc8f9
SHA1 8ba61699787037ed00bf297dab360e0f787dd04f
SHA256 231b801495c03f92dd26b43c48caada251a4dbebd12947ca89379887d29282c3
SHA512 7d283da2527297554efcc398dd3e09af6d0ddb348acbd8ab0d4f831713dc0d1a5e2d1f6b28c7ef21a36bb3e5b2d20092ec7c4f8f03fcdd4a06ce76ea7629740a

C:\Users\Admin\AppData\Local\Temp\auEIQwEY.bat

MD5 4b756481033c98b3ec41a10aa436dbc1
SHA1 6826e6248686a3ec9513670bf3b162c79c2099de
SHA256 4731ac5897c559db6d9062894a6f6b9443a25065f1eed4530a1fea204eba36cf
SHA512 aef936642203c2bd2b53954f9c8106e23d581e8205bf42ecaafcd3aa299fbba8568d00752cdf3cf90ea87e02f1792c18abac394a72d6150e6bcf1b39b2682752

C:\Users\Admin\AppData\Local\Temp\SGswQkwk.bat

MD5 e7a1211f47c355c26b82534fc0225ee3
SHA1 3b1c1d8b5cbb31aa60d1c3b69c37960e8d772954
SHA256 a20e2944698c50c8f6d827e20337d142c447b43877e3ddf8c133421b9e5860ca
SHA512 24bf8f747d70db052de52820f36e2df301d8c847ee5a4bdf27591f01090fe01d7fa62eff0ec8c63bf362d1026d02ac11975af733957d37f422d7a14c70699d67

C:\Users\Admin\AppData\Local\Temp\bqIIcYME.bat

MD5 fbab88a1388cc76eca4068dea3661e46
SHA1 4c69036fcdc66becabf590f506d549208bc62abf
SHA256 a0861dd000fd8cf60823f6b617095ad3232c05d082994cc94f02f613b2e82a47
SHA512 5450db55c527ed06d614329b404fe8543387cdd35c46e4235ec4b67e49e11767b65f90251c49cd776e59bbe0894d1dd06bc8d80b2c43efa6c759e58e548e1427

C:\Users\Admin\AppData\Local\Temp\JAwIQkYI.bat

MD5 053f54a4b83c5aa80ebaabc9cb33660e
SHA1 b4d898ef76b5bec888f486ae1e7cdcf2b1062941
SHA256 197628fee1c2159b1ef8101a003b37d6fd3bfc8bff5b6a32806ddb6c66fb8e5f
SHA512 f24e448f2b9bf405bb35ba47da32cd5fd18b00d112e33e78e9bcb0d95920ca7f4bced61e0dcdd90615a7b5129d0edc413c90dd878d55f8073cb391fb8abe6b91

C:\Users\Admin\AppData\Local\Temp\PIkcYQgc.bat

MD5 959544fbddb776c52441d8c4c7c815e5
SHA1 d23e9bed1ac869395d40e812375cd29616cdc6f0
SHA256 a1a744319b96c764fa280b51d9925f32a3699f2bee7ed585fc7ab54927c17914
SHA512 32e92ebce2c9bc687c349c0a3484f94c3d13ffb53b31ef0468b7da3597cef8746f67eb717286f175b37126f00371f167bb199f944c7cffefd3f7f2d0128550aa

C:\Users\Admin\AppData\Local\Temp\rMMkgsco.bat

MD5 d7bd4875bc41e2bc26124cb3d510d348
SHA1 59e4a0ca0d2ffd61b177ed887867ebf8725c7e63
SHA256 dbec8d982f8992aa8e4e6cf00334b473559da2648fd92af9a6516992f31d0ad1
SHA512 724e3fc0925d236c2024bac9639cbbb026dd9a5d5778b9c0614ee84e2a404595524fc7a972c6dea3320f2d2363198246222e86ea952dc2247d16a2ac6dc136c4

C:\Users\Admin\AppData\Local\Temp\CSIswcgU.bat

MD5 3493bdc4e053621842e65489115b5dd8
SHA1 0ddd10a024e3974bfdfb6edc8aa33fe092c3fb82
SHA256 f5d99cb40062afbbd94ecca374fc0f93b4876a901eec13581c3a8ffffa241bd8
SHA512 1b77b1679e3b6a3bf88ee116e3e46be8e795728b76e710a1b61754e1e48a036ddf2f47020672b34991a7d877689f6fdaa026de2fe379f9c1a47a9271a6d3a736

C:\Users\Admin\AppData\Local\Temp\yQMsIEwc.bat

MD5 690bb2591c282b09b3115c79c3710cbc
SHA1 ceb89b012379284d10a89c44071547e21a68f535
SHA256 980c6ce02dafef93381523599ee36496dd35207f73a7d73a0d0beff2378174a9
SHA512 0f66dd40e41d642d4fa29aa91e5b3fbd3b9bb2702de5fc7722b5ff6eb7eacbd74f3b88b66c77019cace68c0bf508d61af126e01974144d818dd7b3e87134cc0d

C:\Users\Admin\AppData\Local\Temp\MMQcggAk.bat

MD5 5b635c5048d41b7e97527d7aa2d6ae2a
SHA1 c5b06506022a8f880ff22219f20658fd76855b2a
SHA256 9450a7cb8ff54774a4fcd3f1a28c8c919ed0333e111aa54de665f8da26a8b6ce
SHA512 d45a0bf2129b6e38b2fe7b3332ed833193c0566ec4aceab2f3c34591a56703f308ee009af5c655d55fb8a355398fe82d0197ac926f8b0f86764098e13cdedc3a

C:\Users\Admin\AppData\Local\Temp\eGwcYUcI.bat

MD5 eaff7ac2c2ad9022454935e94ee1998c
SHA1 10ebbc4385c8f2b9d3f41ece3c50dff09b1d8b36
SHA256 4f87d985576828194bfdb45fe8d288da066072475c1d7c956cd150616f9f220a
SHA512 f7e4f71318786295789dd912308345b71beee5d472b304beaea85b09582e5a436e7ff51535aa6e5e391a8f4988bec8169d25f881f0cc128dd60a31d5646fd3b6

C:\Users\Admin\AppData\Local\Temp\WIIq.exe

MD5 504a3a20157349e65d8850db5c923485
SHA1 90016e63ca5a9e761d5a196a670422fbeede9841
SHA256 08283a3358e9f92162b862865c4d808edd929a5cab505ef5813b8d11164f9fd7
SHA512 8523babcb1a4fb1ea6862591364fd3846564712589b3b63b3610801f9a8a086f9641445bd55f1dac2a510a54c95ee073e96ff8abac67d866ec58e214655247c5

C:\Users\Admin\AppData\Local\Temp\Mosu.exe

MD5 be17004a336805ca87154f95035e940e
SHA1 d149ed2f04111f1407edb910ea8fc28e1928abca
SHA256 25e0aa59c6991b47e9748ef64d6bf3f9d30bf23cef9405b78428543b11dc783a
SHA512 fed90fc90fade6df27e3f8c1a6e634bff4965548d2e828774aa602f18b5429dda3f009e335bc98d4dd13c9beaa806208db646dd0e6c52b743a407593e5d40de7

C:\Users\Admin\AppData\Local\Temp\wgca.exe

MD5 c68ce669c280fdf7f9460513bb1db900
SHA1 ccce0745c4b144fd16adc313659ced45def35e0c
SHA256 79fff99eb0d9eb8f12175808cb6b13ed8282e4a914e7cdff7f43ed7508a1a797
SHA512 ae7df2d8d2ac0fd6d8271b45b1135710498427caa653e1017fea1e2cc5c8cc301411d382fb5f8c48a4cc3a5d900431c41324c4ba96e56666fea9680532011585

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 60411e2349cd2a73fbb8d24544647455
SHA1 76d5e4defce0d40189a6c5e9ff5569b55c9651f0
SHA256 4dd45bfd4f21614e91de64afb653762c740d9bf2a5b3bd2e0d2b3323f1eeb8ea
SHA512 2bd8d6c7a31468e2790fd8fad202330832e7a5f3d049a1eba1a65af01a63fa21eaf195043c6b2fe37eca5cf36920ecc1c072b8b67b8761d0d6522091be29dbee

C:\Users\Admin\AppData\Local\Temp\msEk.exe

MD5 ff1c32572c8ee148e0710b2bc7f22177
SHA1 f81aa77dfbcd4ad256f3a9f1fce32a3cbff5f367
SHA256 f1fc26c499da8229975dadea8620afa580a92d7aa5557bd050e9b741c961dc38
SHA512 ceb562515adfc7101afd5d8843494e70ceefada5172beba0d82a271697603da918ce56878adca813a75db439b9381ed94fa923bd4173e70eebbe884ae8cf0d67

C:\Users\Admin\AppData\Local\Temp\mcgo.exe

MD5 feb9e425172344fb107cbfcb15d87522
SHA1 fd30c8d51d82c497d2a1ba5b2dbba561d848c930
SHA256 ca0806f963a6610a73a2aaaeeb01225a9350ca52fbd99df6b4041d6d476184c6
SHA512 b6e4ce56e0569cea618a989aba9c09f53bf77866778fa736db0ee63e70cc77c5d771e2f210e7dc90319c08e5d83b3a24977826531121c50fc4ea353db3ecbd7f

C:\Users\Admin\AppData\Local\Temp\OsgkcgcU.bat

MD5 3231177b0fcb5d0df10b5d716302d1b4
SHA1 6b8887093d6a8ab7e5ab58e96f5eaef686c52732
SHA256 fb1da1efcb0daf1cc249770bc8f74dc7ff33cc75235d0c8869d477f703ab3d7b
SHA512 ab46447298e19bd91dfbfc81f99dcba18a280a1759e976eb7a59bae3945b8bb20d584fafe1dc20a0075b90dfb7bfa768f4d5c50c9172b3e0bb7e38b83e9efb95

C:\Users\Admin\AppData\Local\Temp\gsYW.exe

MD5 21023099472b9194e396ab9c26833305
SHA1 9e93b0d392e1e7458d3bc22430599de549367fc5
SHA256 916e26d8274accbf1fe47ca68e43a2129e983009977ccecdfc16f833081c4a40
SHA512 512f8bad0f4dad2599eb791be89b8eceb185cd264733e389dc550b0f1dcc325fb0bf14279813bc1fa17e1868cd0edacb106d8d6af6994cae3ed86bb66f4a98a1

C:\Users\Admin\AppData\Local\Temp\YEIc.exe

MD5 291ecf7753c320184d88e35e3011b2cb
SHA1 713cbe523e5cbf7bc22278beb22116baa0386a62
SHA256 b21762a5bc7bdd731b29d87b29b0aac4688aea7d13a863e3a9289a7552a7f3dc
SHA512 b9485dbcf328cbaaf48d7fd6eca2180745893b71d324695fa4820fd1d636e6a22a373e9ac05e1781750453a5795e6dd29c92166c6c24e232aafea0acc8584917

C:\Users\Admin\AppData\Local\Temp\YcYu.exe

MD5 550a7593e8739a447a2d6df89fd9ec78
SHA1 180a6b4bfa8d1941949b73675f2dee2b78a60aac
SHA256 78ed2362d631fb0c67820c000ca26e869b07cf4742f007f7759e75376ac37896
SHA512 1934c6dd540593f188ef92a5b352c14a3a4ce7f854e48351c580cdc524883f7143eef57700d94f246e15f83cc7f080fcc20be17dd8002db6d338672926f6367a

C:\Users\Admin\AppData\Local\Temp\qgcS.exe

MD5 d194d46b1bb82f6f95d6e95529377ba0
SHA1 d7b99b8c853b266b264c648eaaa92905e3b82d77
SHA256 793ee810c7235f59ba25766248bd447764c3372b52e4d6c29ecff9c99ae9161f
SHA512 1d5cee0c08960b195e1b9190090df49300c403904b96830cb91dd06c5e15648580bf1f44068c6327434e62ec55347875e8da6ce9ffbb49a20bf9dfc16c37b33a

C:\Users\Admin\AppData\Local\Temp\OwMC.exe

MD5 4a4f9f1f163e98ba0b1c71d06ae708ce
SHA1 0b50f6785f9f34ceb44b48df806f1cdf62dd1bdf
SHA256 aa586cdb48c71b92c0091ff679b7bf026af3f7eb13afa38a1c422048e27bac79
SHA512 53f8183e8875c33ee06b7f41b73db3c85f0cbc0da99d600b12b76b070c1e26fe1957b80237f5111c4106dbb1cdd68df19c49b27c05012c7ec8d4c4e62a09f0cf

C:\Users\Admin\AppData\Local\Temp\NMsoksAI.bat

MD5 8cc29d2cd98208d228c3ab5257e337b4
SHA1 864638689a7d1ed669bcb4db24daeb6e524a57fc
SHA256 70de1dae335f5e85e630c67e615068647830cf811dfefff24b3805c05e83d5da
SHA512 34fc08a3d0c2b28b55d02969f0abc70d365de685a140b6c7e054e59cc7052d8e1fd398590ece40ae28d03fcf2ed95d9532fcc52060e990378f38fbfc1d24e0e8

C:\Users\Admin\AppData\Local\Temp\EcIY.exe

MD5 256c6243253694401c1acb8b3cae6ad4
SHA1 ee60b4f89352c63f38fc9ff8c82be0dbefccdec2
SHA256 fe46d7b27bfdd202885e3c327d5b82b28ea50e3b726383da99b8ca058159826f
SHA512 6c5302544477ee54ae7a2ab40e08a5b206c94750f4ff810311fb1db28271195244c676a8967ec2413e8872efa864657607fcce172f4ca5e62f21a55ad2add4a6

C:\Users\Admin\AppData\Local\Temp\CkUE.exe

MD5 fe6094473373f1b8d4a086ebf651858a
SHA1 094fbbb74fbbd0d98ab83f847e6a316dbad6b8c4
SHA256 1826bfba22e66cf1ffb4809fbea7cb474d9757245d809be5e6fc65e103c7ac4e
SHA512 75663f26a7b46278893ac1eb1aedc76d34891eadaca8228baf3c5fac77ae78d0dc805fa97b4e9f2f7ffd3a9697f762fcff0220201e6f169602029bea962ff216

C:\Users\Admin\AppData\Local\Temp\AMoU.exe

MD5 fa428667c3138f77a6e3ffe21c4d2900
SHA1 0aca5e7fc953f43f40dad9bda99cd5d8560d2863
SHA256 d62449ecb6fb7ee046b67fba00edfae2c47e52cd48087a5222196f72064dd92e
SHA512 d83b87735e6fcc13ab9434ff60c9127e1b4b5a11a2aae400c7bd871dc08363322a6eabaad4f22b7d52122b2b45dcecd5996b99a7c43370fddd308a098f22bca8

C:\Users\Admin\AppData\Local\Temp\BGkQcIYQ.bat

MD5 61dfda5dc4d966beadb159fa34a4178f
SHA1 600dadb0e8ede528c9492fcaf360d8c3f037d605
SHA256 05b67c8bfdb05053e7b78028f71d45bbf8a8660cdf845eca4b6db1c9132b9d30
SHA512 b086d9bb1598b4dbd96caa08ea3c90f97fa9487c1894b5f486eb386f09419e568fd73e22c9d3d604d8c363ee2fddb9a11d59c6ba65042091bec7ee546ff8de0d

C:\Users\Admin\AppData\Local\Temp\mUYK.exe

MD5 ad5f28ff54d657c491c5ec87b4e78722
SHA1 b97f084b4dd3d44371b8a7f68d6c7f6772c04eb3
SHA256 a2dd77246eccd8f3ece033b7c589017bca93ed058afddb5e99a4af7352b26530
SHA512 dc10005547b44c7d7fb0fc87c92fe6dc1057fc817deadad51aabee52c2e230730d3d51ed405fb582096b965bee53eb05903785b1f6dab785dc04f09afc45ae35

C:\Users\Admin\AppData\Local\Temp\kQws.exe

MD5 f3a9a5b85eca45e4584d2738b13d4ab3
SHA1 83ea1b0a0b9d78dcad2b528b32af5160acf33037
SHA256 457d7501958c4cd5682e1cf4da7d83ebfb0c9d15ee3accf6b9330adaa96e6578
SHA512 11900a89c019a094fd4d892139e0b9f1acbbb9a6bebdb31f8a7ce060de91ba2c5447e1029a580741756e3cd884488b5dcb0f80bcbb36964ee0465c6faed5a186

C:\Users\Admin\AppData\Local\Temp\lSoUMUYQ.bat

MD5 f74da991463948da3a673b953a672367
SHA1 8e2cc83fee7f9b799ecc207e867a84a12be52236
SHA256 0cf1f75b1535f7b7dd023f4604b1c0da69a989900e5b56d8fc6e7dfdff9e9dd8
SHA512 c3e5a5d6116913299b7294964ffe2c22b4779aaadd27856f0003c2a15f707df2b6c82e064765e43242f553778aadaeb0870089848de77aad1aa7b4fcae760ece

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

MD5 2c6b3f169c0419da973f1ec350455a06
SHA1 c78df0724af7423433c1f54d72eed2adb958c6da
SHA256 12d6fa005e6b117c08a2f8cfa0bd9b3cb6babd6f1e9da76dbc0fc067eb8352c3
SHA512 2f348271a30dc1d80e37b6df8502b4c56ad1a232d3c47fe1ba6666f8bd13850edd92a6d76f0e2ee5463c550bd3826a46ea695a9e443480a5e6910e2f8dd99dbf

C:\Users\Admin\AppData\Local\Temp\YwEw.exe

MD5 8554ef23aba49f6e1ff0174f02eeea57
SHA1 3782dff97f157660a48eebf9b61219ebc9ef9cbd
SHA256 b737e3b4dfe002c5e765c3cb0240b7c5ef2373a8104affd59ac57fab38610153
SHA512 afc025008c02dec5dfe27b1fde7eb52569bd071484e1cbb3a47cfeed133ee55101a6d5ab947a71541d1a1cbd1c86611baaabd81539388d06608ed66d8602b2f8

C:\Users\Admin\AppData\Local\Temp\CMYw.exe

MD5 5d7418cf6af68f10dd308580eb0aafd1
SHA1 bb75ebbe1945bf3d02b70ba60e3b3939e85d8039
SHA256 97bd29a259c02a414b95f9627b37ec1151d1ddf84bb937926848b2ba85f1fa36
SHA512 5fcb9d0b665672023123f51c8fe630fe034219574ea789b8eb8eecf8494ce2567a5a977331a0f82e1afe1b92c3d39ee90331f40556d5abf90f8270673f2dbd8c

C:\Users\Admin\AppData\Local\Temp\Ssky.exe

MD5 9a5bfd35e6bada76cd65f23bdfa96ab5
SHA1 f4afccdf7eca4dc75a803f93b41262bddd540dc4
SHA256 9b416356de76ce1ac715e8827b04803a0547abca9a72951c822ba04b627a685d
SHA512 62ad53e589cabfcf66a0883e39454df38c5f20bb0ea67ecc0adf63999fdbc498b8b81c12f5ef70c8de53e1c911b5dfdd2f7b9c50dff613f20f8f118f96da648f

C:\Users\Admin\AppData\Local\Temp\osAc.exe

MD5 31dd7c5bab3724cb27102616b519bff2
SHA1 17bf639b57fa7518e3f5b49de9f74ea3b807c9ef
SHA256 fbbd64506f0814b3043e49c4b9b8858da2ddf82a4d45db54dde849d793d87520
SHA512 ded9af4d3f8d623f766feada4fdd3b76a30914b73d344d2ccbdc7efa8a4c2a69fb57795d02a75a0ad186545569736692edc6e9c5d1422db557eb868fa4798694

C:\Users\Admin\AppData\Local\Temp\eoEc.exe

MD5 254f121c8e1f15660377d810168a21af
SHA1 648b38ac95392a5c7bf833256d6d2accdc52d99a
SHA256 037f69ddc4d44ab5a57d45aa873bdcc9a17f35ca46f6797f0b25a89ed77b3b06
SHA512 b2fa0df5d7b607761d408c4b6399d1cfd6e4a149525ef9afbc8a6b4796c145dea45dfea6abb5c27d44b44105cdc771c55f172a034682a3dd8b98e8da89481a64

C:\Users\Admin\AppData\Local\Temp\OMYi.exe

MD5 f1b3360e9e1ab174068dec0bd68059a0
SHA1 190fb1a885ec97992bbe8f189c0398e23c0e7ff6
SHA256 49e662774dbee15fe9665d2bbca1da9256848e5204317b6f2f4e8b7156c633e2
SHA512 52a23371626d4d3dafc511b232f7e0957a002f42418b34f229e6158f19b39b0e373a9f2529f9f2cf6a70561b7e08333a54dc3fd4c81d648b375a4b26328837e8

C:\Users\Admin\AppData\Local\Temp\MuEsgcMU.bat

MD5 450d860c48a31c530a40ecc379596a5d
SHA1 b5afbd8393f4d1c992f690a5250bf7dc8daf9e81
SHA256 15a64786c98294598394fb2122392c1e3a9a0ec31447a04119d5656911b037ed
SHA512 6f5723854e673a209157bf63554037e77dd3c65c4be61b9c947a3d16a243dce6d333cb3fae9293bf7f683175c853624c3a86cc5544a9c0370f4908a9fdbf7f10

C:\Users\Admin\AppData\Local\Temp\Usck.exe

MD5 57af023e259c4dbf9df3684ab1cb42d9
SHA1 2c902cbc11f1b4fe790b6f9462bb2268fb0410d7
SHA256 ccbb54827f3fe2a79cc75b8d546a4902478afe4e3549c37aceb14a732d8b7c91
SHA512 6a0a4a75b504f10c070ae95876efaeaa7c6287bfc9c81c794809769995cdaf3ab8f939b2d42446d1a17d3c919db2820a1b11211e4b6ef07460a9d1151ab84dd5

C:\Users\Admin\AppData\Local\Temp\AKMckYYU.bat

MD5 c619aee2339c59d0e6e364becad62750
SHA1 e358575e9de48e07d0e5c0eb11ece1e691ec807c
SHA256 47156cae92a08ea8c000849b2a63930097b942c0a3e206943aa215be14e7a9b1
SHA512 0828d905aeba0519a4e3eda7dcfc3d2cb991b4023809f1e0140ee96b80f5b62ec4dd8833a4a127692a6bfea2bab89c86b250c23a61528672f91874bb431480a8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 f614c4ddbf5622697bf126d9f0c75661
SHA1 6e05d49b1aa3e06f24767a99f4c2d32757eec952
SHA256 286c7767419e37c87e9ab4fa593da84906dc912667451f3584420a5fd938da53
SHA512 4a680ffa6b36acddd99a5481c478c1593d606a3522f9e84cce6b6323993cdaf7a0666532c544f4b9111a2bf780215b5d7df16f91c3f7df0566b4e700687b7d9a

C:\Users\Admin\AppData\Local\Temp\kAcU.exe

MD5 6d033a7352eac5647ff0191d20577bb1
SHA1 93cb3b453b63b08864fc57739965c098c124c077
SHA256 08e53519bece24f26cd6dd7152efb05559a281f628444bf3525c56318d915d6a
SHA512 0fa24b8ac9195ef702773a6bfa103e27764907d1f27d4ed413f23261f3e757e459411cec8706ff32225df375ceddd392f7b42fc5d3d4ffb425654d944e8e3aa0

C:\Users\Admin\AppData\Local\Temp\KEQg.exe

MD5 4d5ec7e68c0d2942364376ef92523d6d
SHA1 3bb0ef3ed16638b16fda9a7857d1d00ebf07a9e2
SHA256 4ef1a3e1fb9d956d954aca159da0a61a52e1310b51b9e6d951c420b302ca4358
SHA512 1ca81fa5c13be5da00e7e49c006bb0c67c29be05af6668eb2c7efcce681c585b098b064cbfa29748760c59d73e4894e7a6d1a1bf549390dfaf3a1a6ecb84ba6b

C:\Users\Admin\AppData\Local\Temp\mekkAAIc.bat

MD5 976a1d1fc546dc5a4bfd3912062531a9
SHA1 3673dafe95b1015058bda96262066de4b35d2500
SHA256 451e62290f261045f40cd9e28aadac55b8cfef5a89fd26e2e842aeebfce2f87d
SHA512 2d8784155b45d7eb99a853ae78a54eb7f685a53049a96e826c6ee450c5daccfc2be823e7ff332ec7af6f6b1f5f37084ca12644dd42ef96ce6c4945ce66bc95e4

C:\Users\Admin\AppData\Local\Temp\uMws.exe

MD5 b62cf1a64fc6810a9a5438c08bf4fef0
SHA1 0299edd92454649b146cb210f761c04f9d3a5235
SHA256 d58f74711dab1d840adef49ffd8ccb398d8c52fcf6ec5236856e0dc303d3e848
SHA512 91d8b9e6464d0829bc971b59fb6e5fed79309c325f8143cf0ef031c32e713ac7d5d96f0bcb3a27d5ad57dfe23de1fcea12ec6ff85eb62460f682d8dfe664e01d

C:\Users\Admin\AppData\Local\Temp\agQw.exe

MD5 87266b68b01f2eb2e033894b56052546
SHA1 d4b8d4d485d0b4a4155db16df342148aa4a866be
SHA256 2a55cdc84547b79ab0b58efac71f6a63a270907f8af966f64fffeadfda109540
SHA512 238d844d111137ca0b6f566629a7f304b34d68d9cdeb8908878e51e1e20a3622a5b30626f8f519b4617f9bb7de18d0ef1617dc51ccb6cee08b78bf13897f53a4

C:\Users\Admin\AppData\Local\Temp\MIMQ.exe

MD5 0109bbfc5c032e8f02f00926558124b4
SHA1 659f4e9e0ef7b1193fac9be6f5a2520f97111483
SHA256 c2b2bfb6c166a423850f1d65c9d1deb278b3011d92400b04b61330f035502b30
SHA512 72f68413882a3db73c4c311b914af975501411138334c0bd956950f72d4b0a1e9dac2c300fb414ac3fba4bdaa7fb296ee9e3953bdfcd30500b5853866dd79475

C:\Users\Admin\AppData\Local\Temp\KUki.exe

MD5 f739a344f7de7fed0b032b52fb4315f7
SHA1 8a2e588258e2b9361231cef34c7dc1eea8010979
SHA256 46d13b083c378d3bfc3cb73f21449510aa5ada9348a83ce6efba659d3284aa43
SHA512 c5536f5b9cbfc1faf2c858571b13b5e6d93b8dcf79e503c8436b68f490168a9bb04a8eb5678c1e1e2bad1fe3353725aa2ae1af1543cd2cb85691b329ce850327

C:\Users\Admin\Desktop\ExportRead.bmp.exe

MD5 b90a763a2cafc8cd6b5bac967c7b9c41
SHA1 8cad4cb8818634817c06fdd8947443c375bc3eae
SHA256 67f7cee7e5892763ab69b8b97d62a88058cdfb93da3ddb138c2855784f5876db
SHA512 a7ccf7dac8f0c6e7a31cd9f64a9296d7f6bb0c91b0a0aa501da6fa374dc54686628e03e78fd83859b858c00c99455d2cf88b7ce7a016ec6bdaa12582c1e6bc20

C:\Users\Admin\AppData\Local\Temp\YEEO.exe

MD5 4769a63dea5171c55ea1e552b2b70ce1
SHA1 cba35f0ddefbc2242e90b2d24bb2d585451ebd0e
SHA256 c355841decaf8b9600531fab6c834b3a89d0ebb2299c5defaad586df5cb38075
SHA512 39cd38a5cd01c96bcbe7ee9e24f106dd6d81079b9731d1100fb7d829874512c1c68594aa7c22a2633ede77f190862dc7b6ae37a1382ab493b6fd47a3dcfec001

C:\Users\Admin\AppData\Local\Temp\WKUgAIsE.bat

MD5 1851a63908468a0e71300e31fdb38486
SHA1 1e2d8be61d1a8d0561a5d2e50822de1dd89ab7e1
SHA256 48f07c148734f3eb52467a53e0c617129767929a0d3d4b171050d02f93adb0ec
SHA512 bd48a52ff4b5f8cc1eb6fbb01f49fc040a04bb833afed7a9790e73c49d24fac7346a3338e860f160202be79acb50df5fdb47bf6e904a9af9ab1f2caba2ccacce

C:\Users\Admin\AppData\Local\Temp\wIMm.exe

MD5 543ca03883e2966f20d2d0c511f1a730
SHA1 10f013c766eb4491bbb5a70d68b70b38c156ddef
SHA256 013b477eb45a77a983a103a20e5f574360550a2cfe9b9a5c27594557c94623e0
SHA512 3650030733422644335bcdd2309f1222a3b5eb8101f5bc7d77364d86582eb813c6f5d4245907526c7e58592a625e3befbd77256b5f31949d89660b5b928d8eec

C:\Users\Admin\AppData\Local\Temp\esEy.exe

MD5 da0f673910b23425c0c1f4e687495f21
SHA1 0ec0bda497b8c49fd4996ed50c35aa433451b256
SHA256 038ca6f90f39d51fc1eafea871bdcfdf3c5cc0b6259c8ae2c0c3e358ba532654
SHA512 a2f71581dbe15b4a298edb838be5e03fad014be0f0d1da0b417de0a50d32d3191d7dc57e975b734cce261ef5fb37c5c7856d3d912238e734acf31b613eb6a3d0

C:\Users\Admin\Documents\UnpublishAdd.xls.exe

MD5 e00edbe7c2ac7f914cc6076a4797b29a
SHA1 b985fd7a8783d3358e89b926aad3e0e1ecf3ce5d
SHA256 891abff1988566e2bd6e3784da26bc1876fde9bc72fa8bb2ae97ea68b31d56d7
SHA512 16610e69a1de7e990f4b9747ddde99d1bd0db53450eb0e2673c998129253563f0b853175661333bc6ed07f4e286c980f08ca10cd57a37d84578b702bf4feb40a

C:\Users\Admin\AppData\Local\Temp\IsYS.exe

MD5 0d744f0b7461f09000d59afc7538aad4
SHA1 bb94eeead3510dc26aa99275280fde3fb724ba20
SHA256 1602eea668ef4b62a0344a508a1ca457305dd9dd632b8178bb09f2344b1e470c
SHA512 e7db7c7f46d38d66d94439a13eceb9118e0d9a77e77674baed3017bc8ab75063e7def6866c82067129e0988cd0a1f850d384deb8c5f9b67a4e0f5cb86f52f6db

C:\Users\Admin\AppData\Local\Temp\MYIW.exe

MD5 529c0658e8f71514beb6ab01e1c104e2
SHA1 9313ebd5f5ba6515d8da4a705ae58fceab774316
SHA256 ec20ac6fb393d05a204b9cc06cd4f5b8c748635f93608cf8189be78bbf387994
SHA512 84f468836893a335c08d5dfb9ed4e0b9753c5f0e1421ad05379fad6b23c643e8d45511bdb846c240f14d1cb346469d12cbdf8badf98f8499df717639fc91f975

C:\Users\Admin\AppData\Local\Temp\ggkQ.ico

MD5 68eff758b02205fd81fa05edd176d441
SHA1 f17593c1cdd859301cea25274ebf8e97adf310e2
SHA256 37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5
SHA512 d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a

C:\Users\Admin\AppData\Local\Temp\Ccom.exe

MD5 b1c478820c09949c0b7fac6844172ea8
SHA1 b2df666431764fbbd751ad4f4f72bcd7b3198bcf
SHA256 177107898e64cd605c02d72493f0d074655c189b43fa872f3baafbb51e061de2
SHA512 2d8671ee6f5190398dd208678c62037daedd0c71ae94dfb91f08d7d66288ef63db6cf4e9fce1bf74b63bf830c5593ce9318a657860639a9bd59751e98356f530

C:\Users\Admin\AppData\Local\Temp\QsoM.exe

MD5 452fce269b34a2958583b728dd05050d
SHA1 2c3603d6c9579f0f6aaaf6af78b8890ef1ca6850
SHA256 04cfbf9451f715c09328e48a0d6f5625d87e54ef5d5aa0eea32bb2ee12808e81
SHA512 fba262027dc5356d5b1d9126790a6fa187df81cf049965f89e310ae9ffa97c28f604b15b5e833e201aa95db7994d19b71cf1f6b0dff3a0ce2ecc580ef51be99a

C:\Users\Admin\AppData\Local\Temp\kYwk.exe

MD5 d6990e7089e673ef9b0f66164668d9a3
SHA1 e340ad45554b6cd07295fc0e6868c2fa795ce082
SHA256 f011de84e95bd80cfc4a244afe738d28d02c6010e9f71150061c1eb63bb0749d
SHA512 f95fa7dc6d749f3ce2b6faa60adaaae22142b3fd05fb1bb2790c626c753b751022a429d75dd375770565ca782e67846e7766fb6b1075d0956d3a1143ed6da6e9

C:\Users\Admin\AppData\Local\Temp\DgMcwUgg.bat

MD5 ac8bab754c25b8fb7d54a94172d866b0
SHA1 2a1efaff00dd8210d1c1e4a649d9d0874774f139
SHA256 73e8a0ada99e4c212ba491cd7dcc5e21c34b1b96792091fedb5416e12413ba4b
SHA512 a0b94b34d85f365b46b4c804480aedd131001a22888ba222c7078c758315c2568fcbcb8fbe483c1c5277f28ab68dba9d457edced74001d69966c956825157679

C:\Users\Admin\AppData\Local\Temp\WAoS.exe

MD5 acd67e006d2ad23eda101d82773e41f6
SHA1 5911f95d1e7d7569457df74d9e121b965f964abf
SHA256 c4dcc056d71060d439100938d08261f88879f7d752403a95c11bb9b18a65da88
SHA512 8553332d4bcb650fc5eeef788d1c00ed4717972ee27800f3febc337ad2a2c96aafc0f943d115635a90ccecf530f208db33534c1214317f6b9f6a7f8b20907f22

C:\Users\Admin\AppData\Local\Temp\uogc.exe

MD5 6b5705aa4ced1a2f81e8a2172b41c20c
SHA1 8484950b61f9400035ceab79cd20c125aeb95112
SHA256 cc9f8fef228fdc26e531224bda8c470630b7d169ee529b826f11ed792f330afb
SHA512 ce6e1a99bf64df90ca751aea57e5e1401c1741dffd668bb4162adfbf0dfd8809dab3cb237328715a7aa79ead2527576ce8ea6ed72dc340cedb115470da433a87

C:\Users\Admin\AppData\Local\Temp\kQIG.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\qEow.exe

MD5 285a0bd4bd1d36f848bbd454e77d24f7
SHA1 19115df1aca0f2ec130658fc141e09eea996b60a
SHA256 17008b1a38a06523b1ee5249e4bb51e431c94058a802c0c5aa3c141a8505d3d7
SHA512 3841c3bd96a52e8d0d7f338cf8893093c988f0e3107e0207d64c865117dc26815ed9974fbf25f9f28763608c88b4f57094991250d2f1dc6dc1d421e450ef014e

C:\Users\Admin\AppData\Local\Temp\yUEU.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\qMow.exe

MD5 26241b8117abb832036388ea9d4de887
SHA1 7469c952b083e3ad733f04b3c4b341e2e1668383
SHA256 591ea4e4a5d000e5165ee5a28012a6ec6cf2d92f0058e5c03980215c3a5b8243
SHA512 177cc014f28f59b196737f0080bc4f216c0ae285603d03fdb1874715ce602b3c133f1034e5460f2b7dacc9ad05a37c18454674aa51418a1d0153a5d2aeeacc26

C:\Users\Admin\AppData\Local\Temp\dUwEAMkI.bat

MD5 8f54806ffa3d1a775682944db17da974
SHA1 6bb68113617764b750816dc34f887f807b69c693
SHA256 af77029233f3dfd1bf83b9b21e8c613291628fde853163b7fa9b7978693569fe
SHA512 baa2346f36fac8723c7b0471785a8b4c69c8b1df5376d1a62ca8860d8ec41f94febbd233533cfcf521510948fe1068e0018ea62c13cd1c6fb268852b7e032ffe

C:\Users\Admin\AppData\Local\Temp\SkUs.exe

MD5 6e2c8e7dc8943b26ac2dcd59375cb6c0
SHA1 be4a2cd7101007e7b6bc7ac935dc590219d2e435
SHA256 867c2679dcfb2ba40dabf2d71d7def5382243a09fcadb7eb0fc91b7287cad3b9
SHA512 c04d569a4d790a48f9f491db4cd64d11a4dd13aabbf0e193da22f75acf5fff1b783d92007c84bb2e93ccc5cf31ac44c712f243425f4f4c281fceddd3ab6c1083

C:\Users\Admin\AppData\Local\Temp\ugYo.exe

MD5 3077da3bae8d0d5343f029cabf158c2c
SHA1 dcc774aa90f982b2cf5c3cf9e8f4cfda27cf3830
SHA256 1a13c928ee6d9cc64027ebc29160a0a3c9f705017e8d9bca403c86151d066dc7
SHA512 c2071b404c66fccdaa18028ff8327d2bb1aa2654b27b3d7fadf0107e3d278659297f4c3e977952a456c6040d1d32f620df33422335636fa1c4dc718e3514d412

C:\Users\Admin\AppData\Local\Temp\gswE.exe

MD5 0cdaecf80b21a3afafe6a998bb1f4713
SHA1 8d9d07cfd0ef67f0470e59a73b7abb4f8d5f9abd
SHA256 a94be7f4712cc46ec3a17f52f7e4f05a4bbe88eafe7390a023e93fa2cdd6bcc2
SHA512 f65f66eb32a5bd8216441c019558a0e3bfd56e15821514de37b67592ae58334c044c8543bfc73395246917b16bc249832082b9d265262c4e5e2f36d106e880af

C:\Users\Admin\AppData\Local\Temp\aAcS.exe

MD5 5fa770016cddd0d67cef27b0d50b2b0f
SHA1 b204d1d800b87bf249018972ef887e71fb5ad190
SHA256 f1574fd35495ccb311a6559ced8d844e7bd11fea56b56c6bf7d4b09df2de3864
SHA512 471adccd59e9e35ef4df2192bc958eb998c90928d6390c0bef482b0c58a98348c12d66cde9fce9bf7f491c642bf69912e5d5cbc23f8fa7257959c0899d34bc71

C:\Users\Admin\AppData\Local\Temp\PaIYUAMo.bat

MD5 56e5075ae6fd1e642f41f40d1adde83c
SHA1 1ee48cd27cd0ad68ee07a6ebd0b4948631427df2
SHA256 bda62945a1f55264660fcb2613d53a5edca2eccf1377543fe3d8995db158be1f
SHA512 9baae62ec69c3e337626bc1a5a2f98f79d0c172d5228a019b15407c1fa810c1e6c290bb313a3777d38a790711c8faad39090383b62220245d6af6e5fb52454b0

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 bd2eb4bba392a439cf6f6c1d0ca2a36a
SHA1 af0d10cd547749b03ef722ff142be86a9bf13190
SHA256 96b113fe278c7d2656de072d58942df858bdae29d8fcc1ceddafb7eb961c02e3
SHA512 a850d5dab78f57404e0fd99a14b605adfb9841c36a942e44c64269e21cc798debf82eaac38693f9733930fe5172580a05916ab4dc21fe8b7a69545e3cf534bfe

C:\Users\Admin\AppData\Local\Temp\qcYc.exe

MD5 9ec5e31c2a3b5c4ad483feaf6254f1a9
SHA1 a9108af221eb7aa0c26c9b0083266b34e5f7fb82
SHA256 9873d6bf4e49d780dcd6aac91020f3711d0711e128cc5033ef824725cc162a86
SHA512 4dfb12bf8007f59e00230c07ecf8a05458114db8f16cfd30a281c131560c822a9ea84cfe7bf13bb1f74e35856a3be48a84b3b0bb5a695a0089315e003ea0559e

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 a67a2410b171ebf4627f0f47787e9056
SHA1 c77b26802e81f079172340fce745a29f4808396d
SHA256 e64ed9c295dd8e3ee34a8ea4e2f074e4799d9f4889abd20c016b68f14b3fbc51
SHA512 61ce1861671be0015ec55c22c2964834be9b77066d75c17559dee4f02d584a0bdc17d19c6517d40d7d44b76bc6aed8a0c6c779a8e74cb18b9fd5dcf63670fce0

C:\Users\Admin\AppData\Local\Temp\esMs.exe

MD5 213d6c8d310be742466b6e6a0fcabd7f
SHA1 ae3aed34aef34455c55856db172285392366e40b
SHA256 bdb7b8d6309936ee7cc802e015929c192233af80426669eb189fedcf40234755
SHA512 63bbc73e9f5bfc522606a7d3f157bbb80d4fd77ac95219a1d3fd80b5f1632986733f128ff3fea7f3d37773a1f7518b62a9df44b5dfdf9c2934a70809208cc63c

C:\Users\Admin\AppData\Local\Temp\WqsoQMEY.bat

MD5 dcab5ac7fa044b71b85a3afc434fc007
SHA1 2cb981035cc0b35e1926f172ef55f8844014cd21
SHA256 cc87d31ce439a0b717a2ed1e57240f769df801ee27bec3d4fccca410710f3e62
SHA512 32eac84176e59dc07bd0237b3d0b899b80a758ae8a4340653bcf564f167986b55791d2dc035750e255f15b75fab13725b5c48789c50c0e45d74efc1d6c0f46da

C:\Users\Admin\AppData\Local\Temp\gcYM.exe

MD5 b6b6dfd9ebaa69a31e06f55cdbc88c3f
SHA1 e9b2be4d47db32c4e04971bccec9b90bebcac519
SHA256 5f93e82e9fdf4ac00bc3d7ef028f94417859b76c66c72e7c03fa3c1ed97a5605
SHA512 03e4a23acdd79a1b4b1bc890e9f864651f3f5585ba987ac43da4cb54a115086cf895ea6c6a75697f3e27a809d89a4c7e4be0a7b1a4b3d1eb18b96e62e4a5e183

C:\Users\Admin\AppData\Local\Temp\usgu.exe

MD5 03a4e848fc9025ed5806180e0b360b9d
SHA1 754550be753f73c10bc08a5685b82043a0aa60be
SHA256 635d2f566efd341e8d0e80004047a31521501ad332c44757f8c144dfeb602b21
SHA512 450e6644dd3afb141985094fcf4cc543fffdd360fd60041811b725f93c8e75609d7c2aab3fcfe0a6bc92930bea113b4b39922bad0e83d91b8ef461d1f95d852a

C:\Users\Admin\AppData\Local\Temp\uoMm.exe

MD5 3184406dbeb153b79136ca54f318d9f6
SHA1 63b4b0ecd5236540c29ff938ac745d4a03983750
SHA256 20e881cd5760b50ab6f1c46209eeb85ade970762046ec9383135b2f6c1caf278
SHA512 882cec683bab8fda28a48190d9e4d208a06884f4798609d8f349760f92f9c57c31a7a3923e443524e939f8d1ccc17b4bacf971fdb56d0e90d286e1e059e28634

C:\Users\Admin\AppData\Local\Temp\YiwUUosI.bat

MD5 bd49f10100a1be85e876fe597c83ff9f
SHA1 8ff83faa29bcb02bcccef4c61f83243ae7ebb3a1
SHA256 facfc3a592f0825630431646770eb33d68eca176fc15da2a2bc0b5a4a47221e2
SHA512 8d1534974a118535f4a1973bd64dcc33bdf0760ee1ff0cf8fa6a07054a154bcce350c8ab107b7f3722d98b5ee8b4f28c2518a9c0916ae631787e185eb07ec4ee

C:\Users\Admin\AppData\Local\Temp\eYoy.exe

MD5 194d8c9bf702808ad218a181263a1cd2
SHA1 7519dcfc9630f29fef3717d74468a015aa8090b2
SHA256 159eb8682623d0333e4b0acc28d3c820f30f836cff62796496aa1dbed0a33743
SHA512 8630a7fe8ee6250b6535360fdec57b20587fb3b467b6b482f96e03f152f4f9a44761413e4fca62e70dc1e1a1f89c7edc4cce7c54b610ec1ffa5cd7717eedf82a

C:\Users\Admin\AppData\Local\Temp\AkwU.exe

MD5 5dace744f3a282301d727606ef60f8e1
SHA1 e376f217e7ee0f303639eb19fd45ded0e40b0d16
SHA256 74d62451137a23373c788eb1d6cd32a0ff361a06d6a6ec103ab3e8e40f205fcf
SHA512 44c514408ace1fed10ccc067113f4be548c44ab8d82ec7f04b93b0aa766f169573e2f3b6a9a01b61bd0df9d7d86e525df1bdb8ce8559d57cbb8c4f4e81d9b96d

C:\Users\Admin\AppData\Local\Temp\gIAg.exe

MD5 c28a697b1bef6c5047b03aa02e777723
SHA1 09cd4daf07bd5c31bd3a95138462e1465bf66967
SHA256 3a7578ae29a55c17bf6ac84f21c84dba2584f2a6732371a4ac81efda5747d4d6
SHA512 6de7e896c4280cfc93cc518adb3aae2c6c88cf5e3126a54425be68a22e9e0a58dbc9d956d36d2cd10f8d69b5fa2e0f31c768d9d3d1f3cf76f01e3a0d8c255b0e

C:\Users\Admin\AppData\Local\Temp\Mcsc.exe

MD5 b0ab5c878225537b97b56248ce1ed388
SHA1 afe81aefc2236f01adb949e6a0cf839bb5659402
SHA256 27b82be88347a5224a6bd69c16055a05578da9fa34d598c89babb9fead96168f
SHA512 23c7f41ead33b5619408d8ba827a9fccc6eb8c94dd8b26bc6d2b4fad6626b3118294d3c543ca74dced35a4a0de31299601464b0f6c29afa00aa2cbcf5eb7f19e

C:\Users\Admin\AppData\Local\Temp\mOkcAsIM.bat

MD5 bbf22ea5b1393296ddd6ba4fd9638628
SHA1 5c15ee295e817c0f1a9892458ec93149d6bd0cef
SHA256 5c5c87d58a66386a7ff543e965689eddca22c8093c916f96dec9b91d578c8eb4
SHA512 79e753418052b7c1ef1948986229442db6252ef469664534e40ff25e5e10211d19d79f10e055c4d71150d66c717e8f358288a87341c1c243f56b3e66d160e5c9

C:\Users\Admin\AppData\Local\Temp\IgkI.exe

MD5 2776f4260c2c543e94ef861a16334ff0
SHA1 2f99a5cdf3035b71e39540431f27767798d5fd69
SHA256 ad08e34e51e019dba4338345c9a453b7e8a44353af080ff6fe7481394d8ff1ba
SHA512 dbde8aeea23d8066c41629d658f19af28d05a0df5136b2a486f456bae9824832ad771d13b19b69d1cc5c8a1aa3732723ab72a98107be880c69d0bec298a13c73

C:\Users\Admin\AppData\Local\Temp\ocAS.exe

MD5 75d8edb24eab8d506d637438da650869
SHA1 c2fe2dbafd235daf0eaffd395f23a2721bd829b0
SHA256 25913667210c85167b2198c52695b8816bfe1bacafe55cd2789aca340af1bc34
SHA512 fb7f2add38ca6f580f388f988e0ae300ecd1cb56a09edfce3ff641dab7c6410997e5d7d9949ac4f22e491655d7f7b6d51b3966ab61e481ecab0cf61f9f7b993b

C:\Users\Admin\AppData\Local\Temp\Egsy.exe

MD5 d606f1f4ef64b08d64ed4b9a80123b08
SHA1 95286312f1df28f524b1f4d11f59b76bee65c3eb
SHA256 a619d816bbc39a5dd99dfd37a4cc489c7bfd85453cdd81f57610bb5a305868f3
SHA512 626623c3c1ea77f80822288e17cd183c781fe4816e3a21c5d5416fe705bbae9a70a9082f5a423a09a5e9d839bc72aa9002a5e319b59eb7b7e5b4b975c87492ea

C:\Users\Admin\AppData\Local\Temp\iMQUkMwo.bat

MD5 69c72db9c73baa4edad22e64ee756454
SHA1 33759de4391ea85bd1997b333738d6670b356031
SHA256 ab0b6e1da252fa19e8203c1160e4e9fbac96add273ace49cbdc0f152bb78dfbe
SHA512 a950c6f7e76ff4279939616351acc8d1823f86a059f5737c44e86fe238fb15670c1a9eef0c7fed6cf3de1db06812a22e754ed73c309bde592c4747e31940bae9

C:\Users\Admin\AppData\Local\Temp\MwMu.exe

MD5 e64a58ef49330d89c64eb3e789dd5024
SHA1 1b78ce51f8fa813cc85e821aa8f91245c920750f
SHA256 3618bbadfb5087f00d3ac46753a5872058eefafda85692c73af4a31a708ffcbc
SHA512 083fa58d005cc049adac52e2b88706c2aafd382607c11a457a094b02eef977560e3fd4edb5be6fef3f3347960505f12d519a0940d68d6d392f24c10eeb7a6187

C:\Users\Admin\AppData\Local\Temp\MkkS.exe

MD5 2ce99c01edc3aec23525567baca113d2
SHA1 f23fe16849ad8f3b4018daefbb2944fd417c1568
SHA256 3e21224866531a5e66cb093b0b4f1e6afe5f0a04aa71f6658d71960ea33659bf
SHA512 a8678fc15df41a987fbea527582758c93b379567245001f5057141c67fe50bf3628e5e39c2b378729775be69db8ee1f8902608ebe3ccffcbd500ad059e0a8159

C:\Users\Admin\AppData\Local\Temp\sMkc.exe

MD5 a46775af54da6bcb10430bf0924e9a5e
SHA1 455730b53e8605a6209cde6ad3decb4954e120ab
SHA256 4e8807ef62658308a65d4cebb11cd3cc708e61807f72e8c652a788e60cda9ed4
SHA512 4bd2b738958a7bc2427610eed80ae42e661ed031144c5971a719a358863b243806486633aeff2781609fa8d42451e6bbdd7f79ecfa21b9b5b2c625fc3a6f7e0b

C:\Users\Admin\AppData\Local\Temp\nSQosQkE.bat

MD5 ee3badda654cfef86c7a0e08b958a903
SHA1 8776503335aa38677766a79645cdfcb307aecdfb
SHA256 f79a949731193cb781204265b0f738a0cd52e165b0adeae422bd3d48a31af8d5
SHA512 cb49a68cbc5189b6959ba7bf4049cf4267a1e67cb12dcb0599b19f985c6d556d7fc793f1d562967730eb4d2c7d6faee320cfa83c733239301779260da3813fae

C:\Users\Admin\AppData\Local\Temp\yMwA.exe

MD5 e86be2c10a6b61d2844fa0e572c634f5
SHA1 723f0c02ad473e2d24bb799959848595d7771098
SHA256 79fd8c82c15c4baa06148681abd8977d0f3757b74c3c376fb387716714e3debd
SHA512 ba103c319302c0a9a3b8b6c68b6191a3a2de995418368231659ca330c624cb5346f4088f153b41cd7499a85f7d9f0cf68375cb96492170101af90632b6d1860c

C:\Users\Admin\AppData\Local\Temp\koQq.exe

MD5 9f3fdbcd0b448509a38603bf06cf158d
SHA1 de474527b9dffaa462138f1603a0a9d69d5b3eba
SHA256 3371a0df03583de7a0b1850bfd9cace0848d9afcb64cbf7b60b8a7447209526e
SHA512 a4ca3c1533d927cdeac0d743bd9b097970f5febea2af0a09e46c408949d318d6009e302c96f38c9bb669895f5ac6d339dc79638d37d1f7935613aa69a1a773d6

C:\Users\Admin\AppData\Local\Temp\EwUw.exe

MD5 768cf58f4f14d898a948094c68ba95cc
SHA1 9dd4962c7d684c73044ab9395e89784a89912778
SHA256 7306c3d62915869d3a3072f8dc341088e15d2113c1b71749ffff6331fe5b8f73
SHA512 245c1736c3cb640d6b03da446d385d70f376943dc2930b4e70ec0aa94325ae8c596b8576fb40968f64ae952ac67a47f4e2f37b46cd18a83ec98a1e3ba8d7ee21

C:\Users\Admin\AppData\Local\Temp\iwgM.exe

MD5 41a0e8469677922484d92e2765dd1c00
SHA1 bfb9e9a661819f49e31dec1a327fe2e3700e7eb5
SHA256 c083353f5729df0370633c617b8d98695406f25084fa40f98afe4f710336da5f
SHA512 9bc5a830bd6620ed3f84d074036e76afed6ce1255c713d83c84e2d56a78a0a328a1712e84cfcf27c5671ca3b27d1e19e7dc9093dc4504d07868cb6f8e8f29341

C:\Users\Admin\AppData\Local\Temp\lYgAQUIY.bat

MD5 fe861ba049069c5fa17f61166bc51aa7
SHA1 b4dc469071c5775d9cf3b8a9740dc62c77ec01d8
SHA256 35bd2291ac1740832c70f9ece9d7c489ef32872428ddc921400bf31d62a0005c
SHA512 9b8cf2b169b1520385658c3c30328a8b196ba93c9ec064e280b367ce17d8cbf845d15e5798e8e9b7a5420fef8a93c861ec52058b13592d2a167df8362c78a451

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 ce5fb6480939a2ca5988a0da3013d953
SHA1 e0f7245e5c9c314e6ccd68c0031254dd0c4efd9c
SHA256 9b2988caa0dcc65eeddb41435e960a73d7e4bae7ec7ec6d28ff76d9c1895399d
SHA512 3f7c84042ea6f79ef6f8bf62bbabbead6d249dc9f390fe7fe9b88c38e56f122616f2a3a5bfdcfcfa3b672d820a889014e688442a22bdd7512ca3c8cf0b3e198e

C:\Users\Admin\AppData\Local\Temp\iIwo.exe

MD5 07f39590df6c00577b5523e21ca7f199
SHA1 5b6e27ae0588b9dc80a7b22081d2f43fce8d9ac6
SHA256 3634c3f630ee0416211dc2d41e5c3b36ecfe45eb51fe2cd940c605facbe67a05
SHA512 951481ef73fee916e8a7f957e089c36941d9a5432070b9f488312fb30e1da46bf17932e82e0689fc8893aab798a6c129a3b034b2ce20862ed67fd6dafb4b81d2

C:\Users\Admin\AppData\Local\Temp\VAgoEMss.bat

MD5 489854ca8b53a2887a839b3ad862f502
SHA1 0d21eed1be5f3e3ee8b8242e82818a85ddb7b849
SHA256 8c59cd7f8508c3f08b21bc2ff549dd43a870b6b4146898333ce940c27e28f02f
SHA512 79a7e7fc617400e9601d4e596d6c75ca9b9a2ec2dce3b244b8573a96747f6f9e64e864e379363e3c5b5afd408cbc344fb5c736facd043af0cacf2194bbec4e7d

C:\Users\Admin\AppData\Local\Temp\QogG.exe

MD5 5144ce0de6f5f8639ca9c599ddd21620
SHA1 e542c6349edcfc7737658c0e5550dba1a155c127
SHA256 72b88513c2f5c4ae5e0ff1f1ed2f79355e2049d0dd420cdc239b1d53b45c83a6
SHA512 55ae089dd61b5c68dc1ff76a8f2fcf09b839943a2a58cff84686ba3339fc1aed3c6cd34e503d016af803ecddacfcbe1988359874c4198586c9351c7205f73a47

C:\Users\Admin\AppData\Local\Temp\IkoW.exe

MD5 4a8a14150fb011010632b648c8df2df2
SHA1 e1c6254968a20837376e523c3340348008ba4661
SHA256 9faa3a90cedb0e65e57c885adaaa8df9314c5e05add5d88fa5ebe2a1f48a1cda
SHA512 1d034b42c73c16c4d35a29a5f7e4527a41ae9f06d748351d4b5c007b538747ccd987cdbc54396ed528a661b13d6f00f46519fcd2a6b43c1843611dfcdc4aac64

C:\Users\Admin\AppData\Local\Temp\usoa.exe

MD5 8842e8b447b2480a10a53420ecdfdbda
SHA1 3f7c45216c55c346575f51c25769287a8404367d
SHA256 696f60f5e20f4b87f5f448db0b5d72f06d32ced7292dca4248e0cb6ca9d13eee
SHA512 1b596cfeaa412b0fddfaac93cb62bbf301314b414a6aec71122d8597845d9f352dd00c223c1b28f614fd7b4a99e09eb6c5810e9140657eb4685337645eda48fd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 5ae576f1530daa0395889dec2a21e16a
SHA1 5743fededb725b75a9e7e8e370515eb2e744ea28
SHA256 7f916a323bfd42e6d5fa84a51ba26902e29795315805bfeeee0f38d9a4ba07da
SHA512 93b9f5e6f1955dfd250e4ea204e12e927f6ef96f412f168567636bed870fe2e596befd8502094b6f5762db84dcf81552d12e7968a7c48d9c8d576edc3acd4223

C:\Users\Admin\AppData\Local\Temp\PIIkQYcQ.bat

MD5 92c0465a3ab2fea99920e1f938e2c2f3
SHA1 be52b0955b8cc237d87ee2ea94c35a2540034fb9
SHA256 6d73d9abdefad932141ca3ea71f63613729fbab4f7b35c5e65d5c1a7e7bb1632
SHA512 112532886078e521ccd83ba0c469d7cc50227705d0c7de9d7d87f47c5325e3e733a163763113f1a349019d768346cb049ab0cb861dbc57a057433dc7ecea007c

C:\Users\Admin\AppData\Local\Temp\CAwk.exe

MD5 4163e662bf1ddfa3589de824e01ad782
SHA1 62e6a19c9fc5cba2630deacf1a76994d8d509652
SHA256 755cfc4818f8112db3e9192fca55714a8606ca1aab3faf269e1dcfd4b751f044
SHA512 d823b6c3e2bb4e3351a7e4d95962218befedc3b7cb5b387ee9ddcc1522e3c0c5cf9b3d9bb6c723d78b08ec98cbba25d4297ee0f027a0911aa6a5b3df05740dfe

C:\Users\Admin\AppData\Local\Temp\GQYG.exe

MD5 5553fd70331f8a604ae5033ca9d8a17a
SHA1 0aba43b05b955031850fd20f2969e6fc87b0946e
SHA256 1fe2e4bd42224dff345267e2975125048bddd34a4215c454538c5cdd99d7124e
SHA512 1f080e3e82b18f46409368851a4c4ba3c42581eaeb2adcd19120f28e30ff46e48a301d6b8248894ced477e6e0da9e0ba2b55106f0daebf7d642689c988cab642

C:\Users\Admin\AppData\Local\Temp\IcAo.exe

MD5 e0fd5205285d2cdd9e4be23bbd5845c1
SHA1 2bd5bf4fd135e047c8430149061e614bec55d72e
SHA256 2a68e193a50d110196482a9d6f1c5312fbc5da7e14883a67446a46b378f49cab
SHA512 d4f03075ebd061aa2460c7897d0c270095083b2edc0fcd9686cd9cfa336b4f3102de37505366dd6fadd90eabcb18782a276b008c4c1a85084b3ca39ecb16326a

C:\Users\Admin\AppData\Local\Temp\sOgkYAYc.bat

MD5 43bc2fa426a9ad35323d88b259fd56b0
SHA1 abcc31f67e86ba59399561e23b0eea37275d06f9
SHA256 58c22a35e42e06c36d3098cee911cb5374f541f22aa5de5112e3fbca3d575e7f
SHA512 b1cd9cc7783a14b55877943319731e734464e6ac3645672694ca356d244c642676dd391b4a7dc3c93b7703e4ead531492430b555f84018052adefc7b7e56fd0b

C:\Users\Admin\AppData\Local\Temp\uoog.exe

MD5 91b314772eeab6ea6944a18a7ff0aa15
SHA1 dedcbd2f810271048951c3ecf939bc715fcd7d89
SHA256 eaa1b7b24641de86c1132d5374fe894e0f207e0c5c8a82a13d178e9266b44f30
SHA512 33d9c0d693a1303883a471133b346a286fd4ed3ae85ce7e776feefe7653353012c4505cbf4ed91dafd38942063390b61890c234c5bcf792c23d0060ff9c4162c

C:\Users\Admin\AppData\Local\Temp\AkwM.exe

MD5 e81bc3304c9baa171975ec277657806c
SHA1 a0c6571a4e9d2ed1edb980a61f927572dc17a2dc
SHA256 21185601f73ac136b7c774ad23b3b261a94b4b0525e220df7fd2ed660488ffbf
SHA512 70db1ce16f2026051f93e7496b0ed849550f6dca73f9a86cdf540b4224133ce98ecc425f1d3a63e2986df7c02e8f04c17732898e2540a56953a56959df66b8c5

C:\Users\Admin\AppData\Local\Temp\MkkG.exe

MD5 cf5c51ca516ce7cc515ba32658439360
SHA1 ed57a4cbf554064e399cedf0c59eb49626d7ccf9
SHA256 635fdcb966deb318693ccec00bacfea56c60dc9398435a54de399f3c81159e17
SHA512 a6d4d148eadac11584237dcd6c52ff5ccf59424958c5e15ff26e0a86562283e7cb470f4daa3f5655d2a4b4dec96222c7c05f98305ecdec9507f3e5bffa6d9740

C:\Users\Admin\AppData\Local\Temp\qiAswEEg.bat

MD5 90d1ee392d692738fe6295679a754499
SHA1 5fdf877c632bbbdc523593445ffa354dfc02bcf4
SHA256 3d3a78749e285aa6c64771c98544e772868f7fbfaddd701b323e664d0eaeb2a8
SHA512 521b2d6b084a935b48aff59f4a3ee5cc2081fa4adf70969be85e2e6f4a0ff1c606c190dfed5e6f1d084d061fd676d97e3d0f585e5efd9fb6e4a76179c337a321

C:\Users\Admin\AppData\Local\Temp\eoEm.exe

MD5 659af1c2fdf8262d5de9a651a6ee2b9d
SHA1 fee6cd75f740b3b4d64761787611aeaad400c0a0
SHA256 93a86c224b3e6572c47764dcceace4b5bb77a745416b0d9a838e53b775c5fb7f
SHA512 f54b25d7e0dfc6f94157cd123fa3b8e68e9a3e5829770b77a3c68d2be1884b81e9482edf49470110989e9bee4e83d9a4710ffa3d38ecb54306095b2dc44f0013

C:\Users\Admin\AppData\Local\Temp\iIgM.exe

MD5 52a6ae9aec9cd507dc6902d3f33be9ba
SHA1 b7c1cd81c8fcf9ff4d3b5c125d37fca3821d2486
SHA256 ebc1b258ac28dc355f51f4e0ff6d4d835baddd451a20db96d303f1d5a89ed038
SHA512 cbd1b186bcc1c04f2d3804cfb7f0d7268a69ea277c0b5b0a705697d925733872e587cc6b42031ec02825e74b33b8f1075fdcb0d530bb869cf69e5c7376b3875b

C:\Users\Admin\AppData\Local\Temp\moYsYwEU.bat

MD5 2536e9fd1898990163fa6e8b3ca03bd8
SHA1 c63d7c850f689663e756ab02492da1fac490182a
SHA256 de1cbe06a0d9a427d027155100c4cba20d2fba707672ae3a4912381e2f757198
SHA512 85697cfa0da5a628633add680e80f5cf5bd3702e06940c6c6e75d582e245d6e21a375941456a883fe489a88a2b73e9719774a89540dee12b41fde6a305a40c59

C:\Users\Admin\AppData\Local\Temp\Ckcg.exe

MD5 22c98bdb3f05fb8f1d5706c2cb3766eb
SHA1 28322c9f78ecae9731cf4e1e83894191f92780e6
SHA256 eeb8907be11dd3f7ebb25e82ccb577ff6572e17f7bd15877b618932461e2c5ea
SHA512 7f3a8af95d4d31c48a5d59ecf0f2f9f26345b857e517e9ea51a9bca5a282a3559016b4803b817262bf302c6fdc4773eee467082adab6e367070d6c995fd46da6

C:\Users\Admin\AppData\Local\Temp\iMki.exe

MD5 10d7e13e8701391506af38693499bf7a
SHA1 bb4204c3c7d3476ecb5895d5123178e8b1fa69ef
SHA256 73176f6ed17d50303ff4bc179e3d48c7e1b64e5af79f6ebf07bac9d6e38d62db
SHA512 30daf09a40dd9f2235cfdf3899885f66d10b69cbed9f690c4b7386e6e721bc7eb89bf3fefaddd2903666fcc2bada6656afc696e60225296da86c3579ef6268b6

C:\Users\Admin\AppData\Local\Temp\IoIkQsII.bat

MD5 2aee5674ff5f91a0baad0ae9286e3eff
SHA1 1d268c160b951d4e7f4a2f23c51305fed74e9828
SHA256 6b72a771fa034d7a2c5f2e360cadf3ce9018cda3093fd6dfb189868ea05a3e8c
SHA512 1db2a8741b859f517756e42c08a38644dce4a82233b3173090f867784387202ca71f3127e392c6943952cd5ff2029dd9df3b985d2feda823a76006c2d8e7fcc9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 98e062ac909a12e75a944dd4660cfaea
SHA1 ca860c46c09d2cdf4e1e245c3fc575eb1f8d448a
SHA256 03b3df808561f3152964e3eabd15b2fe2d91615db60c6b491098dc41cc5cce98
SHA512 d5d57891997087ec8a29ddf9819e9613ba1149dbf80d7dae8431181242b477e8c98824fcb36f205c8978a3b90a9c0a0236841dd1889d7adb76169eaa9b2a1ee2

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 5ac2749bba9cdbcf01aeb572ce621827
SHA1 697922b1d1468751fe8b7b1ce95f60ef4a584c43
SHA256 1340171c20443abb02fef8cb81397dc82e2b65491f0874a35d27e5038edf8b63
SHA512 784952b2c3971ee3d59faed2238a5c279feae40ddf69ae131b43ba0c78601247caa2ede2dcce1c5d7a9df6a609e4e67c48698ee950ae037b03a9ca5953e80596

C:\Users\Admin\AppData\Local\Temp\rSUggcYg.bat

MD5 83b5e12b4b4499ffd6284b839b420994
SHA1 010cb327976133227f83bfb91c0e84370d79be47
SHA256 d09c09b605fda45e13f6d338225f1e272d744a7bceda11236ca8245c5e72e10e
SHA512 a6eac074423bd3cea267a77cea9713ee68ccb56a02c9d8f7d01db936ee06f923ee32157c117249cc8a41906727bbc41e67790e03c0bad070b66929e39bf518fd

C:\Users\Admin\AppData\Local\Temp\fUUgEQAg.bat

MD5 ef75da27af0a1de5a5cdd4598b50263a
SHA1 ac6a4da9a627e276311cc9b1273a3356b763b2d2
SHA256 f9fc5c43fe4162d1bdff7c5e4d84c1f86339480ab52bba2a475b9f5661075f98
SHA512 d607a6fe158638c8c9ed105c2740d8c5f527a16b0e20d0381bd8e789ced5c28c2a6ebbff5daa77eba5330d8443dd0e0d42c0c142f5c4862f9ea0cf8f7b6dd9d7

C:\Users\Admin\AppData\Local\Temp\kUIc.exe

MD5 ec44483608802ae31224449429adeef6
SHA1 f3afe2fdb4a523a3a9fe6a621382fe50db009536
SHA256 3fd3d70879007437560b9e0b2ac2dcff2a8b50d7310b72813d87718b70854df4
SHA512 f7d01a5f487a47c110121ae764c05e9e8d86981f1b187e7c17b9c8aad77fb82c2bc0be8505c89b6828a603680b401acc3e627f04e34c052622a51922c74f61de

C:\Users\Admin\AppData\Local\Temp\KkgE.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\OMsW.exe

MD5 36d0be5c6a0ceac075edc0185808bd84
SHA1 6844a577071f2f3d0663fa9e151db36ea9864e2b
SHA256 8551d0e3149ca0dbb0888b1adc48c7d06d8db9063eba0fea163e49c3aeac15ff
SHA512 e732c99f506088e0cd8bc635e773f195a2b89146d0a0fd6cb2a803f35c68f03510d618ff7f1e57d4d0e49233078fd09fec7e5600a8b7aea603ca2de478152942

C:\Users\Admin\AppData\Local\Temp\oYAI.exe

MD5 9b01f7094739703f9f36633c6c0e3ec9
SHA1 c2b1762d014f512ab2fb8dee07f0b39cf7f2fb2c
SHA256 81da23bdd15758aaf54eb005bfd2c8d46c440169196e6ad32caa8661d6eef018
SHA512 9f525d461e5af41c5bddeca8902e092ff425c87129a1e47bf14e60e33ea8e768d22c1d1624db7f7b7ee7be732bb6f707bdbeaed61fe43cec9bd53c161411360e

C:\Users\Admin\AppData\Local\Temp\kEYc.exe

MD5 637562c41eec7741c676b32d5522755d
SHA1 7d96699dbf5dcc26b9f10cf065df6c2ede464590
SHA256 365989260915834914020a374c0d952c858d1d51c9badbd9dc4a2434ec5acf78
SHA512 099be21adfe5b31c64681a80cf41ca430bdaa04bcbaec2f41c814091064acc50086c3381dafffd1056f8c2e223324af7152ccfb2b3dfb45c950e0ac7aac0502e

C:\Users\Admin\AppData\Local\Temp\cEAA.exe

MD5 5245232aae42eb679ae446eaaebd0066
SHA1 ced9a28be5efd24be15db11b65d88dcef26f4c5a
SHA256 00238f490627c606a910c0da8ea0c63ff62a105d004a892014fa2de15f984664
SHA512 d2f5d72532198fb99e6a0c4b37576798ff603f12e2127461dbadfbee56bb23d5f1e40e17564bd7efe3aa2538295f3c500f102fc3df948738e72ceb05f818ebbf

C:\Users\Admin\AppData\Local\Temp\EAsE.exe

MD5 fd62cdbc8830f2101992d98fb0ee0b07
SHA1 944ba5e24e68aa79c600edb69d52b45efe84ef9e
SHA256 ef441a2cd2de0a79ed1fafd1b0650eb11e39ecca583c5c36de978dcf05ef9044
SHA512 ada253c301bac5ba9e3c24d3fc77570bc8b8b5176d622d1ac867c5a1ab0dad8eaf6f2573a44be40137df6202f0635ac16b7cf21d94140b2a8dc887352dcf0307

C:\Users\Admin\AppData\Local\Temp\pyUkUgkM.bat

MD5 3cfaab869f4127fd13e0256c420380a3
SHA1 a0b43c522128935eb51614d792dff11b97aba8fe
SHA256 ee6a20fa324db17c254269696ee436606b9194b36480532f1ab3e35efa4f27f2
SHA512 03537ce77d61df8b3d52ec2348876a1930ba0935d283d88e9f39b7a2ddb39f856e5edd006ada65d4849ad60b1b52c36e30b9f5fbf06dc7c6d69b5f2c65f87023

C:\Users\Admin\AppData\Local\Temp\eIYk.exe

MD5 067524bf4047b9068c78aec92c0a154b
SHA1 36bddc5b31ff064bafb97be7c2307ab1f8d1c086
SHA256 432594a5ce148d012c64d973d3d1ef39ff12084ad9efe69d2742bff3e2259140
SHA512 0f17351500131001752ef2a446ac578ac9d9c201077865f01dcef0e7aa5fb7ec8ab5f0c8790c62a0fcf23823b294eca37013b658b59f305fd31d16d869b461a0

C:\Users\Admin\AppData\Local\Temp\eMoe.exe

MD5 8b3be0401fe095bb0134ed8d0578bbbf
SHA1 fd6315e5bd5af52d2ac3edbc8baf3c66bb07e0f4
SHA256 f4430c6e5928fe5355d505155e5ea957f083deb2c4c9f511238d0c729341a55f
SHA512 312fe2f0268712aa26e400763ab8f1b476b5921a7134dc353a7cba25b32946caf23fd86a6ebb331e9a9a9b261ab905c811ebb17c54f61bd6add0211d59826ecc

C:\Users\Admin\AppData\Local\Temp\ZyswMMkI.bat

MD5 cbe8ce3b9dd8e795d70554acea62a808
SHA1 354b8918b4e0ae835858072d02fd0faf9cf797c8
SHA256 49ee0dc202ae2197e35f35d1f778773f0754d4be2a5cd14549d53a6b2c9c44b2
SHA512 f248cf0a3e3707e6b621bbf4e3472334b1c3e7e03c69220e71d6a3b3cf2709c9a36e786874dba78469369866eec960e09ad9d4c9059fa8cbbb8284bf5f97c988

C:\Users\Admin\AppData\Local\Temp\iwAq.exe

MD5 3b4aef3740b990f8662ccfdcfee4d11d
SHA1 d5d1a41c4c36db55c6ac50a6916fcf80f123688e
SHA256 54047d2615ba83820a77aceaa5e8d957fc3948c0b80a86b21e8598625f7a01c7
SHA512 4bf7157b768fff659002fb335c4bb66d5a38792b1cc3aaa2cae736bd0102b6c008901084140df45061f40bdc33054bc0ac8f453979bf25dd982ec24e3d2f89a9

C:\Users\Admin\AppData\Local\Temp\iMkw.exe

MD5 e45e552060c48030401319111353790f
SHA1 835b79f302b329dd4a2cb2b1fd04eb877118ce38
SHA256 2ac5b00a316370e777efa4e83a4541940487035dbd6c38c242caacd1d25702ee
SHA512 41f35ce22b626d980aea18a1675a75720eff36193c6c8746181fc3d9d0cd0715bed74508302f1e6daff0e4f50c86a95881d28b893526f1824e8f7e278070d7aa

C:\Users\Admin\AppData\Local\Temp\UwsA.exe

MD5 89b1af1eeb7826f3a6f41f42e39a9d73
SHA1 690879546376c0a089ccf7ca2374c34e6a09ea2d
SHA256 4124b634389c84087e74fa5309de16f982873b62d17f660cece7e697c12ea51d
SHA512 9bca6195a8d8f928b10b3f1b906a4e01daf1683beb6d12e36aa19f7d7095d95527834a5cad988a94672def43110e7403096a3ff78c892d66531254c43922c931

C:\Users\Admin\AppData\Local\Temp\TKoIEsQI.bat

MD5 136377f2949087c274df17f2133bcb16
SHA1 efc47df8cc00c16e02bb1e0e6a08abcfb0ef7c87
SHA256 2227e3da6e34dff352a3496177a8a36449c0d4eddc16607b5a32d591c7aefe3d
SHA512 8545f9d016c300dbefa5932cd929a715466d1440e7379616411e3cc2821c5dacd8720111fc66f9c233ba63a0de02a2ddbbda92c91aa50b550b6c6dc7c29d711c

C:\Users\Admin\AppData\Local\Temp\ksEUQcEc.bat

MD5 65b9e0e25ee0a4fd58e192ccb91c316c
SHA1 e3e5a5bec7cc07536c6e01a150055c3af6eb2f07
SHA256 02edb18679d1736b51c17a7206ad5834ffcccbcb9dd050b57c64fd906ff36cf1
SHA512 17428adf32d400ad730197933f371f6ee001342724a942410dde875a30cd254c0127e4dc3e4c99b8c719bfcd38ab639bf41b7bd7e68adbe92e26b06270fe1277

C:\Users\Admin\AppData\Local\Temp\mEYUYAUA.bat

MD5 b7965c8428c1ec0df219401defd10a4e
SHA1 2743014f2cd010804cb922534b0888e34ce24fb3
SHA256 4306048b4f8cad7e256f430dc61690ece6aab6e6fb07c8aa33025ed3774c3a4a
SHA512 8ea7bd7aaf555cbef273889ee340bfdcb14c6454f28d4f8ddc10879e74715e0267efaf4dfaac72bff5e60b3daf21aa707a2e8766ff834ee0fcd7a47583e51039

C:\Users\Admin\AppData\Local\Temp\SgUYooMU.bat

MD5 60c80db703889260bcb67f6552d5a274
SHA1 2e670a04ac694757aa7bccc879819c439de8898e
SHA256 c620b552458407cbbfccb3b51f6d45d5f0d8f3df898a09a8fa87ba5cf5e11a37
SHA512 be8415b01ce186b66402930de009ba21dc2c8192df79a9a60b56b85eada920ca31e573c232d70dd089cd173304798bbd8dc15984de05e5615fa0049c03084fa6

C:\Users\Admin\AppData\Local\Temp\IUgoQssk.bat

MD5 86ac90c7f1391b9de5ecbd558fd3dc8f
SHA1 a9038b565cb794a07b594c620dd31c10e61bc047
SHA256 fa9dcab3964a2a1cbfbc63d6ea42be4d1a5c6d4dddc23ca484ee3c8e7af29c7c
SHA512 b394b0b6a3635a3eab8a77ab8db9b2c9dfee443d5268df03240d3c173793f54a1bb4b833f44032f2130f19c853cdccf47fa33d45aa148f114df8bc8692550801

C:\Users\Admin\AppData\Local\Temp\nSAEwIkg.bat

MD5 e4a86ba9a4c2d6b8e3ee302a2e2d3de7
SHA1 c6d178eabd266d1564d8991e0f08a65c37bf7dd1
SHA256 854877965f16a11063a074f68fb2a5f7655344605719412d8003944b8a00d854
SHA512 37c386b6314f757c013118173a0032f3df692288771891608d310f4d035ac836fd1c7f2d1b197106a54279549f81089c3b303a6a67b8ea94063bc035e4612e39

C:\Users\Admin\AppData\Local\Temp\hCkIswUQ.bat

MD5 e2b8b0738aa61264dc2e703be6283dd5
SHA1 2acccdb2b7156f9fa796be3524c9612a46ed317f
SHA256 4b534daa3ee3d82fd59485595639e8c0d3125f5651d690b2e5182067cc073346
SHA512 c84b501264b4b7278c65ca2dbf22a1314f156a9f9025f6d5a28ff40b22c390bd5fd32f301c014c71ac129f05ab4b5186676f6c07e5af70dce93d098f07300895

C:\Users\Admin\AppData\Local\Temp\JGQsMMoM.bat

MD5 60a6f7d8d75c68928194afad5298890b
SHA1 47fa233d5c097c9b50719fb174d3471aac4424a0
SHA256 eb9f8d1db75cabfbed7ca3a8a0b30d2dd967cde521894e893eb971050778afb4
SHA512 9ecb2c6ccdd04be0615946337dc670c717ba01bd2a0cadbe0fc4f2ebd5759e2a592ec650773b263d9e2ebe9cb989b5c475198fddd1fb986f08bf3b1265e5522d

C:\Users\Admin\AppData\Local\Temp\RKEAYsUY.bat

MD5 f9cb6ef8eb0905ab6876b73aad337019
SHA1 069cb687a2980faf9dc70e12d8b7329fd10caae2
SHA256 340805d6d3d0fec8285804599ab1195537b0e48027a5ed7b1bc6315c96cf365d
SHA512 35bd5c82b17f0bc18ce72857bc295c4fe17f1298e61612d2ed066c0252189740a5eed697bd5d4884ccef059a2dcb0641a2f950217357ae4fb4c46d71c155b9d0

C:\Users\Admin\AppData\Local\Temp\UIEksMEc.bat

MD5 523bcc5ec2f40c861db865c2c1fa881b
SHA1 383930e8c08327c398d21c0239a3ac8eedad9e17
SHA256 4e1239203c152197127e1e0cb01a2d24e2d1d5ae9437663dd2472b2b9e8633e8
SHA512 9d61d1066f48d00aa16c936b99f83b6d3c7f747b60d0fc24f05f1a188a2deba7818f83bd259fc2acf27fbcfe06010bb39b717ebd936dc69c1a6fa7fcd3774c56

C:\Users\Admin\AppData\Local\Temp\AQsgAEYQ.bat

MD5 1c1be414bd39f3c5a5cb0bd3d33a461a
SHA1 2db7179452c78bf9dd12a521c130e6403323875e
SHA256 bae353e571e4ef487ab7f2f4a7d39e74f8d217abff9e341822592c6ca7032ec3
SHA512 8f575cf7213199670ecad419c032c0c389ba5e93c0732a628d5228d184ce1e763323a2b60779dc81bdb341aa1502171e6064d6f71f9eae0a6de7242e866c72a9

C:\Users\Admin\AppData\Local\Temp\KYQYkMoY.bat

MD5 e38d50586a0fe72bb46c75b942caeb72
SHA1 678eeb441ef7d9a5604d702c042dcc6f4c1d26d1
SHA256 50d9a34284cd56dfb372aed68aef0d77833a22af6384961451e2abc01ad82456
SHA512 6bc7c89e2d8c94149b277c030a8a47e1ee0a465dac389328516b92286e2cc0a06decf1251b456ed645ac8a9e7ea79e7529ca4401c21d846afde43a3f129e5d96

C:\Users\Admin\AppData\Local\Temp\uikcUcgk.bat

MD5 a26105a7e77bf49b1b98af1068909bd5
SHA1 9de08cd5e053e0e35e8e3138bab6c804e080b19d
SHA256 8dea120c0deb9face561237bab0e12df5ee7407466fdaca0dc6230c0e59040a5
SHA512 cace6dbaec77d15f7da01ba189cb2d052f85aff628b4cc0d03ead3017f5637427f5a78390de85b7ae147ce7a51fbcb224934e3659dd3aedd7168d7e0adc910d9

C:\Users\Admin\AppData\Local\Temp\UksAUwAc.bat

MD5 0ed32970f635265214b4ce2e5d107951
SHA1 c1e4cd164ecea111475c934f307797e98860389c
SHA256 690d925bb0ceb1364c38cef9e758b8133e8b9459941aa61cfbdd2e5ef6db3913
SHA512 5dbf369d956edcd0a97bfceab050a97b2e419b78a9371b9690cb69e47ab5e2ab4279a66261b6077dd22df850a6aa4b6f55ed864fc8f9b3d8b52493314893c8e2

C:\Users\Admin\AppData\Local\Temp\zwooUoIg.bat

MD5 a4064b9fe2de5885e9c828748fdfd0de
SHA1 f2fc377feae4a3d27171bbd545f5b974e86b734d
SHA256 4b3d7bdf8347654bd5ddb801f87aedbc42ef2fdeaf2798ff7cb7022b2424f451
SHA512 5b0a310171e7720b0e624af870b5820dc1f709a8a1270960cdef4f6d3ccd2cae04d864e8a6715390c996a9bc9339819619ef41a4ead625223bd08a2e9195a098

C:\Users\Admin\AppData\Local\Temp\TioscoYw.bat

MD5 e3b6e5692b2130344594cd4302c2853d
SHA1 710157d6dbc077f8125d7331d02c3e6186f4d3d5
SHA256 f8fa58d7c467211f36fe66fea5c29e353d0ab3844efd50a4877559d7d25f8f8c
SHA512 633070aeee53fbad1f20b06298634b23b6e3f07d3b19f309fbcaa0dd47bce2118d38f46cbe635c4b1de25db7ed971c598ccdffe277ab8c8d0ad083865c361480

C:\Users\Admin\AppData\Local\Temp\PqQEkEEU.bat

MD5 3f444fa4fc9e1c6ea1d7418ad33c15fe
SHA1 ab776fa55589291ed97a303ec51232434b6423b7
SHA256 4dea5657f4739a4fd73d46b116b06420527d214307d5b69b91fa0a6274e62a9e
SHA512 802fe19b788124d8a420e0cf6ccb3acf72aec2ddaa96174b613a5312b9c003f8bba21a060bc7d12044cd28a6d066da76dcd71f2f6519a4cd101f3cda1ac5dc12

C:\Users\Admin\AppData\Local\Temp\xCoQoQAw.bat

MD5 a7972231cc0eadf7994c42f2eb0d7b05
SHA1 59aec181393cf599119326cb43d6ba0a78dda650
SHA256 281d66a394e3dffb7f5d6a45d46dde9338dea33b1b138a51a71e72cac4cb18be
SHA512 83ab310c43591897ff0792d54f1d8e79efc82437eb6beab8831e63f8b85d42c27c7086c0e9a7fbca95c65dba9226afdfdebf3855fbfb0d85c296036414430218

C:\Users\Admin\AppData\Local\Temp\MskEEAYg.bat

MD5 63ecd5f09830dcb2df51c212893920de
SHA1 fef94dcf087a9cdea54ada32fd19072f993222f9
SHA256 9970d2cadf2a9e35bf1861baef8abe7a865767ee0464da802a6d643ecfef73e9
SHA512 1b8874b29f2f28f9bff6905e6a67e1a9b508afa988cc9e2468d46efce04d33b47d05bc251b69acdeaca7c7f195df2bf07cbed5a652073911ab9f720489b9235d

C:\Users\Admin\AppData\Local\Temp\ueIEcwYE.bat

MD5 f027fd491ca90aae4452d23af5cc5957
SHA1 44bfba737f30be42db5f503a064e9000486583d9
SHA256 e8bffc3ec9aee3e1f74f78e36343b9869f5924c55fd7169ce9c9dda92f044d83
SHA512 cf44d76349898d829c2a4a22e75af453aef284d1f89ef5e5f9d42ba6cb84931ae92c69a35d8036f520e7bc8f2d8197d764810ba2084cb866c1811aefcfea8d99

C:\Users\Admin\AppData\Local\Temp\ekUMAYoQ.bat

MD5 2c8802629a3a001ba0d1d04a4c2c3db7
SHA1 eba59358cd7c8428940c579881ba04142ecbe3da
SHA256 a524b72ff901ecf37ac4f2bfc2018fa7d6ff1b67528a569b58e63a68d8585670
SHA512 af614ef49fdfe47a5d78a340a187a6491ce19eca6a82f11dae582866450356cc71cc6ca00e384956d0b1a06b7bc2e450457a67c4239611e7c438295464b8fe4e

C:\Users\Admin\AppData\Local\Temp\YwQUMwAI.bat

MD5 617a52a96603e955c1ce0c39e68c4e9d
SHA1 be09c84e28816971cfddc32dd38cce65b8930778
SHA256 67b1c05077f280207e5c684e3d0fe7efb9d388057a0c6bee13c261414e755815
SHA512 a0d5cedc33bd22e2a3243a1a59476d252e718fa653745040116aade91d1bea70a68ec914b2e56d7c7ebfa14d7a94a2bcb7450eeda53d826569ece25716f5e7e3

C:\Users\Admin\AppData\Local\Temp\uCMIgMMM.bat

MD5 16d33328c110c8f8bf6e5ec6ddffdba0
SHA1 dc0dafbb802f997e802cae13005863a58902f747
SHA256 b66b3efde5a3dda15681c2cea1fba0aac2405872fcd97e35ed21cf6a39f6a127
SHA512 697d78a4c0ecc8828459b45d4de9ee532a83cadfd19b6b1ca1de934540985c745011941cade87282f93573eba9a30443c9225a454f4bb9d3d9f9db19679de0f5

C:\Users\Admin\AppData\Local\Temp\BusMIkcc.bat

MD5 815d85ecc39c75376a777202df454eb1
SHA1 efc5270ceaedbee6db70e2bdbcb225460dba9b32
SHA256 26d88fa09421d946e2be2ba5961cd4db0bad1002d104abef8f104d448c25e7fc
SHA512 315f4716bf9789511e571b25e8e7dd7678591af2b7adef6ef404d906744fc7e6b94260a94f57dac21c63402f6f3f60179c05883b072c2f71622dd08c7c2404e8

C:\Users\Admin\AppData\Local\Temp\dEosgssg.bat

MD5 54e4b94bd99ef491029d5107ee402f50
SHA1 b2b288c0334334f1e994ad36593f3e15b2d97e7a
SHA256 d95e099d2a147db6ef124973f01bd96139c5110cfaab4fcc7b4f0d1017e206e1
SHA512 2bd0bd904eb8f557af409bc58271277dac26006e4cdc0323db0c78fbb3e597e698136795d5eb5503a376f4f3630f40c0fbb868fcecd06a6f51cced65d3593d76

C:\Users\Admin\AppData\Local\Temp\tCMUsswk.bat

MD5 6fb62d75f427125fc3c02f578703d03c
SHA1 824aa0d7dc146ac47d3d4e86893c9a96fd8ddfce
SHA256 29b1d6f02bfe8f7db2b05b1636a9775d062cbb5831d6d7e9459aa8d90b25cb41
SHA512 b4dde997676dd4c2f50a021b13bc0b33893cde9ae04b12e25f7f29c42205a652dd3b8cf34efc39efe95d002a969dad54f3305bc23457934b955afc28cf4fdbb5

C:\Users\Admin\AppData\Local\Temp\buYUcUco.bat

MD5 a9baf52d1e189b7d842e1fd2d38ee04c
SHA1 26d6f267e9fbbc63eb0cf75bae59d13b3fcdd1b9
SHA256 5f5544086df7fc6036a2c8d81fc35af03e78aca9741b33ed469559311e357fca
SHA512 d2b34b21e134e08b618b7c60b6e450f0f551bd6855eba8a9e1ab54799865707a4375b97d44018021b49cb658f3f063bbcac0ad64f84bf27c30588dc5f048df13