Malware Analysis Report

2025-03-15 08:22

Sample ID 241020-2h8llawcqj
Target 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN
SHA256 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290c
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290c

Threat Level: Known bad

The file 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (83) files with added filename extension

Renames multiple (56) files with added filename extension

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 22:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 22:36

Reported

2024-10-20 22:38

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (56) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\ProgramData\qikUgYAw\vQsgIMAY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\roQEUEow.exe = "C:\\Users\\Admin\\byYwoUkQ\\roQEUEow.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vQsgIMAY.exe = "C:\\ProgramData\\qikUgYAw\\vQsgIMAY.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\roQEUEow.exe = "C:\\Users\\Admin\\byYwoUkQ\\roQEUEow.exe" C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vQsgIMAY.exe = "C:\\ProgramData\\qikUgYAw\\vQsgIMAY.exe" C:\ProgramData\qikUgYAw\vQsgIMAY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcYAsskQ.exe = "C:\\Users\\Admin\\HYMAQIMw\\rcYAsskQ.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HQQogcgs.exe = "C:\\ProgramData\\HAYQswgg\\HQQogcgs.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A
N/A N/A C:\Users\Admin\byYwoUkQ\roQEUEow.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\byYwoUkQ\roQEUEow.exe
PID 2996 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\byYwoUkQ\roQEUEow.exe
PID 2996 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\byYwoUkQ\roQEUEow.exe
PID 2996 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\byYwoUkQ\roQEUEow.exe
PID 2996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\qikUgYAw\vQsgIMAY.exe
PID 2996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\qikUgYAw\vQsgIMAY.exe
PID 2996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\qikUgYAw\vQsgIMAY.exe
PID 2996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\qikUgYAw\vQsgIMAY.exe
PID 2996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2996 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2576 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2876 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2876 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2876 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 2576 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2004 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2004 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2004 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

C:\Users\Admin\byYwoUkQ\roQEUEow.exe

"C:\Users\Admin\byYwoUkQ\roQEUEow.exe"

C:\ProgramData\qikUgYAw\vQsgIMAY.exe

"C:\ProgramData\qikUgYAw\vQsgIMAY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQAEMQUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcEcUUkw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOsMUgIc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NsMIUUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsUwYMYk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOQwcUMU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYsMgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWUwccww.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqUsUwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGQgcUIg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROMwIYwU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqkYcMgs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VacsEUYs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAQcYIQE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYEAIYUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcQMIAEU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CAIUwgkM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiosAYgA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWooYIgU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkoEkcsk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkcYUkow.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQIoIcIY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uoIMwAEA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocsAIQMA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQokMUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGMkgQoo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAYcYwko.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSYQIgwU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TscoMIkI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DykkwYMA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ooQwUwgE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWkMYYgk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEgYkAwE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgkIEEQY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQwUwoYg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsYIEAok.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmMUkkEw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMccoAQA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iSAsgcYc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocoUIYcg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sggEgskQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoUkEwYg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGYsckkM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JigQwQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwQoQIEc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiYccYQs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQIEEwEA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGAwEMwA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWIgUsAk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiskgYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\agEwkssM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkEIQgIg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fqIkMYgM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWsQMMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSYoAYIM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKkwEgsI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsoQkgYk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\susEsIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmoIQgMk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiIcUUwo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOwgEgUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FaYcgEMc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucMgkYcs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqssUAcc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkowIoEM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOUYYwUc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqwQMAkw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSQcMAUc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKwkMEoY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIEAcUIg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIYYgEMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sysQAoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqwsooEQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsoAgsgs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUscUQAA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSscooUA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgMgosck.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuQUosQk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUwEAUoE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GAskIgIk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "78190026040066798-188018316719621764681931264779-1485304487-1345759813-1034887394"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiYYIwgE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmgcccIo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIEYgIgs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1437363140-1313197581162093838384106660752475740-12442169291868177339-1991217876"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWYUcsUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmkgYUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biYswsYk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIQcMgAw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2049619151317404321-3440897981318262146-2070830949332450222-204076850-121372409"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESIEQEUc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiMUsUcY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyEwIEME.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "969751392-6530034561251675273-467030308141400304118823314985939821198486445"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-481102446-16538530571376099444-1223959094-720223241-1305864837814066555-616570803"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TAwEMMko.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCoUoUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUYIUIIw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsYEIEEg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-36364896287752355828489642-11025838861084125592-6335521971511816243242243691"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmcUgkUs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1764022707-1965899194-345095926-14445597511058178504-417232069-1181696958-1577776021"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1614276363-1448423488522501355-1114694441-1200298067-1581755835-13585886042096192463"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWMcAgwg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoYIUYgo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1621136563-4891347151745564808392516323105236243612174100967610039661711851820"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOUoYcoo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUgckkww.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19795245983444459391839655345243721016-1140768498-183881010917634262581494538129"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAQMkUsE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6452368651265594882-1985881040697304498-204153520111677912391466984472-116063365"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuMIcosQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1061199401-2039861203-1655996468-521057725-2118696308-1140038814-2798811382055538048"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1051143328-528842034184209910683513727-1928046113-36703461716274796031228920356"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMIsQssI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYMYgIEY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMskwwcE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7575301281443335718-521580901349946651-650010030-11117731341894979989-1025073077"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OekMQAAM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7601880161034146686-140918115519435212514330947596632474991445114613-386482706"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1221133302617346287402219049-1107342290619186833-2131117704468531541-1736816718"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMkwgQcE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQUIUgME.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIYUQMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqMMQMEo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOQEMoQs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZmMEwYUw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "140262279912128006401674960157-1138106756769148364667805416-147751044-1497592132"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-270125161282507850-5452029524147635321846693692-1234496633158762169-1299422247"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tagEgAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMQAAIAA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gyAAEgII.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAowwUUM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IisoIskE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSYgAAIo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe

"C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 36

C:\ProgramData\HAYQswgg\HQQogcgs.exe

"C:\ProgramData\HAYQswgg\HQQogcgs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 36

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JcggYAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.46:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2996-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\byYwoUkQ\roQEUEow.exe

MD5 7ed26bc3c4efc143034d8f6f4d76d6b7
SHA1 053efa2c9c15c95d1d5a07557a8a1efd1acfee90
SHA256 51141c8161496b6662198e666ec4136e9ac4bf961739869c6c063da5e91e2c1b
SHA512 4d256fa048ea7dd762adaf20d75170d63bdbd91281ed22e0ad18b3ce41cdd064864ca41705cba5b5ee940aa1465ecad3693661b298b1106b94618c86146c2a73

memory/840-13-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2996-12-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/2996-16-0x00000000004A0000-0x00000000004D2000-memory.dmp

\ProgramData\qikUgYAw\vQsgIMAY.exe

MD5 4413a171376eb8aa5116fb94093fd35f
SHA1 fd67fb29c1f1d1dc775f1a9821c2b1e38ec93816
SHA256 3e5bac5e15589fe5ec9830d8117bfbc975241cb5bb56e2dcf83b1cd3b4c126db
SHA512 1d124236ba212c492872ef554782f97c5daf85e095fd710039ebc632fe9d26a16d37403f9d547a9f6dbbdb86f423fb34f483da15b6680e75608996728a4f10b4

memory/2912-31-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2996-30-0x00000000004A0000-0x00000000004D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MiYQwAgg.bat

MD5 06bf99c34255beec70a5855073a397e2
SHA1 cbc7a7cd3eae93d42aef53f190806c0c044674f3
SHA256 4069a14600c64cb70630ef562571a744cab3e10fbd4318ede1356d4e1b748ac3
SHA512 d8d1502ea923c24feb201179f6362d6fdb824d8f2dea2bdcb389cecfb83be9a31bb5aafd9149165ca525ac6bad1a2ef263d9ac37dcce4af5adb4fc39dbde635b

memory/2576-42-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2760-41-0x0000000000120000-0x0000000000153000-memory.dmp

memory/2760-40-0x0000000000120000-0x0000000000153000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QQAEMQUw.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\wCgMckAQ.bat

MD5 6d8370830b57032aea61af8633ce85f0
SHA1 7861ad6d88396c1e22aeed7a74bcadf00508a1af
SHA256 66628c9a762613ab2ea4bd6f0dafe06aa15aabd2ff1b5ef3e967fba5d861a3e0
SHA512 736a6402d785dd500ab45428df766135c9af3786940a4894117455d98a69c8e5c25ea9992b783b9df5a55ca4974380eba68bf175c3d7bce1d893a8a12f216a4f

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

MD5 465608ce506144bb84af2ccfc475e15b
SHA1 ad35db7aedb4d245d4151fe7f91a195248f71f73
SHA256 862c779a739524499e4d3ab328d041769417ff471e5eb7b183372c82a408a329
SHA512 c026a6ca05f92fb8b749cb1bddecca2d5101e3cda05c488ac354860cc6b333392780ca4fbdc71c1310500c168623c365a6db80fe9a11e0e5b2d24ca34f098d95

memory/2876-57-0x0000000000180000-0x00000000001B3000-memory.dmp

memory/2576-66-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XMMIQAkc.bat

MD5 06c0557fc51663f26818b7e33de9aa85
SHA1 c986150e2ca6ec19b58341dc2bcc2f5fc23c4840
SHA256 d448f973967c383db58f60bf8a62904724f5e3f458d34db2ab0af094d23efa7b
SHA512 1ab216d598363dba667e872cc99b2a3352ea8f76a0dfd67bd357125054054e6ae0f9b26ed761a89a5fc8c4b143efff822dc9855f457827ff615fea3780c2bb82

memory/588-80-0x0000000000170000-0x00000000001A3000-memory.dmp

memory/588-79-0x0000000000170000-0x00000000001A3000-memory.dmp

memory/884-89-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pAIgMQcc.bat

MD5 3480cbdb37a9d0bcd7c0e3167a99726b
SHA1 5bfc6c8c875c546479595f842cd3e1ed52ffefed
SHA256 f5fa8da73961a66cbd2fe722298d0118a8caebe491601e06bc46beb728cc7d31
SHA512 995c61bf2c59a42eeebc87a3759c6d76cb949a782cb42d5de6e7f20ffe32095a8ab96a8a3639cae19e7ffdc6f3a7569ceee83dfa75dbc17dd2490e423d165ea0

memory/964-102-0x0000000000160000-0x0000000000193000-memory.dmp

memory/476-111-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xkMocEos.bat

MD5 24e8ea10995c703fd07ac8cb152b6e49
SHA1 4cddf1ba8cdb7e2e48c2aff0dfb62252074d45e7
SHA256 e03b078150c917fc03df2b4c39925b00db8ef857e7f8c2458a4e66215656bcc2
SHA512 69fdbb776093783e4ebd65c34651c3880df1dbb28014a75cd09356a420e5405ea51c01b904af125dc0d9e7019678afeac9fb28b8bf59ebb875bd1b977e7593ff

memory/1856-133-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xEYoEsMo.bat

MD5 d897185c2007125233373393dc498f92
SHA1 df5fda63cb65b5032b590166b6a194f0b94d7e81
SHA256 ca5aaa545bfee6e0827ba89ee30a306daf960c714a3ef4f28d9a111f69196fb9
SHA512 559838eca4303088852788890499e0a069550292c2e8f8ac6329bc9f451f8f6242261f4ceb72f348422592df75c24f65e0decce6a7b119dd449c46295478f9c6

memory/1280-149-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2308-148-0x0000000000210000-0x0000000000243000-memory.dmp

memory/2308-147-0x0000000000210000-0x0000000000243000-memory.dmp

memory/2464-158-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iiUIUswU.bat

MD5 588bb634e9632d9b9ec54be4094c4722
SHA1 95381782805eba6194c75327fd8e9df0e654a807
SHA256 36827bb8c6d9e7135d2591cba78130b6660aa16f15ebdaf00f24e9097c98bc84
SHA512 45d2a8e2bd9ac4f677176723a8856fad528f9cb879b3f7e855bca63ade02208fd289e9431e68bb9ea7d4ac7e179bea44619a389d0c3ba9abcb7cba421c7ba2c5

memory/2608-171-0x0000000000380000-0x00000000003B3000-memory.dmp

memory/1280-180-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eisAIgsA.bat

MD5 d946d5c0c802e8c298c378a111bbbcd8
SHA1 8e0ccb160f6328cdd65e1d56f162d908cec89843
SHA256 b71fe72c78bc819b2ca29e7a3fa67a6c0511b4841a9aa49732ccf60cc0e87264
SHA512 3b8fcc8f40645cec74b1915d2c471bbce5f47e98297b18a072da30ab6d99e59c221e1e513f22de0e1ea5c10581f88fd3d89e892f14a1f2b152142bef49e9ad24

memory/556-193-0x00000000003A0000-0x00000000003D3000-memory.dmp

memory/2864-202-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QIgIoYoE.bat

MD5 08586e9bfe8e07439c9ec211e23cb853
SHA1 001c7e95f236002df25b10fedf773cb15555c6b8
SHA256 f95507878e2405ce600a6298b9d5d0f6d7e06b254095f6bb27a78473be21342d
SHA512 3b21244a00a0a4018e9d3f42d1bbdcaaac80a24e5ce675fa7c0b060302a721a32b2de49e1a994a600e9871246e52c0f1b25284e41e41cf2f6093a22289a06d3f

memory/884-215-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/2000-225-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SqUocEgw.bat

MD5 c8edcd27f468d5471dded526ef82961e
SHA1 3852b852b3858b25933b6120f7d140b37d15a946
SHA256 1223881624ac743f662444a179a3ac00d297a1c2981d77390280d96fd8e2071a
SHA512 e6394678aad9d31b18bdfba86004fb3436ed79a5edbbda7126a24c7f10fba3a7121a12dbee0b8a5a47d427e39937a6550fd250d93a4aab7d1d843a55352e5bdd

memory/704-239-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/2444-248-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RQsYgkAc.bat

MD5 41e09343edc2cd77ab70bdb36db51673
SHA1 f32fb095e34cc46e1c24af4a3beea0cbab32094c
SHA256 9c6407461aeab2433352017436cba191efe57b5b16d337104f4f5e4101baa109
SHA512 9be36323301e4d104153b8770f260896c822b09795b581b8012e38172f27457e49a0f5f90986fbf4e3ee00990903be1f48d1e7f928b8d2a19f775c6542e74840

memory/2632-261-0x0000000000130000-0x0000000000163000-memory.dmp

memory/2264-270-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bsooUUsQ.bat

MD5 0f6904751e00f91fbb967b99fdea2048
SHA1 9c018838e50e693cc5ef4afad8dfc6793b488c11
SHA256 82e8480f834568463c4de22e0045376c82fab1bc48a60eee9346015c117876d3
SHA512 f7c7a46b06a2b1906de09aa085dfb1eb9334c7d7e17478e14a3447958b22022c120dd840c7885b6b3d158543d1189fbc6d1eb1ec9563d7a6ea60a04e68c3cf97

memory/984-283-0x0000000000410000-0x0000000000443000-memory.dmp

memory/1140-292-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lAcYIYkk.bat

MD5 d631640603c47519a5a64b9019a77372
SHA1 8360138d884187e71945da566fca7a0634bf8d00
SHA256 a0056831ca9ed8eece84502333dbc2699c1bc7e123baadd712590261a6802fb3
SHA512 d2a71fd9c9d6dbc98a2b84955896591d6436dedb3e2fe4373c0c74a09cc73d8025b6a3a9be63873fa1d27c1cdb66dc9c4adb4a3998d6ad8bd41a25164d706888

memory/1524-305-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/2708-314-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xksYYQMo.bat

MD5 025490476f20a3c04682e07ab71b814c
SHA1 1d3b876f0ee608a7d4e29115ae7db8800ca0cdf9
SHA256 95ca401a1d7982dbad1e82835241a4077d932dfde78242b6f525a983dd885edd
SHA512 b1fb06a27674eb907a3352ff4910ad8db63066a0c6516d2caa5fa2e9eeefb6f03edcaded93b5ef7ea57375e3cd9e80faec570bc3b7d970b6dba476dc87a1fcf6

memory/1792-337-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYMIAcAI.bat

MD5 df5ed38908a36a7855169c39197469c6
SHA1 4ff1988cb2074952ba5fbdda3c5cd37468c53c92
SHA256 2d40147bd91bdf05b9d534d19a7a8c928a1879409c61924f149f27f57862c53f
SHA512 67c178a56677e8b2252a30d5db683374498f6764e4ecee44bf60fbed230736c99ab4b6e750c8833d728a95cf6801e82e5015280e950b4fc4c579d75ac1bb9393

memory/2384-350-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2060-359-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aKgMAAgU.bat

MD5 5df869d8320cdf1ef48105a07b00168b
SHA1 1d0e3fc0a7c96c179bb491c6c7431b86687e4d76
SHA256 502ceaa83380ebf29e6b0819596efbcd8c4ca1cdaddfe0112eefb1a2b0a9f5d5
SHA512 82ddbc56b7ec7a70d8936578eb0b6cb8fe7dc7b97f4c39d7d0c3dd35a9eb5039ca4e9bdbf49710511f688c9f94765fdc5d17e44b56c3bbd4f5b3abbbe1f2d210

memory/2940-374-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1960-373-0x0000000000350000-0x0000000000383000-memory.dmp

memory/1960-372-0x0000000000350000-0x0000000000383000-memory.dmp

memory/2932-383-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ssEgEQQU.bat

MD5 aa75fcab76310c39bc7b9793838cade5
SHA1 4db04eea43413977b0e73a4dd64143938bea622a
SHA256 f78fe449f05424b630e3a4c19596652e99814ddf31f6ab34c16bae638402610e
SHA512 0f94fa85e696eeacf1f0168ab4a25e35e1507bd85100b943448c5aad2b0c732ae82eea3bc659ff479644cc345271c25e12ea44fe7d5fd2bee8b3f10015313795

memory/2940-404-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OKowQYYM.bat

MD5 a09ad67ecf22a0e065c2588025fe36d7
SHA1 7f86c0f866915478d53ae362d5b8d7a96b5227ac
SHA256 0575bb8d178cc5813923c2b7f94a096bec0f406d7222251fd97773b18c41b057
SHA512 f966e74ce62cacbbd39ba526333f7426adb07612ec6e958ce0c1130b6930130f30352de0f42bfa37950a3b7e9897c3347b971eab3a2c22ef851bb1575780436c

memory/2168-419-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/1624-428-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bwoMYswQ.bat

MD5 e90a4568728d111b41425dc52372e8e9
SHA1 0b6f02bb7f47796fc4c9b7fc9d6dc965c6df9453
SHA256 b8e832d559a8d91c74b978465bdda2bc15da473b0554f852b26e7f81294b3572
SHA512 8c95620bae9f12d16ad14b3c8ed25b0a47fccdd05a0deb105b570769f9c79d1b9fb4987f696388ed2da9aa313a728e922294b88f23e47ff00df2d9ecb51fe98f

memory/2576-441-0x00000000001F0000-0x0000000000223000-memory.dmp

memory/880-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2796-451-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vIEIEMUc.bat

MD5 1bd7953df91a63f3132da2070e930530
SHA1 32716280645e0626b604f682e8e33e30a92fba95
SHA256 946cdeffc596a0ef983e55ec9dbba59aae6c38fd6543c4dc4803738b4e163fa0
SHA512 8b6208c6a89f93694f61b1e618d82d570add07c45ab2b011786aa8f4f955f777e438460d23209b50b43e1d6d00227c7d74ab7d9dc2ab52a394118de3ab7e272f

memory/3020-464-0x0000000000400000-0x0000000000433000-memory.dmp

memory/880-473-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEIocEgE.bat

MD5 19be7c073fb97f835a00fbb23b694c82
SHA1 2b4e938be0c478383996b760eaa61111c7141afa
SHA256 182a91f48a1f1afb37bc000ed2f985f9036425f3c687693804c244cf35d9e9d6
SHA512 2d4034fbda4e1a09c6e4fb875c6ba645f7201d71c1c17891df816e235a709e75dd0a0b91a9755b7cfc07c01ae7d4519b67c601e0489340caf69ef14aa368c05a

memory/2196-486-0x0000000000400000-0x0000000000433000-memory.dmp

memory/828-485-0x0000000000340000-0x0000000000373000-memory.dmp

memory/828-484-0x0000000000340000-0x0000000000373000-memory.dmp

memory/3020-495-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pscsksgo.bat

MD5 d845d87a9a46e6d640fdc16e2820471a
SHA1 9af5816bb07c3cc47462d98385d09559f598aca7
SHA256 125244cc7c8468a3e95c21997ac9877d34d570daf9cdb62f99556dd83d9f6d2c
SHA512 49ac2cc27ab305ba40523937fdc6ebca14b4e321dba849d3845b1891ec353ddc4fe340d9902a6eb8c1c357e6367aab8694ff392d19c43dcfe68a1c006f0dbc04

memory/1704-507-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2196-516-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YAksUoQY.bat

MD5 db473610192729a7a626ebdcbb39f899
SHA1 2a7bcc26c6fd268518755fb67aeb9f2de1ceb1c7
SHA256 dcd37e08b29ca8005680ddec3a96b0d2a742d6d1753266f02cab28e0d245eac8
SHA512 ec930d4532d961fb935e1616ed6b6c7319dc005022d5b6fbd5ab579f48d08f2f7349e7eb0d33e6d6bb633fb0d8d8b17a0ee37dc60083b02054e555a3a6ba9389

memory/540-526-0x0000000000130000-0x0000000000163000-memory.dmp

memory/1772-535-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SKgQAIEA.bat

MD5 cdd6f8e2afae1de1ce5be0d3b60b524f
SHA1 8dfaf6475d85b198a885de50310feaf5d0ad2717
SHA256 ab39bed9570918930c7a77eeaff71d725cae89e7226bbca4a6326b8ee09a9397
SHA512 b0319104bb7d17baaba7c11ec543563ba6411923fb409f34892e051251da1917375ec0abbd96b895897f0888b978d40ed31b3ea529c48ab8275adbbefaa450a7

memory/2340-547-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1800-546-0x0000000000170000-0x00000000001A3000-memory.dmp

memory/1800-545-0x0000000000170000-0x00000000001A3000-memory.dmp

memory/1648-556-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KgEEQEAY.bat

MD5 d9218d3e5989121189ff10a0d220752a
SHA1 88377c3ce18018642469aacfca06ac3687f19cab
SHA256 e6cfe480500053b6d251e67ad07665e9d4a5dd6deb5f7b33856c27a242dc2b85
SHA512 933c36c52a18a83858e2280f605c7483e9948f258fda4457eb394465c20dff0469bf23c4b788e1af747f6ccf7b99370ff831a0631b4221949b97c96010fb694f

memory/2340-574-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ggIsUIYU.bat

MD5 d30b77ed07799d81e1e246234bc4675f
SHA1 cf95ac7e1f6afafebfa5bb3391d5430047dd8a57
SHA256 2502e657ca669fb36a855661551d52ca09ca63bb03bae2733c0cb83e257f5b6e
SHA512 69ce707d1be4896970068476bd206ed630f3e6e53fd89d9d1219e01ebe6f76272330abcdac9a834cc1e4eae83a72f2522c6cab689d737f0465c914045cb5c6d7

memory/1984-587-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/1984-586-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/2724-596-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZgYEYkAo.bat

MD5 c63a8c642a3df476d4cc1ee8f36c8885
SHA1 ced93781e1fc1ea1c17576198004274cb83de1f5
SHA256 2ecce8b9dfa66043b3144a962ca7fef3ced3ba80f1091c8cc8b9383095e4f626
SHA512 c289093c3818dda3aa3b33f507284743d5cbdb806a211f24a290ec76ce0679eaef9c320c78bbf9f0c0c8287d1a586828a2fa3fced8f89799254c30ff4d732aa4

memory/1616-608-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2996-607-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2004-606-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1448-617-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VaUkoIQk.bat

MD5 fa74889222425f2b7a4b1060cfac66c2
SHA1 5fc81dd6285d8a948a761ae7aa182c4b614d4e7b
SHA256 78e2ba09f20cd204461ecf46aec7cfd7f23f8b0ca9f6da026634a0a0d1dfc711
SHA512 fe634a9beee9d998949723169b64b253cbc20acbd8a94e67b9ffc13ef77a45d95425fd0b5d931c409810584ee51f105fc1023d749b27a8022c6195805493159f

memory/840-627-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2460-628-0x0000000000180000-0x00000000001B3000-memory.dmp

memory/1616-637-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ReMoAIEM.bat

MD5 48f66edee44a0d6dad87825cb6dd10b0
SHA1 7868aa78f85e5f755f00c04785c46559f557768b
SHA256 15901b07249b1aaabce1c00446126c568134a344c0789d084b43ed4235754e77
SHA512 0311f04f19ff89ee2e90469d9268e0081a8bf3d2f086e2c703fa5779439f9b7d19897fa206a76c696bcb21e5fc9e86dbb1df6d36e073cb4a5ff2e1a373a20a7a

memory/2912-647-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2484-649-0x0000000000120000-0x0000000000153000-memory.dmp

memory/2484-648-0x0000000000120000-0x0000000000153000-memory.dmp

memory/1584-658-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yAsI.exe

MD5 fb33bd86f1c86d197593336793e4c1b9
SHA1 e99b0570b64f3223139ae8c72fb9ed0d012ecb62
SHA256 83541f2686f7d5061f3ae75096066e276e9decaccf938d8bdd1c5e47babbc42b
SHA512 1d4567a0ea3c50016d1fea3d38a2d917e40e1023d9115e907ac09df8348756fb70d8803cb6f2a119df67ed77d71e9091448f577965d5b0d554aa47c5997166c0

C:\Users\Admin\AppData\Local\Temp\tMAMoQog.bat

MD5 b79f1658531b244dbe9ff42ab81730dc
SHA1 5d3b26dcd09b720c35800e0b9f7a635bdf5e7e17
SHA256 6a681e11beee1ed91b0edda057019d2c7d5dcc3fb33123567c635b03b332e2a1
SHA512 2f454f10463ba165522b57acceda79ba32d30398f7cf41183404b5a1fad3149b5456217c74b5f691865810f7f9252082c668804914cc9f3be0b88a31dffd2188

memory/2804-685-0x0000000000580000-0x00000000005B3000-memory.dmp

memory/800-686-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2104-694-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iuAIIEwg.bat

MD5 bfeefee80c5c20d2b6f6da6a19084a6a
SHA1 1048522638cdcd37a2e75387c92e3ab65cf5cc2e
SHA256 0bd33cc8b79a977b7d722907324dbf4d7610dd9a366b26d6d8b9b4c3ee94fb8c
SHA512 958e527fa060e2f0dad4687bc05b50c95271e795e8e91baa182a4ca10f1a76332769f976ae03a04b5a04dd8c4f2302c3ed5518899f65f4da929159dbb76596ca

memory/2988-704-0x0000000000160000-0x0000000000193000-memory.dmp

memory/800-713-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ciYwQkcw.bat

MD5 bdd8e67c2817b06366894602e660a5b6
SHA1 8a9240a2f87de39e5f03f43332596c8848a0803e
SHA256 274f74ff3f2c936030a4807fd3d7e59224c4a637b9bb586bc584c8e2e9328a20
SHA512 419971aab055380d014599b8d4730904ff16e55c657d726855ef9d9400c972df8b4609232b0ddc25600ea3d890d04b7b8686760410e1b6201e37880395d80630

memory/556-723-0x0000000000410000-0x0000000000443000-memory.dmp

memory/1700-732-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AioIgoso.bat

MD5 9cc4a296d2433f9a714fd416c33ba799
SHA1 64d182937b25abfe40a63224bac656fcc97e8c90
SHA256 79ac0d0194a4a1796d6efb75684ca4aba095d7631aba1ebcc0a18cc39aa692d6
SHA512 5ec1500aa947bd8d1b975503b9baae6121f037408e0d5913e8c7b4aceb6f423d1f651cfc82dc7e8ee7ff368aed0b99ea6cc338aae311fb793c6f4b5b3dbfb2b0

memory/2480-752-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UsIsYYco.bat

MD5 91709999b672ebd76346139d13a48338
SHA1 2d142db193e894d9ba90f224b7a23060a232555b
SHA256 282f83740888073965872138a85fcdab44202901f37757cc39a270c92cf0db36
SHA512 982c72daf2d5f094fe6e49e7a5e756b3f1a8e6b32f89b496d0601f2d1f167937e63286c1968ce9ce1bc81b6c19dbb57aa24076278e2a343ee33bcb0fc50b1da0

memory/2488-770-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\teoYcgYA.bat

MD5 5c31223c21fd2b730c8b5465381b3e41
SHA1 a2b9f2449359f862c852b433f7b49d6b29b5e068
SHA256 42c60631c1d55c7e67881b5d859527d3e13fce0cde28b026018e2b6981a77fad
SHA512 05d126b5df9fbfc18024283baa7e6e5e6db9931b3a41cf4985fb9f3ad115acc8c1a6fccc0e3b4b545570b166d82d907b790b564468a49fc18a2388e6103d17a0

memory/2656-780-0x00000000005A0000-0x00000000005D3000-memory.dmp

memory/2656-781-0x00000000005A0000-0x00000000005D3000-memory.dmp

memory/2132-790-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NAkAYcEw.bat

MD5 127b289dc41ec15f8ae8e2ecd17e57ab
SHA1 b36e92020479b3253efd8f5113108830ad390838
SHA256 6a5f2c5a3cb7446a8bf10667d6cfac03bde4eac72deb639416d602fc40938e42
SHA512 710bb27f0b0bfa6bc5992499a8eb496d6793611673619366000fc67bc3f62fe83a96770630eec67c8e1181bbe29477fb1279cbd110dade2a65e1f259574f889d

memory/2232-808-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hEsEIowQ.bat

MD5 102d49fd2114437bed460d26ab5f837d
SHA1 d9ad50b0af0136e44755fe70b30419e170b18430
SHA256 4cd829912793f8dfe31d0cd079269c0204fd48815d11ba721aba2bb835f12a87
SHA512 9e9a6bb31b48a082ee386cd8c945244a05b2e2f94123f281e91f199aefbbb0d9d6dbf357b84a31b0963ad97f013c22d38775083f326d8020f2a6807bc12f4acd

memory/1744-820-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2416-829-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NekEUkAY.bat

MD5 4d02a3b2efc4aac3bbb531178a95d441
SHA1 6eb5aff391cebcd0eb4310b6c00ed1666e3da623
SHA256 8298636ebaf5ca6e9d0e08777d90998d03b38df9611c485e5fcfb15d727399c2
SHA512 2813a1c3e0f910fbb04ba8a1b388f5f3d44ce19c50c0181b296e1929a25134d223458fe98e07d5fd038e29d86fd2694f6704c5c526fe2db04d13fa604e5aab21

memory/800-847-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eIQcMIcM.bat

MD5 ad9140b84653927a24db3b62897a0871
SHA1 96b77d4fd52f49e94c102215bcf2dff5ba48011f
SHA256 098224d8c5be60e2a19f11d9fba36c61bcae34168eb3272e4e1a45c8cbd7300a
SHA512 4e7897f789971834d56e7b41ef106ed1687551e6633e1b8bd006799dd9e38d5a4603b563a080fa4f40f57797902e5b0a2b589bfbaaa2a1a750d128a15a68bfab

memory/2252-858-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2252-857-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2400-867-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asUkAQUg.bat

MD5 a05a4d93718cdf992828f8382d997166
SHA1 baf867560e80780f37b11a986dae47de6a7d3918
SHA256 031b83f2e42748e522bf7ef02dc86678c9efff6bc7afaa81aa00aed8f7c026f3
SHA512 f948b358e53aae54259f25623dc93d2f041b00dfec0840016bd3b1f4e0555277e41d05c186df6e8591eb21f6a37cdd2d45c648129b7e68d81b1277940956bb7d

C:\Users\Admin\AppData\Local\Temp\UuEowcUg.bat

MD5 b57df84bc140885454961b0a45872697
SHA1 ee972461fdf7afb892f503efebd6cbee6fc10eef
SHA256 663172ba2278fd576dbbed1e320d263a2ec5dab676748d6f9d6f86a951951c6c
SHA512 c63bd41a17c7deaefb7161d76ef5b78f64d4787ea5a05491c414842a3396653592c9204f459e7ed36313b54549782d1f87ec05ce1db5710f39c6c978b9f10880

C:\Users\Admin\AppData\Local\Temp\WkMMsIUo.bat

MD5 c618d7a887eb43d28f8cd2d20fd4bdf6
SHA1 a9c42f2722db8bccbe96e1a9008ac888588e1439
SHA256 150368c2d0449329e351c0b7bb98d3590c7c05b7250d6aae0319a9e2dc4ba7c2
SHA512 9d79bbe80f7f71d8b6f042cfc7d08391a55ed8f7b821ffe06662faf922f4810864b946d3b51be1d561beaedbe8e87e9f1e79c4cf2774cadaf63c096db147541e

C:\Users\Admin\AppData\Local\Temp\hakoogcs.bat

MD5 8a594b73a458f33a6b8772e5de4c480d
SHA1 f1e041bcfa0dd1845c8cb4d9d11bfac3221c705a
SHA256 f9a2256162a97e61c9912c92dc3379c8efae0311fdcff3689a14b73c3a7250e1
SHA512 36e830f27d5d2c7490b15a0ccc8992232ccdc8b5c34533de51685b6ff2cc51009f8b1f9183f42fb1cea9d0bff94cc9bc2f31d6369371975ff093e8cde297b392

C:\Users\Admin\AppData\Local\Temp\hkUYkQUw.bat

MD5 c85bb64bf55d8606fdfc3829f5241115
SHA1 d77d3d44b21c9017e4bec784df3f4a9989caeac4
SHA256 486b4ab0a05340ac09cacd37d4a8a13fe176c9716758f0d81b9d6157c36a5815
SHA512 2b472ff0f94f93f24632ed746195fb0da7dcdcf36072acd706d6542ae29fee507df0e4d72acefe71a848e4347f9edfb187cfa0d0c84df68b1c0cc0e48d1b4889

C:\Users\Admin\AppData\Local\Temp\jOYgIIgc.bat

MD5 348fd3d97c3ce553267c54dbbbfe69e8
SHA1 f42095c9e7692eb19e52a87a8d542c7d87a8fb0a
SHA256 218fc24a303b789805277fcdfa427d4e79c7f9eb6cb9e806fc28f50cdaf00a26
SHA512 f05f5eb569bbf0609fcab1a7bbd40b45ab5db1e55141223910111bcc64b9543e3f9322703df65a045b8dd83dcd0df44afe039e9ef1e3bf1a2b28d13a63a157a3

C:\Users\Admin\AppData\Local\Temp\takEEUgg.bat

MD5 11b637198be46386cac57429c59be9b1
SHA1 2ef939c9432ca4b5b6df5c4ba3f1749a8d814b1f
SHA256 3ff3057cfd4ed0966b5e67e346d045e3860e3322774de7b94fd6fff855d472c8
SHA512 7e9af43e9e1ff07c6672366723a7cdf715e01ae77100fccf86ae9e54d611f3530d16bf9bb462b8e8f1d916924fb0f4ab33b070b71f65346d4c4e4adaeb3b2dac

C:\Users\Admin\AppData\Local\Temp\VAIcIIAY.bat

MD5 e8b41a50b5935824390276f73f8d64d8
SHA1 fa75207fbb3913b12cdc81588f9e81fc18dbbbe8
SHA256 4513533cd686834cfc09c28da09cc3d0788da9a5931c014f8f9eab6f8a5d1a38
SHA512 b644fcddcc111ab283092190baf9cf43263b427a7fd8407fea326f30d9d855042f0696bbd46dc0165f28143415844c8d790e55f5c6c569c9ff4b95cd147be674

C:\Users\Admin\AppData\Local\Temp\qmQcYUgE.bat

MD5 fb93f591a4cf023c60066437d94065cf
SHA1 b7d82e2cf06ef10d675a2c3d5824702689374b6b
SHA256 f25495ef50437b0141d58033cff9f2964919fb15586c52dc4f310d1f8fb16119
SHA512 81fe6994b7e6bf4d8c799ca3ff5649ba7bbb90959e0c29a1562c6261e62c5d5d92e91ca877ff59e91bca03e4a689e81b175c0482def9806496c4241383e29db8

C:\Users\Admin\AppData\Local\Temp\kYkYwEYM.bat

MD5 5d51ea3e5fea24d780fa7e3d6021b35a
SHA1 a21f35563c8b6c7f5034b0efe4cb7d594c5a1653
SHA256 8d6561ed82e328834dfed2fcb4f96ce472c5755380e06ac32da851d090e9825c
SHA512 38aa43091002704f3aaff73f0b6bc09daab6e15ab28ac644639fb4cebebd949b33ef1396b151a7352f9db2eb9419ab42f4e1d11595a850942848274b4a8294b2

C:\Users\Admin\AppData\Local\Temp\mogMwEEY.bat

MD5 6c0b6f9327de9e71379ceb025f9262ba
SHA1 b79a4d6405855572c703f674dffc6052bddedbb3
SHA256 dd877b2062a7a6a4456694533f8718ccfc929af6cfffb97cb6f1f4f7f594edf8
SHA512 2b2caeb0985c28e80f1e97426a93ffdfbcda74cae07ab39720db35a2478a35fb38d116685e74f1f2217499ea74f47264c5fb7e52b4ea3f928e29f88f4de06f5b

C:\Users\Admin\AppData\Local\Temp\QEki.exe

MD5 42d3716ee2f8ef7f042862281fa922d2
SHA1 11fe04c4c19bd7ccbf57b43bdda4d186c7c8d1d5
SHA256 ffe17e140f8dd063297737199170b1bfa62a8505ea28b1bd17f6f460d70dc113
SHA512 5f0780c5dc81040c3a8a3aabb871d94beb92700994a87b9438e188c231973726bc9491d38fe2bd28ec726bfae7cdd347c19d7d995039609650f87621738ac257

C:\Users\Admin\AppData\Local\Temp\kEsW.exe

MD5 c95a1ea8597fc463f83bd7449dc5bc21
SHA1 15b88c29f0ce63570322bf878fb473d0545b3312
SHA256 73b9a23671af492ab982eeea95c99936d3431157ea7ee432ac568ec72566cf4d
SHA512 6b9b65cd2bdb11cd737d32b047ed768f8b68464c232f95b576c0b423c95841bf197f566fe2a40ef4b22798358ebf710a400781a65aceea62de64f30caf4a3f48

C:\Users\Admin\AppData\Local\Temp\gIUe.exe

MD5 822221dc5365d53fd744352c6c132e96
SHA1 d3a3bb23e10f2102f8ec549bba0718a9243662b5
SHA256 da3cd5cc633cb69d1d8c1040182410149f3ad6db52e3323bf6c82c3175a69da4
SHA512 0308c2f1a7889ae4d6caff024bbee40b5eb93b9dba3880d634fb2d1a68cdb8e687c22f8aebe7d2aa3f65cd52e59c0532933df614211999fca16114113ac2ecf9

C:\Users\Admin\AppData\Local\Temp\UAwy.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\SgMC.exe

MD5 4227ca72087d65565b4438f34697f9c9
SHA1 88900280e91e797771591725aaaddbe76b99abb4
SHA256 bb442f9a9747742473fe131119b67d944a8fc370b61db22be931ef05cc8aee2a
SHA512 f18ae511db065bc0407fad31bb9df575fb6488c45305cf17c3bd10c3f99a4e79bb07222013d2f4a2c936ddc597a7b02ca9cbe86350c14055ca4a9c563681f0f1

C:\Users\Admin\AppData\Local\Temp\wccq.exe

MD5 59c4713e2ecc84e9d5d459234af1a4b2
SHA1 8e72645a0c8852e264eb58f0d366cb890f537101
SHA256 e15580f8a46da8ebece604bb80826244986de04eb30adf6db4b543553ba2d55b
SHA512 efaf4bbffa5935ab9197b81005e6d92ba8bd778de64c880c9f5f7f3726d11aedbdc350fcc83bb58699c4d2bae0979bafd466cf3d1929c1e70b74d5593fa65881

C:\Users\Admin\AppData\Local\Temp\mAswQQMw.bat

MD5 d84dbce9d0a07175540ccd2b04e6815a
SHA1 2883f567c8881be7b93418cf145f1ee6ce26fcbb
SHA256 92209801ec4b7b7534c4410108028c759ff66b018b7b32a4019b354972782506
SHA512 20ba4026e499fffd2567290fed5c31065dcad6bc36feb1d7d90a54a93d89724bdad8b078d4bdbd1f247295f51b0854a5fb429ccdb305df02c25b939749be1857

C:\Users\Admin\AppData\Local\Temp\aEgm.exe

MD5 492de864807ecdbcc4ab5047112fc3e2
SHA1 c70317909672394d030d0a3335b9c6cd6d99cdd0
SHA256 b45a2b39fd0ab66414e49e0ee9c909a4d1208f90c00c0423e2aa8ed46c85ceac
SHA512 06deeef0e5f6f34fd97fef60c5f3474d9c4e2c84d2118a872268b10ced9c3d6337c182f732fb3c39d3d01ec9657e433da1abc540d01286695bd870fa2ea2f732

C:\Users\Admin\AppData\Local\Temp\cUAK.exe

MD5 44d6480de0346b387f9bede24fdffbb1
SHA1 ceb86cb9dc41cebb09f3f9810395831959a6376d
SHA256 475165855d9eb062a8f0836737ffac0a303ef786e827ce64f278a6521a883000
SHA512 68d7e0db396f77dad96c91c3c2461da576e7db2146a090c05859330191d24a30972ad1d9f87db262b7f9bc59bb056574120c101f15916a5a5f73e5fab8cc3efd

C:\Users\Admin\AppData\Local\Temp\oUAG.exe

MD5 293bb66d93eb8fb3b1bf70efc6a22e7b
SHA1 55b01774d13e21ad5c64bc11d3338579108480ca
SHA256 f4e98355c85877d2f01c73b9ed3e17e49331047b296be2614bb62ecba065265f
SHA512 e07e083dca78e6ed8dfbe4ce2ba1b3abead62e4c8b5e7d53cde87c0cf02ea6c7b5cc0078c50e2ca75faad91c267322c1776eeaf7fb87185254d8b49a6fc4b233

C:\Users\Admin\AppData\Local\Temp\LqQowQgw.bat

MD5 ed75ded444b1b8890ebe0cec29df8331
SHA1 58d449f736d6fe415372dd087947ff5815630237
SHA256 76a59cc5bcd224ddf0ddb31b77e52489679c91edab7340f390a8a77c83861c20
SHA512 8340c3cd5e5b1553ba1b4f2ac9539ae6fe18a31b8231d3fa1fb717e0371e6f794d8a5affd21a4c95b06a3b816612e02e10faa7bddb6e368d590c06be8f0d3aa5

C:\Users\Admin\AppData\Local\Temp\yEMi.exe

MD5 b0a279538387add9c1cefe3d03d5da88
SHA1 f1b2f41f9896b02cbc3c9366e6a5c50bf4947d17
SHA256 3cffa6ee446241fd111765169b6be35d77f74ae03fec0757ff3bcf5e699365cd
SHA512 139c5eb78fd32ae87094901bea4feb02f784e174715b0c98c3ab4ec51baf097e1cf0c9e604dec5697a217217a0cfd3bdd67aba05210282a641d9339eb864adc7

C:\Users\Admin\AppData\Local\Temp\yYkE.exe

MD5 1a879446eeb06007b8d4b041d2aac9ff
SHA1 f5b8660e35c9af81bef8796d17dd6c05fb90990f
SHA256 0c1233e2ae5916de6ae0ca26fbe4931c3587c4bd47117e797927f9c5b7b3acec
SHA512 0d8fdef2f20a8c30f0e996fcf12f7cca1f2c0d08df95f54127d9fc99def25cc13a838789bda25c906666a9a920261263809bb2b39fdc0734f15c329c2bf7727e

C:\Users\Admin\AppData\Local\Temp\QIMU.exe

MD5 479ea6ce5fbd1097192a0e5626510277
SHA1 4d8b7bdcca0b47cc80c208c646ae4ffea148b511
SHA256 4e35005c10fac6832093a8f76491ad6175d12e37b451dcb8985dd5fe927ab97f
SHA512 259379124ed19ea7c9cd0764e4386d865e51b57157b39ff261e84b4f2da5677296559ac5d4210a0a9bed578f9c8cf15a87aa44894c94c4d0300defaa7e8c2a28

C:\Users\Admin\AppData\Local\Temp\CgAq.exe

MD5 516f1cbaf20e6c7810a62b61dcee6d44
SHA1 e05f3e268fdea142f2ade7b0a2eaa18208c50378
SHA256 2391c1f7664c6f6cc8b4c7adeb13e34f3c80594cb8149eec24149c53ac45527d
SHA512 264e26289da28b7ff60a7ed986f68e4ccacd8b614ae6174ffc39de1851211a6bf3b3d8427671721bc3efda9f6192be599ba6a6c30a5d9d6b106ba7b0b9640f8c

C:\Users\Admin\AppData\Local\Temp\ScgG.exe

MD5 2ff5d60c0c0cea5bc63a294a40649980
SHA1 dd3dbb78a2ab531f5428c2478db00f5f727964f3
SHA256 890195029c81c55e4d70b9d96ca65b91766ac4ef0a04bcd7f12bc0ccb5678e94
SHA512 7a69e5066dcc80087faf8d5268df0ffa84fb878a147964cf4ddc6e8f257dbc70880a2b3990cd1336b8b6718ca8998d3e8be71b4f9cc3f10f9287c5e2d1f66564

C:\Users\Admin\AppData\Local\Temp\iUMu.exe

MD5 10317d1166d7e94cbde087c86118a8df
SHA1 3c45434e74cb92b6128c462dc46d2715abccfdd6
SHA256 17b9d7f2200c51f965ebde1f2ec43f0e9ca9a3bf827552376888172db4460dc4
SHA512 a28f14012ad61f448a8541b7085926b25c25c32dbb4a2bdf5f61eebb61cd661485851b7dd0b9926c2c6c380883ad8b9dd6f0696eec1fbc3b45caa764c8db8671

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 81c07d32ac359e53f0df26ad1eda2890
SHA1 75e3ad345baa20532e379fbab49ad1c8a7792847
SHA256 1fe706af68e835c303dfb04d7857ed039704b9fdcbefb3b4aa04f8b309b0d966
SHA512 0c6662c94ba24e40d24883e13dd1d4d91115ac91069ef9215b7490a72d2dc7448e1f44d2d7ab2bc31b4494a83d834b010ad957123288e3c30d6088ccb8680eac

C:\Users\Admin\AppData\Local\Temp\piscwIMU.bat

MD5 cd9364d4011eafbcb4093dce9d918309
SHA1 5f33a09543ac04ce22ba7fb7c79e191456cfd770
SHA256 7c5ddea5d89f871c742014f9b0a4ed3a3ed207779efc5191816ef8a896655065
SHA512 bb4f5c1c4cf15bb2f13cbcfdce073cb3a3a3343f932e6525282428bef2811f21093b88c902f67650298e22051a910257b616675eca10df789058b6ed694ddc6b

C:\Users\Admin\AppData\Local\Temp\iwAE.exe

MD5 49551380670d11f7690e139c9df6e732
SHA1 f88f603146b3dd1a111616ed0e28af6629577d7f
SHA256 d6642910a2f694864676af3f6656ff470c90edc4e6d87bf5841d67b3b2512e2f
SHA512 3c2a88cc1658cdc093873a2d84ff6652606f811562755b5cde484c61236f52223f21c61b29b272ff126a66d336cc249d0b26e95a0d2e4955684cfd9ee7878a1c

C:\Users\Admin\AppData\Local\Temp\QEQk.exe

MD5 e9bc9b7403e2d971b2c90732ad0add9c
SHA1 a65ed16aef10492db1ae96c083b4924236adfa9a
SHA256 16ba1cd2c27bfff83312acebaf551c81da8ad227e71c5534ec40b12fc495a133
SHA512 b784c0e84c4d9982d0450adc768ededc1429b0467de9228f03f2b50cd5c422934f536455826c9699a361def8c4d9a5b24c229ce01e89a149c4c475b89dfa265e

C:\Users\Admin\AppData\Local\Temp\Awss.exe

MD5 6e2bc19a853644c27f333c066990016e
SHA1 8103c5989346ec7f7a0c6b0873fc5862a0d9aa68
SHA256 31502e50212d226c7f6771994e1d5bc4341fc1209a39e07ed732207b7b4a5a9b
SHA512 c1efead9d2291bfc517728016101615a4764611139fc651834892240caaf5cc9a9f6a53f90da0d026bd4893ece10853550581ad439b247119f4759bd9a04326d

C:\Users\Admin\AppData\Local\Temp\dwwkwUkY.bat

MD5 2d75fda6bbaefe26b6d30a490b9210f8
SHA1 aeb443b739bccf4ef31968cd8db857866f3b31f9
SHA256 0680374d275ab9f5b2e2077dc1693e15118824a8d24287749dfada7eb9a823c0
SHA512 82172c79dc7ef689042f426b514a17e4ea36638f8dd6a3bd08ea22cc1cdc207699b077b3ce861b918f788c2a42ba6a6303aae2382dc15da6069c617811675236

C:\Users\Admin\AppData\Local\Temp\IgsA.exe

MD5 b33c63ee8ea8952db43ebf5e64915fd9
SHA1 86e785a87718fe7a68a81918d202b0fffb762f23
SHA256 f50b3a8157fefac45342100acba13c296df63342e7627b54014129dd56e4c334
SHA512 d602bff60c8eb495e5cf0e193d42cd8a91acbd84f72d8da3dd9cf88ce819ecdf4ae04f91ac058bf787d3745388945cd84548138eba98dc1799d6aba5956fe315

C:\Users\Admin\AppData\Local\Temp\Sowy.exe

MD5 213050378129ba2fcbda840eddb53ef6
SHA1 9c53fa11dbc8e00de45b036f9a3a0d0f9c8b6545
SHA256 5cc3f51b152c7a9427d61cb368eafe40bd19985dfb2a8f3a9a2fdd8dbf1b21b7
SHA512 a80b2f877649d400409142d199b8ef8f33fe3d105e84fc1ac381f38fe1f3d89f32392bb30c97645c6bd42d59b6f7f4439a5b2314900c1646689c23e8998bf790

C:\Users\Admin\AppData\Local\Temp\qcYw.exe

MD5 307ec93c11e378b1679badbcbe58ed2a
SHA1 de689982ebc015de0a8d354cd64dc47f479fe9ed
SHA256 d47f8c9d072200e00c3f30c6c1649afcdbee8049fbdf2a4584b058b2f7403fcd
SHA512 13f4077a26ee371f2254bc74f5cb717d2bd17acb7a1e5421f92c5ab6460f3cf7539d64f55ed39fa9fda60d8f593842187cafd2b676101365109433a9bde1aa40

C:\Users\Admin\AppData\Local\Temp\WUwe.exe

MD5 fca873f27a32ba69e36989178d222285
SHA1 6c7d88832e306ecd8170ec57d9dc42d5c2a29969
SHA256 83ee01e75944c92933f5a1d294bb4d11a5e645e0a2e9ebacb51f03ea165c6ff3
SHA512 fb1954f58e5d949b19706c634b2a723176f2d0d5e4196a5e1a98d2b026647e4ec47079599ea8de28ba5ff3bb55db25753ca43fe2fe7572ec64317140d5b2208e

C:\Users\Admin\AppData\Local\Temp\nswEowoI.bat

MD5 9c47cd4f936ea9c72f7015af6fd9e74f
SHA1 4aecf91b7f72b45b4b5223aaca40f42b945387ef
SHA256 bb72bac431f8c3f1cf74a5040304f95ba83c953dc80b5984e6a6c398c885c20f
SHA512 75ab4ddf53702d5034a3f2c00b3adb60614aa67a0867e101f42def73374d6bfde51339b3f975a093b48b2927792afcb32305f634b0170028a7c2d7bce68460a8

C:\Users\Admin\AppData\Local\Temp\qkYU.exe

MD5 0eba74155115cfedc5540109c208e24d
SHA1 5162536c86fb718aa9a19193fcaf5ae4260d9c50
SHA256 75b88d5a553a35c37d7aa15a7e6ea28a330a79e50de30690beb814483fb467b2
SHA512 c556131fe202b3d0ded380e0189a7c52fe2526d5f1fcb687dca4380b34ff0961353d642b0057f8d526bc53837691fb1abef9736494d308c4ef5fed3b70a40540

C:\Users\Admin\AppData\Local\Temp\ecMs.exe

MD5 a091996040f9770c53e6c7f93e6e8ba0
SHA1 2956f26ec170df557830344b222eb476bf5df743
SHA256 de10c5aee76c7e3acd5e72f8c7b454608af1e1e52e51025c25ce82e6b491df7c
SHA512 b972c9842485ac2359715f8643ceabda2771210883ca9ef5b20e6d7119314ad4c56332d7bcc39a61b10e602190a3c909314be6886abf4d40633f29014db0d68f

C:\Users\Admin\AppData\Local\Temp\ykgG.exe

MD5 40d18d784c863c6aec2b3f66d482124f
SHA1 9514847af317480a268fa02f896b86f699b7ed54
SHA256 4734bf0233bccc00224f93c7997a1a5eec627f945d9f7e828ffac3a8a8798c0e
SHA512 2123300d5134ad47a3043aa5ee3cd3b81388006fe785e0b8293ef8fcf931997cbe9f89fdc5f9bab9e503097c1b6973d4c923167ef292a1fca4149255ea7889c8

C:\Users\Admin\AppData\Local\Temp\soII.exe

MD5 4c77b83a246362706b0040668d18e103
SHA1 6eafe18a9956de80a2a3bb7d8d76ab8d3bf1f366
SHA256 01604aebe49c2fb41b608ef283efb2ee9fb56f5f49b7562224b0b7fcf608c50e
SHA512 c0c53d823ba333fbea2f00d36022cca817eb136d1b5d098453cc36a09c1b814ea231d253ff2215cb021007d027683835bd9879d4645f8023a125978674882e17

C:\Users\Admin\AppData\Local\Temp\eqIEQssk.bat

MD5 dda2dd9941ce50d1c553b87bb4e676d2
SHA1 0431dd01f05737b6a5df51ca90beb73a0425d398
SHA256 4a9e6ca3d1b050a94e1b31020958115a2ed53ad89e1e402ec99934d1e345f7e6
SHA512 0c621bd214be399f01969241696324e82b1e69360e5b6529da96938ae1c514452570e755b644ff5f6f247e3c555f35258a20ca37d417a431dae8b8d1bd1a3d40

C:\Users\Admin\AppData\Local\Temp\eMgw.exe

MD5 ffc976710bb13925bd0f66ac05888ec9
SHA1 1700eff16e89caf70bb1ff8ef0ae841d6bdae8b5
SHA256 b2fb95d07fb4fbf71243a0dd5533e2c56c27a3e167cbf83158f636354dfff8c0
SHA512 021b30c722e201cd07b648aa76c99733356f05bc773ac1376512449adfaadfc925523c453d1cef2fdaf2a6db63f4aa1d8aac557f9056ea8c8e1572f6fd8277c8

C:\Users\Admin\AppData\Local\Temp\WkMG.exe

MD5 01152e464cddf1586577c989fef9ce63
SHA1 3f7248ca64dc44df3df18273a87df1f252339afc
SHA256 eac0f305b0792a3cec4cf45ac5d5514fc40e47f7fdfaf69c7881dc36fafd3793
SHA512 86d6b5d0353d49dd937a4361965e7f0b358d2950cb199521a20cf42c3e8c10c77a103b41ccb0a1fda3414536a1a2fbd7088980474924cdfc5b485d09336acb7a

C:\Users\Admin\AppData\Local\Temp\QAMY.exe

MD5 285c2828269dfb934f545982989327ee
SHA1 fd40f2d66674c65255f3f3e3608746bb6b511075
SHA256 3b21aeba50d40e8f79feee0e55d7529caa2f69421838a8a727a21600e8662ca8
SHA512 e2b690951fca8dc888943c442fac31b05bbd7554fdc713be825ed1eafabeb1181ab0492716492d069f360d875e6e43f6ff33bac419d9023f130f1893010c8613

C:\Users\Admin\AppData\Local\Temp\oUwE.exe

MD5 8252a4b8e5693e620c63196a38146a08
SHA1 359dce7cd05b8f0373e82377d1f41147c2d996c2
SHA256 5204fad8349aab2a396a928068d3d06fa03254ac68f42356ff51b25e8776b3aa
SHA512 b949061f74e75a095447d1eeda5272dc42c72c5009d627905ccad1be2797be8ae26f1360ad8b6da9998f3f945dc00dffb3d05921842046618cedc9722b0a6866

C:\Users\Admin\AppData\Local\Temp\gIcM.exe

MD5 6aa24ee3f764433c2ee763e6a3691120
SHA1 f0d6b7592b51e811abd23e8ef4ff0ecf10246e8a
SHA256 beacc95c57387c5f838181a0e6c97caac8b7f98dd12136708b7c4cdaa525f5f1
SHA512 913aef0c43c03c3eb254f00524a818f78fa4733ff61fabe2a63a44be23d1676af875354e61405f6f09b387d1f956cdb4129257544b7ed0d94232c572879740b8

C:\Users\Admin\AppData\Local\Temp\sgsM.exe

MD5 adac4f8103e6e6c499e67601265c59b3
SHA1 ec485b13bb1db50b7663725143420d9547650e0d
SHA256 9fe39ecccfda48b08c2aceab4b37bb95261d86dac41bd3d51f6bac83375da169
SHA512 1fc36f07adc89c4af25c4f13a4b50d59c7ec9d77974a6c76e4b7dea3af4e1faa1856dc2689dd78b2c90f9f617cf4a510e82a305c261b5aae69f6da833b696111

C:\Users\Admin\AppData\Local\Temp\QYQQMEwE.bat

MD5 b8eff2d34b2a92f3c015197285971d5c
SHA1 a682d1a8f358f8ff3767207b929448c11e8c10f6
SHA256 ea72b2d76ae5bfe18c6399697f168eb49a573069173cfae3a0f713f183f8a98e
SHA512 cfc98f72ca48f27c6c0fe615e841232cf9e819685a8c350bd21574892db5108417390a530e2444fcb63fcb74b9d97e34364faab86341dad83baa3d2c0506afbb

C:\Users\Admin\AppData\Local\Temp\eYsk.exe

MD5 3ed9bb00a2ff113f0e2211d682a7e70a
SHA1 247961fec39c7a09636be163f974c113c0e0981d
SHA256 cca0cfee4e797c26f25570fba225013be75fad489a911fe472175064c6705d10
SHA512 62424c9c38f39ccf45aef5f043cc844c3a8b55a1ac4187a654edc465447d8dd19fe81ad5ab6695d756218c6656af1d37c16275d1c3c3e17e507a80ed426a1b9d

C:\Users\Admin\AppData\Local\Temp\KAUA.exe

MD5 b6c1dfb80e0d1b8fe271eff52cde1630
SHA1 c587cb8a74db48b2fc3421b6fa1e8f3799d05724
SHA256 3f3c3225111f202c8f2fb265a7c1a26baca7a475e9ff530b5dca89e9416e6061
SHA512 734f030fa5d7b4ece64fc12b5e50f2368f9bad1c630563f2b8165cea13fb4a2a9fff4810a0cf88cb900dbd6b732ecbc71e12800794963152fa51c438e9aebc25

C:\Users\Admin\AppData\Local\Temp\SoII.exe

MD5 51442043dc2df176209216aa448d03fb
SHA1 8f660636de04809522547928793f18ba0a54049b
SHA256 1a01c1d8b1d5c9d47672523e0ad92b7b3bef1bfceefa0ebf8760115d2718b814
SHA512 15945108ed716dc858d46f53c4f8c0cc75a7718194d8978d1cc56dfb9251d48c7507c7c27dce7e6855ad6477cf80d5b71f400f73079ab289b6df6cee22868223

C:\Users\Admin\AppData\Local\Temp\AkkA.exe

MD5 57acbffc40655f98e412228c069dd7fa
SHA1 43dddcc5480e245800d92901eb3cc51b5dea1c88
SHA256 1aca1ae4fd163e5d179ee13b0197911230661f2e294c9aca57791375e6bbbcd5
SHA512 a967e73d3a7213ba241079c558fa5e54e02a80acaa5797d78c3ce865c3ce03e568ee9dfd679fa0ffa62aa4ab59d72f05597dcfa5c175b7bd659a0068a9983e92

C:\Users\Admin\AppData\Local\Temp\kqosooAc.bat

MD5 4cb29cff082dd44da3f9299de5ee0fda
SHA1 44741dc3481bf7e54649a703234cdd06441451f5
SHA256 0f4447277a837d87a9050e2da98a26fffae4f96104fcaec063bc566a83f4e07a
SHA512 8d35b0efd53a6f2385b41948ac716360bdff27a28528f08aa9b38df20bb438bb2bbaa5080f5f45ef1289fe34470f62c80c07f2c4595430b087c3123b3e6e184f

C:\Users\Admin\AppData\Local\Temp\wAsW.exe

MD5 441133402ffb3bb95b3c8e9a5ef8d69c
SHA1 229957cf425be1d63982929efaad0c3b8d6a60d8
SHA256 01b86911955977157bd1270556abe1f3f2ac9cb1cbddc0a8f8256a2e2589157f
SHA512 5d11195971a130a7208c9b1537f3c603c039dc8ca3e5819452dccc5f6c18c55f2070e8401e877af88a42aec2d0c0fe7ba534e70c50423fdaf742ae3e105caf85

C:\Users\Admin\AppData\Local\Temp\UQUI.exe

MD5 d70e1d90c3f04f36e7de1bcf7b3ef83c
SHA1 3a85454c82da078c1310f3eedf85e6979c77a173
SHA256 8a9cc8be5b4aec7a784a64ea10cf61d75c26b48cbd5f599e096d531d3e05e111
SHA512 e5c99f4c83437008d5689a2939eb328de9883851a85a413a64ec0cc381a86ecd30626891da0b3f38b566584e9eed1feb05307f9244741292d1843e0028127cab

C:\Users\Admin\AppData\Local\Temp\qMEW.exe

MD5 897e69edfd374efef73b4e2ff1f1f97d
SHA1 2eb5ba5f952521012cde5fee700e05b5ba943153
SHA256 55420a509a06603cbc7df7c1d029b64b44f0b8ad187a63b23167a5d4d2d6e802
SHA512 fd46df35df583744cc26bd6c419e723c137326e7ada7640d955100427a2986a0b136ac912f85dc9a33202af34976e49da30b842e18eef8d4e28e9f0d1c2ed47d

C:\Users\Admin\AppData\Local\Temp\kMgm.exe

MD5 a957780f92a13f62b669d15bf84a9df8
SHA1 9df97ff76c1a91f7be82acc22411189f8160bc8c
SHA256 090e5c6504d537dcdc61c85162a19620a46b4030477e3abdf347a262d2787379
SHA512 8a3338116095693df26963c4d271c9e4791e091b9b6829ff8819a2d56b2270d26b56a6b46995f43154d528743d68e45ec064e81f37fa9aa08ce966e9f0a036cf

C:\Users\Admin\AppData\Local\Temp\qgYm.exe

MD5 28687ce4f1faffe48d3dc0049471bb10
SHA1 6319dede9675c5e2563d3673433ecdfa1e83695f
SHA256 3eed3ce22f56a0b9735c2e70614fe6bd601eb050fd28208190e7b82ab87b9d45
SHA512 3d23d772817c28c565101b471d010eb23c6fbbe82602259eb74a2bd2a51c2e219e86eaffa035fad27855617f606593214526a56c484383e469c52b726c5e8d8d

C:\Users\Admin\AppData\Local\Temp\GQgYgMIs.bat

MD5 b1c7a51e04c431db18e377b18af73b99
SHA1 e99ab3b8d0a38b9ea86cfc5eed5a8a3770fd2b56
SHA256 fb01ec50d4089f73b80524b4c86ee1a5170ba6011174c6fbebf03437edd95fc2
SHA512 684845c6ba386a5e18f45e5e579d90e3ccca90b2a50dc74c68c69aeb41a1c238f1a8b25aa37f72ef5766d05a36b3121dd27835ae7773c7a749291087a7982a17

C:\Users\Admin\AppData\Local\Temp\QwAk.exe

MD5 b32b8806830258c339c98bbde77965dc
SHA1 ecf6cbd3e6e9f9d3e39c5800ebd12d5c19b2d1e1
SHA256 f087c7349d9453a7c6300ffc75090281a0008f9340550387688880904055b42b
SHA512 7a836f9ca69fcfcd82833730383c7cc1c8e81041e3eb83b218a0f55cd6927c4a9213617f573dcc7077fb24fd2e7abb13c74400fc12043a23aa82165ededf3528

C:\Users\Admin\AppData\Local\Temp\wUYo.exe

MD5 25b7ff756621285b0f67aa6327e685da
SHA1 3abe9390c839417aa9737b96ac71147f7c885e3c
SHA256 261f932837414cf0d9a7ff99d8e3e28105042a25451ae708c6ee8da11bb2814a
SHA512 3e95fd287c411557825d5f3041e38968ac24a3847a51f8395347258b2d33433622f93a98214e379a06b7929ce90ea3887e248f19890eecd00126456fefea3dbc

C:\Users\Admin\AppData\Local\Temp\aIge.exe

MD5 2544a5db9827574f693fae670b15daee
SHA1 15a2153894cb6a59ffc5816d1e5c1c63d2db7807
SHA256 2ac29727ae73c4c1267369876003d9ad7ec97e953885dfc39af60f8c2ad80bd2
SHA512 c928f9282f546dd57c397f0667623ea1e1dfc4fe41c64868280f3b8630c749cf6ecc2881482ab692c1c81bd2136ee4bcdbff13d97db85748e6cf21128bc9bda9

C:\Users\Admin\AppData\Local\Temp\gwkK.exe

MD5 3b7d16fd87058be66958e512f793506e
SHA1 2cfc4e4d317bfa8560ea575a102b388facb751cb
SHA256 d75a538af29b8c3ec8d8910f34235d86157a9a5dca6646a13418f39d20f827a9
SHA512 7425c4dde17c53dec07a7b1f6e3d02328aaec4ea03cfbd4063a234130690f485052322b63aef4ffde7d7f3cf79d25c6d52367e6ed0ecf28542c634e0a223e0ac

C:\Users\Admin\AppData\Local\Temp\oQMq.exe

MD5 b14274c7554456944d1c5c9418a325c5
SHA1 308eae7403ffad2aeb0f679d402cc7294128a384
SHA256 039e2f27c7e45d5ea448a721e678ebfdd06204f94970fa3b5858595ffc1242c7
SHA512 b456c41f544d1aa4c14a5e7a2ae0566750b320b138a83ce03642d067a748263e782b8f9480960e4440882989ffc8a21f278d986903aee508b91cdd26f67d4a8a

C:\Users\Admin\AppData\Local\Temp\Sskg.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\QEgm.exe

MD5 2f124598ea95ba45aed3e426c679ad50
SHA1 5d4474d64367615aa53a762e0aa02fae7c38acca
SHA256 94326bd454491ed56efe2fcf6ba0794900afb3d890a4b00723d03a314e178ba1
SHA512 9efe48c5839832e9cb21af3bfb60ae98b26a60eb234986c2e6ce5ad25e9c5280f40021fe4ba309f24e5bdf7e5cbc4843f03537981a532f18aea9576fbea3a4ef

C:\Users\Admin\AppData\Local\Temp\nWIEIckw.bat

MD5 4632db2cf3061718859eaf3d5b01f36a
SHA1 b855c6731536e65f2928fbfcac943f631155297f
SHA256 00ae36b19916e952623f9249b2df527395a5813c4fa2c15d5bed4061c1c5d133
SHA512 a2487608eda7613e51d7cbb4e0d8745ac3a0ec9728a7703d8acbd82d2ee6cfee75e4d3c10518c12ca917bd95a86b860d4b8ad13ddb90f7c0a7aaa9849f4774f8

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b0f31df53af1aa8dde0b7975141c431
SHA1 9ec5a0016d9e8f7c55dfe41f7ad0a60e35d305a8
SHA256 1ff0f17a42c576160e21194033ad0f4c34af920fdb7c0ac2484d61ca6394a284
SHA512 4adb1b86d4760f2839d4ef05bbf748dbb087b4dcc03aa6cffe3fa3dc6e4316f3c23f190948ff2f5d43399facc518b77065ae230323a29b46b555d15256ab06ab

C:\Users\Admin\AppData\Local\Temp\YsUQ.exe

MD5 182ba743a14ba73d755925a3f4a7131c
SHA1 9042fb62baeb7075d63374287a8907705cb5f9cd
SHA256 b97449123dafd9de678a0d394fbeb0dc2606809b1f7df6333e55bbe37be9c59e
SHA512 a45c1d833d7526891adde56a8ca786207a244f1152b964586f18daf370f1c0692ccf55fec3bc146253d2afeca96861ca6398c9922ae634d4889281938b7f5ce7

C:\Users\Admin\AppData\Local\Temp\RIwcUIQU.bat

MD5 aadbb4000998f9172fba3175ff14e072
SHA1 9a034606ed293c22550f7ae376d450bf683b2034
SHA256 fa0d02b9c0136c8b01d33794cc724586771281c3a8e4ba7d5018b08bc66d2c96
SHA512 227ff0dc08e10f1ec5c629ac5de087b60ab13be6ef70a951f21b1b8155f0e6c603f66116dea0095bea4b16d9dc0ad02a32b0f48bda3a3f1aed8c2b31af6b9346

C:\Users\Admin\AppData\Local\Temp\psgcMcUQ.bat

MD5 32125677939bb86ed0b390f96be9fe76
SHA1 dbfa05effe8ff2d5a5f975cc225ecdc3056f7bd2
SHA256 8e2ba79a2534545803211d80182633201c08ca58981d015df546ac30ebfd3b7e
SHA512 74e6b858b63e42ec6441a05f1bb810c4d6f4b2d38a393e624b5411a3f9fc3b9eda2ce29119226594746dca47109c7d630243db22b0d1122b85df9052ce3f0f1d

C:\Users\Admin\AppData\Local\Temp\qwcAUYoE.bat

MD5 156da5087397210e9cab952294944926
SHA1 457f18bad0fd0e68b38faf06ec174fd2931f97d5
SHA256 cce8c06e6add607d2f1e485e0519640c6fa0b8f09ae2a5fee2439b63708d3c77
SHA512 2c4b00f41702d9f662b593af5fe478fd54cdd4ae8ae2bc3f0c36dc15a1441f11fd2e7358ca522c9a6a67ef03693ec89c6567e700ebcbe999f3de3588b0bae764

C:\Users\Admin\AppData\Local\Temp\AgMQMIIY.bat

MD5 ed28e80a6508a4ca34fe94da030949ab
SHA1 eed5c10f7d31b0f840f67c8b2c26052bde66e8ef
SHA256 1e3f607a4a0db81683abaa78e43ab8752cc753cdf0caa09afeafcf49028a5c0f
SHA512 5bf51127b7f6e8177d8dd32a4f2ab094e7fee860463d241092e270e8c7ee37f24aba221f2f16a3ed44965b9682d5b46467253214617b1ca6e69dc559f1e49dd1

C:\Users\Admin\AppData\Local\Temp\uEkIkUAY.bat

MD5 2a90962abc05bae929c9f8cca38f70c6
SHA1 ad1d65a865ab736014ca5267af45460d555b8a1c
SHA256 64988b35832e3ce551fe266679aace80a75dbe2759bd12c391edda2bea570778
SHA512 ef166a59ba64f8a6de81d882532e385fce3900ddf771d30bd518b20531494429409b16eaa658b02200316bb9f2f30a99e8b8811a7062103fffb84391c99e4898

C:\Users\Admin\AppData\Local\Temp\wywkwgcQ.bat

MD5 f40655087a58645226baf7b72c0e7752
SHA1 cee0f7965bf4fba6fff675de7dc36e93fd0c61ac
SHA256 fab561aced2ec89c746b31c16be7660852e8105609794eb95ab02edff1be3055
SHA512 9654018160354cadf0cb8da7daddc9523095c6a5705d72862f8cad7665b0e159334c4028656c8b62e7e070ac707cdfe79b5f8c93f3fbc8316c78aa80d057c140

C:\Users\Admin\AppData\Local\Temp\lQQUQIoA.bat

MD5 74a3b80525de617898d0bee92e3aa2a0
SHA1 70833597bd5e80ca9d138f0d3fb9ce6d845938df
SHA256 d1b4b5c448382cbd7882ba871c4add7f53518dbb128e0b604a020e5844c1092f
SHA512 61c542341c6ac13a21c53de32f6aa456fd8f533efd774779709972af050a9928224bbdbe28fd045abfda015e7b1d9e6b7e0121d82e8a1daaf286a8cd31171624

C:\Users\Admin\AppData\Local\Temp\ZSMcwQog.bat

MD5 adf162fb52e41bd1e916e9417dccb009
SHA1 9a463a768441fd5f9240cf0f347501ec96260236
SHA256 592608120375809e2fb48647684b320c1acbdfb26a55458aac7c01b2e7c8d076
SHA512 e1dcd6de2e51956561324ec4d8fee0c318c02426dd5c6da70472f8e13c1d1401f9de50511ff533a16ef743f74a42491c57621b724e9307aa9562d9c71658c260

C:\Users\Admin\AppData\Local\Temp\dMUwwEIc.bat

MD5 421f3996f57ca1a309d87384ce28f20a
SHA1 fadb67fa41cc453ed44e61fef326feee204f1010
SHA256 5488c71c56db9e3ed2c76b90f5c6be782970f5a031bfcb805f009866d7b339e7
SHA512 2fd49fcc5f78db1b93ec83d6c8ef03de849ec91c4ba59c8f884ad1c90721f05477c6dcd0d2cd532ea1645b8930f448fc97b75321d0ba952ffd0fc9dacdb729a6

C:\Users\Admin\AppData\Local\Temp\ewEE.exe

MD5 4d38027048c54357fdc3558693e4120e
SHA1 c64b4e2873a1c265f86a4f06c80f1cadd29f671a
SHA256 491f51bddeaf50cba0a9d243331f12d809cf33031bbb581d15da059a08baf72c
SHA512 856f81d4aba45a15c4a334f22678d30cd56208a847724601afbbb46eb141022addf5d28270a20215dfb06bbcfa1bbeb659cef0e8a86bd9bc902506d330c9e1c9

C:\Users\Admin\AppData\Local\Temp\GMwy.exe

MD5 1c9bcc38d43e9518a5f471070c50dfaa
SHA1 d3a4c6975dccd85759fde6dabca08d9967673505
SHA256 a43d0c8a4f735789a23acc43a6939e2fa81fb5aa5c8e651cf4e46f5defdd1ee0
SHA512 7cc9c2707ba67049cfb0b5716dbbf1dbf2175689ddfb1942b25839313f8f8469162c569a3ccbe70927b4fec0a8fcc000cf8b9b63b80de9f20f78dff2e4abef20

C:\Users\Admin\AppData\Local\Temp\OEMC.exe

MD5 be980ee07feb4763beb5bedff0719373
SHA1 ea008782dc9a72c54206e076dfd7c2d81737ba26
SHA256 8bb8a78d1aa6e102b89993794a123d8b70783d551c23bfab4dfaba2881e118b7
SHA512 f0b329b651f8a65ff6c0613d1d6d912aac1eb3f7e19ef70aa0de1b3ade6b79e561dc8c1498b16af06c7326c54574223966b1f8af20de7c4d1680e223884b2c97

C:\Users\Admin\AppData\Local\Temp\IsYM.exe

MD5 6429001207e7e28b02e4a24f0087566d
SHA1 ec435edc13af689fed15afa37bb10620e3723fc8
SHA256 aafca4065b88d87f1ebbd85e8d5c228aad5b4fe1c950ca0347950dcdd37c81d0
SHA512 c3fd9a65018faa9954e3d4296506dec243382623d059a3f2732aac901a3087cabb2cf3ffb268ae2c325f4f9c92aff16e2b1427d9803de1fb32453de9524ee63d

C:\Users\Admin\AppData\Local\Temp\AAoq.exe

MD5 c33ee4a2a164c6c50ec2717e7ab78f69
SHA1 e279a4d915f9a97a7094a965e7fe71d00ceb6748
SHA256 b3dc46edb6d9dc4fb6859aa9993981a1d7c4d8ab8b63f6c2a2b05f8c9b75eb97
SHA512 2b9abe41843bf2b967916849c026e4cf79f820716d03df351df7d0c445e437fb81a92e5f256d69db905ac6ccf0a7d4eee53d43f850755fd0872e188872c04aa0

C:\Users\Admin\AppData\Local\Temp\XUQIkUQg.bat

MD5 66dac0e8b54cd74f0c0b698bfdc4267c
SHA1 fcdd99cbf151414b10dbfa2dd609437fbf217bf7
SHA256 d53893313dacf9a592a662bf224731d38d6ed4d844b41ca2c8b6dda94376b4de
SHA512 6ad1cee85f3a75d5e7512643c1e71e4993d0e4b61b47b054868e125534149fd7a8e32a73c20fce4bedb92732a37ef485711271fed2f701b8bd6483829f76f33a

C:\Users\Admin\AppData\Local\Temp\qwIK.exe

MD5 878eb2ab6da427806a3bf76db40fec09
SHA1 9efe8c2d82eb32ca003105bd30a868b79dae6aec
SHA256 a217cb22268d73aa5971b052c265f2a24aa2d08652067ef0b04efb9e6cd0ed35
SHA512 a7ef99dc435a3f20e15a26ceb1d0420659f7e197a44f356b3054d6e709c78b0a963d776fc65f82ddaa03d4272e4d02e937424c1268fd2e5901cd3506528bae64

C:\Users\Admin\AppData\Local\Temp\ccky.exe

MD5 7911a26da532ef523d1a4c2895ff5235
SHA1 bba87c57aa80ff00794e12f2f466c065404a0ef7
SHA256 01010d784c92c27c995e52b376ac3e850fa0652fe8d8f60a022f14023c20b470
SHA512 9c9e30bd059bede926dd94e681a21d17fc1a0d05599c26d9456aec837c1babce74c5d901266cd6c747103372b51682bdca5551deb51d590eb5bc1b91a177bfe2

C:\Users\Admin\AppData\Local\Temp\kQow.exe

MD5 3bf8b39b658b6295c0676e3077ece9b0
SHA1 a58c8b3c72b1ba401d25621945fd512b547f4581
SHA256 de4164c118682c2c425ccbbfbfb542cdf6de73d59b5557e6419d3a7d4ba888e2
SHA512 993cee291a5d424fc03204677437fa01fcd98101f935e2b47459ab13977726a5d5ef0b65ac3acf72b5d94abfea77f06b3d0613db1ef87ca9c569a7001f69f5d6

C:\Users\Admin\AppData\Local\Temp\EMAa.exe

MD5 3def6d6700346b1c737c996d698643d7
SHA1 4a2b5bba2c649bdc86d9c464d4a7256964c110cb
SHA256 021fcea19945089d14c6e176fc9adcc49d76952f8caa87005e2868fbc45b1072
SHA512 18cb0ea3f5b0ceb0d921d2e66ea364747657c42f14dcaa7ff55e55ea44f71d5fcc4ac26388c19109d1be88452f4af4fcfe1d1727cd0dfc8cdf0ed4bfaa49df9d

C:\Users\Admin\AppData\Local\Temp\aeQQEsIk.bat

MD5 a43acbb78ea2c39322baf231a17b7b8c
SHA1 9ac409ae2e26302ae7d24e1eda1f3a25058df5be
SHA256 c17a2709d4b0d2815e1b48f1aa95800f439eed5093bd83cff0bea3697e8ebefb
SHA512 545d6f53b6d77674b5f99482c06076f36330d5399ed4da4709a8c3567b68cee2a6b794e160a1551b2c5661c8a1897211c2c05110b63a9950b8563f9caf990312

C:\Users\Admin\AppData\Local\Temp\qMEg.exe

MD5 3d09aa8edaa778da7123c1d084601c09
SHA1 b7b9265d7b465d372e10f4812eacad9a1ddeed98
SHA256 682c6f762d4ebfad1b628f3e850e16620186d29f2d6c7ff25ffb78a05bae0421
SHA512 8f2d6a1f19063cb8feea65e271156a1e4486834b9ddb893c9fe4d61805cbf63682d94884da056e3add4425136682ec933955045b3454e941d2b6307fa532460e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 44c1ca9eb1fca1f79f8410eb15a43867
SHA1 50d92e0d0fcdbfee89d0661fd345a81f14110474
SHA256 12ce21dd559101a2e4181dd0058fbadb96ebbfee5bda10f5bb2d2b6750e01784
SHA512 47521e39c289edba52b48c97b9cc96fb10dac7acc41072554bd75d4d6c47d344fd03c0abbcaa962e540d58daaea4db5ba093137c82dd7d49728663da2d43145c

C:\Users\Admin\AppData\Local\Temp\EYIg.exe

MD5 e9dd2c25a44b3d55bc1b5777b5387c4b
SHA1 f86020aefc43ee02a05f1750f948ea89ac1a09bc
SHA256 9ce9a38a2178749c9e87cc416e98a7b15d6ac1fc53fadce8f3269b41d572298f
SHA512 3d276c5c608791b3d6791bfd7707ffcc7916bfcdf040172caffc17f0d7200033cb64847c4feb2f5c8d0955a5e86e57ce334571148b9f7ae71e96259b979eabd8

C:\Users\Admin\AppData\Local\Temp\MoMk.exe

MD5 21f4c08fdde4284cc4c13253c7ed9883
SHA1 a6828a4bbd7e2eda4978e5352c8366c915c2c8c1
SHA256 7c11c5413c919a9b55950e8c9321f7def643189b3a3d8866725dfb3203cb034a
SHA512 615e6412917ef0de42e8c692dd1589864599b36a1627aa5d6443ffdf2bb14329c5c462f38916b6ab615043dc528739588a6351cdad72d8d68bf9478c5c7e3640

C:\Users\Admin\AppData\Local\Temp\gmAgYIww.bat

MD5 3b83fa86d5c5feba6a8adbe69d3b8bf2
SHA1 7ca0f281aeb4fc86f0dfd545449b9b6978dde49e
SHA256 16edb059d82e1608c9543eddf21c61c12b07e17a2da50255dfac94567cdb3651
SHA512 d03054074bfb60dc1550d49a93901ff12a5aca14d07f84adc4e0de6965b3d89c34c8910d092c6d7ad21f3bc3aae2f90d7f81e05f09def5bace6325fd76f0b9d2

C:\Users\Admin\AppData\Local\Temp\cAMk.exe

MD5 6b1c2ac2109de2ea6972c117533f0860
SHA1 57e7a7162a95e40c4805b04dc72dab16f7043147
SHA256 a9b78cbc02b6e0961fb2a3abfe4f21aa526152639e274786a0c332cc6b896ba6
SHA512 3a187ff1bf6295049d14645c26fa3e80187ff6be82132af39f61ad437c34b4f198e6f581d757b03d6e6dc694afe2c550ac24ccb47cf02ecec6b163b4c108db22

C:\Users\Admin\AppData\Local\Temp\kAww.exe

MD5 609efa03987e2c77734234db029e32f7
SHA1 3b1e022f5a25c17155deed6337bb27589b3d8a26
SHA256 2f40a9d552ced5058ee3d60d40cc7d61eed9ce78f12ac2d386fbf1858bc8065c
SHA512 d5438fbcd089769ff60b19a7006fbf37e171a140c97dec8290175fb1701c3c5cbe31834daa8e8287c004b8c9a73ad8d67accd885544534e44aba8d85333f0d3a

C:\Users\Admin\AppData\Local\Temp\Cogg.exe

MD5 ff0713cc9aaba181572c83c56bb72de4
SHA1 55fe2c7ab5be7a90d12d6772d56ec991b215534f
SHA256 91c98fc05f6a14ae7e2f058c994f4917188a4cdc3ab16dc37690a58b07543d1a
SHA512 5f0cc4efd4a046af2c305d19169ea637651a38fa1dce17ecb5e47d8070b856b547e944c0a6658cd4af05497d0da97cfb322bde6bde3c6f4e8ebde3ec485220bd

C:\Users\Admin\AppData\Local\Temp\GaAAcIQc.bat

MD5 92ca801584df564e28619e16e65c73ce
SHA1 e50166d4120e5e5dc96812b857e00209c5e32c14
SHA256 f15881455280985aa600014ec5fc6035a5e65d3eb61f913a32bcbf28c6a55015
SHA512 5fde058cbbb1e9204c447f4233c79473503809a5fed3cf592e8f0fb380e9e4c4f96540a71e91c6fbb4ce61abac2ca87fb28eb40ce10b6c4352071391f98b10e9

C:\Users\Admin\AppData\Local\Temp\iUwG.exe

MD5 a815b13319603da7d36734a6cfa16347
SHA1 858cff72b768a48303239238a52b0871a34d091e
SHA256 3fb72b466713703f81708ecf967e1656b0ed889eced90b55e1cc04707606cae1
SHA512 dad54ae32be11c6a4d64221b0c2bb824baebe6b6e569fd72675c463d4ad56163d1daa2ffef0e7ad1c18198f3c1c8232ec6840d9c91b19f9d1fb3459f378fd754

C:\Users\Admin\AppData\Local\Temp\eIQw.exe

MD5 d739008e7b7492904914af862d03d17e
SHA1 00efc9c7c60821dd1cd6e6010901de543544b2dd
SHA256 cd5fdc2d05b2eb8a7925b7635469b6e9ad8b69eefd1d10b9744f90ca996b9424
SHA512 dd4806a30ca1c36469da6076353802fd7bf3cf28304a652e7cec61c1b7d7ad4cd276f7b7d68385a5e910f1c59ed29d4490ab7df9ea94a772b6a01b67efe9a1b9

C:\Users\Admin\AppData\Local\Temp\YckQ.exe

MD5 c057ff8753cdc5d67a2101b5b2b2fe71
SHA1 4289e0a8908498e7bcaeec835ee4dc1b6bf24c69
SHA256 a7e3cd4069af8eca4504d234bb8bd5307d2ab96503bfa76cf23827946d8ca37c
SHA512 0140bda803c04f1a1856a20d9836d9615257129726df676cd935deb4de15e4153cbdb44f9b3af32bb6e69c7cf0f0344b3bc6fef2f48480fb87e87fd32bd5cc97

C:\Users\Admin\AppData\Local\Temp\coUW.exe

MD5 2b0c42a012e1a3fe009258661d22e15e
SHA1 6558c81f101887673d2d54a9a7dc2b7291d24ece
SHA256 57a6694266126aa67c436452ef1f5b564ed8badcc233e3f71c7f263675bff0f8
SHA512 14c94ae751ac6a903e6e33a68a2b2a9fdf65cde4b8898e90666417f6d74174a15b656bfd90496fbd599e3ebe5c9f5f6bffe64594e90b52b385de62b9fca9d877

C:\Users\Admin\AppData\Local\Temp\uccu.exe

MD5 643e03b7b7ebf56846a89cd9d621d882
SHA1 0b097ac89788d0d6c73217517f0511770f50864b
SHA256 d8c42f01b436a6ea9884bd5417e931ed171158064969c649ea1bf041104c1e70
SHA512 2f7c431adc07be154fcc3741ace6a972e675ec9799cf727996f51f872162ab5da61114a577ef68a55323d21a48a6a10dd7322123d89b4af35880d2f1ae4c4d5b

C:\Users\Admin\AppData\Local\Temp\gIQQ.exe

MD5 e2542920bb0a6e10c6744dc33048e570
SHA1 ac5a23fd843dcea7ae8963e6c07ec4edb2427e78
SHA256 30cdcb3e97d7398aa7f1b91c7bf207bf26548a82647f0ae9beb3d6b0d006f0e3
SHA512 b89d9331982dc79f398ecc941dc565cb05f904ab840c22b9ecb853b31a87c4356d6fc9385fbb6d57783d15e4e98195ba2ef0affb63cdcc1563637388e00ac4d3

C:\Users\Admin\AppData\Local\Temp\ckEO.exe

MD5 17051ddba9e949123f900a1eb2f67a76
SHA1 2360ba7f3b4f5657a9f971bc51c6a60adb32b09f
SHA256 9e25df2f8f4d8ab465566f334452d0efa094cc98ae87a3ba3849682d5fe8d40a
SHA512 1b0dcbc8333e16ab54851cbddf60e8d2e474050f6bdc6c2096df02fb8e3ed6938ce1174da7ca58d591bf6e9fd7d5a08827c1017072aae3bbf1988bda7dc246a8

C:\Users\Admin\AppData\Local\Temp\EkQK.exe

MD5 dbb56522b24b7fcbb0c80bd941c34a45
SHA1 a3e03c64dc5eaf6e00844cde1935c96ea9784fa1
SHA256 74a90839c1ffbaa03780c9e87092d0488b6247985b4a914b5234316eae827c77
SHA512 c150fb94e5aefb80e7409bc9282de12a7bb4629ee538b0a5226932f95a7064d2ce79fb9e168402d23ced57794dc6d0f5ad357ebf3daeee3f6e16ed902f1c7a29

C:\Users\Admin\AppData\Local\Temp\GUEy.exe

MD5 41c9d7877626f957989c56825ae17b80
SHA1 fd229eda1ad78bdd404c5420785bdee87086ecbf
SHA256 ad5e5ebc56917be6abbbf4ef72d9f41cd1ebf828b171d0a84376017e53e03c55
SHA512 55b54629ea4024946ac36c3136506b312f4beaa4d625ed0b329546d7667728bce4a3db0aab4788df32f70302d4014efa82c5d95f62c5815ea28b943daedb88a1

C:\Users\Admin\AppData\Local\Temp\GigYoowg.bat

MD5 4a0ea94d2e0f89e05716832d807a9fc8
SHA1 50941dea3c3c8147b29ba3f0c7e4affeda71c0cc
SHA256 1ddde0cbb2e68ba78e5a592cca2d6fea891b961feb109b7c9f0ca0ab5a583f6a
SHA512 b3be36542ea7451c638342a9d1df9f23d77b95a67c08bea9eae4a62a3bbb56364d150f7f996f3d232886d2a1eeed1e21a67ab7e7f10f4c189b9751f203831a07

C:\Users\Admin\AppData\Local\Temp\UUoM.exe

MD5 75b87e3eaea901d5f3a95b3f075fbeaa
SHA1 b23404cd76c036e173bafaca0a6b02fc0aec210f
SHA256 fe2a9468fbee7a27df302abdafc04d06f7233d2f39908ef358bb87b64e100926
SHA512 810198a9e6dc3c52a9fa59006816dead6d2a026a9a1e2b7d9200572e9bb3f84dcc05d33b0ba62ba3446176b225da2ee69f8426eab26f9e42abba4ebde4e23aa2

C:\Users\Admin\AppData\Local\Temp\MEQs.exe

MD5 4a11aada9449885fb07ce1c730f67d8a
SHA1 0e05e3e6cada8336875168626ebd18319fda14fe
SHA256 59e9c2b46fea008b27ad82adecb59795d6e6d67e03298e28b3d759782596b40f
SHA512 84fa98fc8a1d102847dbba335d9bfa197782fcbe70318dffb4e44bf212577222f546035c0331038a2e9ced438da0c751d0e9db59b237c2b43b7165b10ecc2384

C:\Users\Admin\AppData\Local\Temp\LWoswUcg.bat

MD5 8a8630c663f9af7d9092ba3fa356d97b
SHA1 762c9e04c9b4af7f4fce2be260a2185fdea7f4e3
SHA256 38ded39736e7cde74577c0352f1c7441db468c27bc826b00ea6882582c1806d3
SHA512 4704eac183468bc6230dc1a969061fe50691410672ade3648d3d93d082aeda1062ab03e06a66081b2efde0052bff83a62e89a48216c72f6b81ade3e1fda85308

C:\Users\Admin\AppData\Local\Temp\gccU.exe

MD5 d9d554841b86e158e25ba207cec0d45a
SHA1 2d60886fd3f1acc43b32e6f5ac362bf4de780660
SHA256 99e375923ddea9a17fb21450243f853cc762a57b4dd880a627d967ceff0f7f11
SHA512 8bea80b2c7f87d12a10071f1a96ada22b19ef3c3c2acefa9646b44d9783c2648c6938e2e8f870f201a228149d3a04cb28d3cbdf00c1ad45c635bc904c46ea26b

C:\Users\Admin\AppData\Local\Temp\eMYw.exe

MD5 4cff9a3f27532fee1cac28f35d922f05
SHA1 31397ee454d8012eb9791a623fa4dfe1fccc5932
SHA256 6228c1cd1c8a227630ba695229cd0d347db95f10ff6f3d2dc2a016177529614c
SHA512 7164191a0cb6eb1f4fb5cace37e7c6face57c654daf8cbd3c4ae67dee88a1e7a38cf655b34d8891e7f3b56501cbe993d91e8ecee5ce794c47732a9842f9da004

C:\Users\Admin\AppData\Local\Temp\DWcAsYsM.bat

MD5 b0b421e947f202a04f97c309a1debdec
SHA1 c051131af666e0a354e93618654339fbcd18b3bc
SHA256 dd676d913a2c842f8d3eaff36ad7a5b98d66b26ca328406501b34e1d936c42ee
SHA512 49e62d3fea860d3c88d5d016a4f6871d91255ef270fef7347a062aa8de57bb802c33a26821d7dcf38c664ff35b0096c0dc15c4c16ede0a606e07184211923846

C:\Users\Admin\AppData\Local\Temp\isQW.exe

MD5 5ab948314b67b35e6d5ded9fd79a5743
SHA1 1e416c51ede981ecfae8e08e843994bc9030bd7a
SHA256 826ca56337b34ab3bd534b0bf72ca97526da7395376f974c8cc067d5b80afd03
SHA512 6143646e668ab28c5458a3a58f8f426c2064be2e9160bcd9f61ae4c77782164679ea69c2b6ddaba66b2a3af571032ba4def46f317c5cb43fd067e9381cc682f4

C:\Users\Admin\AppData\Local\Temp\qMsU.exe

MD5 554871e0484a2b8a6473a467a668408c
SHA1 0dbc41fd4efb643624ff69c9e53ffc23f9d766a4
SHA256 6a3d9323b10a877bfbad0c3600566731d3e77b138101e0ecfe38dfbb1bcbdadd
SHA512 0b3c4373e8d8a3faf208c9033613cffd022c6845883b5c6345b35ed9443498df564d00285540c60856f8cf90b453535438aba1e11d878f27b0c037abe46d44f1

C:\Users\Admin\AppData\Local\Temp\gYAS.exe

MD5 6fd0e78d69e7e8836f765ed22cafd359
SHA1 0b0e3226d17cc0b60a5daa06bf49f7f254fe8ac1
SHA256 2b693e354fae089265b5e04070c07474de831a38bbbd8814fb43ccd29c12d7b1
SHA512 4deaa1a8354eaf6a6af0bdbab9be5b151279c5f2ea8ecfcfd0f06c1da17692810ab8a6b736852d9e033b0374e5aab88bc659b4ded2e77d6342202a25fd84aece

C:\Users\Admin\AppData\Local\Temp\Ucce.exe

MD5 71f0463894c6bf301bc8047146686f8b
SHA1 e4dc30bc3c584ef801d6fff40a01206e33b9048b
SHA256 b291086c5e09f7abe475e9789bf5de31c5911c4ed93bc800eeaa88303d955c39
SHA512 abe0d201d21a54431a00e55cfb37fe4e29abe90b1884ad4d78b4dd782a050c36371592842160eea7bcc0b34be49ce64b1a8d1faae227f7a76d5e21106242fc57

C:\Users\Admin\AppData\Local\Temp\dqsEoMwI.bat

MD5 93bd694ee9008790fbf36d124915d80d
SHA1 63f8463e2d16a7610ea256a208bf32fe47415d83
SHA256 912cd7f8e6c8170f931f2b8228715262010d7794baa61dae34e2860dbea63b09
SHA512 4cdbfa83dc0fa79f09b11f5b5061c59f6399fe925333bd1f8c9b2f993dbfb7bf37b14e4f2166330a52c59e0168cbc3b02e0cbed57b8f5c02ffbb7f572f9f7b0d

C:\Users\Admin\AppData\Local\Temp\KoQA.exe

MD5 2f79c33ba64be8392fb52c06eef95dc3
SHA1 bd86bbdfb9052ed7344a59f93591efa3b68958fb
SHA256 3d146effa5ace96fc5cb1ea774a28c00a2e38f1f47fb913f9225fd4bdf688998
SHA512 cfa72f703f8297919dc046da36750eac5a2a8680348f32ccfe27ca5b6dca2baa137fff7f617b87d2aa5388fa8afba3d99ec2481fb7670bb56cd5731b60c697c4

C:\Users\Admin\AppData\Local\Temp\CQcS.exe

MD5 9ac74bc866bbed99fe543d84104e1ed3
SHA1 dbeb0825c49fb8936345b0094fc467c4f3918d5d
SHA256 789d9b82f13aaf51476fc7d388bf7190aff5dffdfd6e6edfd17ce38cf07bb907
SHA512 3eb4de3001ed1b4881bae79c57e8cbf5b419b7035e1b3d7a50ddc309cd2a6ce05969be22df060e768edc24c5dada549af2fbec95423e64dcb75ea456947aef53

C:\Users\Admin\AppData\Local\Temp\mQsE.exe

MD5 fdd99e50fbed3a65b8a4d04108f43600
SHA1 2c23105a36e498fbb60537e705f8a8ca33534988
SHA256 790a57d883c2d72f112ec3df2f2f6bf8f358641e76343d4a03f3b11d3453b15f
SHA512 dbfd647b239a07491b247c2cf20b945ce48fc20278c5d287f3a441f13a68a0167d455409bda3c6f671a5fe3d21f2be4b22d2904f6d775e698f0e30b5e342ea3f

C:\Users\Admin\AppData\Local\Temp\cAYI.exe

MD5 b485014aedb7473603b335b168e22a8d
SHA1 360ec211718554dc347a8c5fbd2d79fd9f863ef3
SHA256 2443ede3a9b43ef002126e926891d011b337c8652237be0820571409f399cd9e
SHA512 352b16b25d9acfb345e6636b28735ec4675fea663d353a9c063b605668a963aea2ff294ea3270c7ea902b4afda30373b694a853e66d2bd0aebbbf1776ae2bf08

C:\Users\Admin\AppData\Local\Temp\gQco.exe

MD5 fc9804a4b62a5ee8a04f67072fe08c1b
SHA1 dc08cd41981e5cec436dae4fd44ce5d42501e098
SHA256 dc5d36de8262717865b286845e5f97f848498928462bea3d983ec2bbafbb9734
SHA512 445bc51ee9f1564d7c06316267f23b5ff30e3ce55d3fc218bbd350d8e50c81aab2eb8b1ad01e343a3c297f2ddd29c0ac70fca22490856035e53bffa841a9cdae

C:\Users\Admin\AppData\Local\Temp\RcUMQQAE.bat

MD5 0a43f9220cf40b4f2abf1cc8a1cb06bf
SHA1 cff322138fae3c1f70e145de091e4faf1a2c55da
SHA256 c57ebcc6d63a5ab0a049d8b9dabed5b2108914c910866e58343f47e599eb7203
SHA512 134bec834cb589bda6a1137f589015fc965feabbaf49749c5b80245ac322084e188691efc49a768aaefbf174f7b365713ffae5a80124523d3ae306ab8b3c6123

C:\Users\Admin\AppData\Local\Temp\kYME.exe

MD5 08e55705189b1b182a2e3cc48be86101
SHA1 e3bc86bd6be0c77af41c8d7c7bef667b6fa465d9
SHA256 ef13d131270cb4c3cca27a407715256258ca948720ed2620edf56be50f280c11
SHA512 7aac8810b0a01dc3d6eef3671883d253fbac6202e993cb939b13d05c98a44deb4a80a26c3cb29c580fe8f0a5133bd3545f722fdd4b13ff8f141584c0593be213

C:\Users\Admin\AppData\Local\Temp\MkQk.ico

MD5 2239b3cfdb5b6841bb2dde95edcb306b
SHA1 d027bdec9a533832ddcd54bdcf318ef2a0da8e60
SHA256 ee2532e247bb7274af8769def697dca7b356d65706d3753ee317bdd34d72a6ee
SHA512 fd7f1a89ea4cc76a89542d5b8c1ef6461261e9190d9cc1412cc62437eacc01702b729eb5c951b5db66270640f96608b7e30ac8f88b276f4e79056fe80a098c1f

C:\Users\Admin\AppData\Local\Temp\soMA.exe

MD5 a01c25772874b6f2e9af08a16c34132a
SHA1 c8a2ccc1c986ee6d0b40b096a860a24f7053fae3
SHA256 af884a0d92c9df645e0e277a9b8622d3a3bb990a56606ec0de55fe80a1bc420d
SHA512 3e1e721de37454b9ad66daa89d2d86d7e2023b6a4ae792dade17b9d76002aa0c97d0dc9db7ad30e7d0033f823530afa2e2d088026c74db5d62b2682b0e62d7ac

C:\Users\Admin\AppData\Local\Temp\uEMU.exe

MD5 3bb09063c92e2563916018c4756f36a5
SHA1 8448e7d9868c24e750186743dbb41abc1439a68f
SHA256 fa758197f32115f30564fb025bc379ae6383c1dab6dfa289e31c8f44a498b390
SHA512 a52788abf5911c87e6753c76cd948feddf8993305e4f8ea5eda002b42b4e1ddc6c00718a02b0f4699085f421f042f68e9fdef03a2ad07aae8fed7c7003f7566d

C:\Users\Admin\AppData\Local\Temp\IgMq.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\gAAU.exe

MD5 3b5bafa47deb134b707e81702ce7c1b9
SHA1 59cf75a2d802e228e2eb855f6ca9a02fe3075e51
SHA256 3a71e6ef974b3cab3adf2f7ebf2da8710dd0660f0e97d8d598fed2cb4c7ffa9d
SHA512 d836f66abe53e766739d9381e34fd5f1d906ca34e844ea7868d2b049ecfa674bf5a4ca1a94ad09c6a5beaae4ada1ffc166f81b5f3b4968ed2f0f4e24b017d300

C:\Users\Admin\AppData\Local\Temp\IoMM.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\WIIU.exe

MD5 bb822cec397c653e6d4dff0a2f360f54
SHA1 98289386d0ca49eda9c18a9de40ae2a05ee4df27
SHA256 81f0de326e20cc723a23536a4b6dc1861375c96afd3649952725f56580bc9147
SHA512 6308e42d7e9b95dccc198c5c43ae717a6a703d8bfd0b3435302fa5bbe9b25facac72d8dc4062e605391d14bc3acdf7af166cd5bd8ec02e8c8eeb5da9eb406ac3

C:\Users\Admin\AppData\Local\Temp\YwIM.exe

MD5 7bd2fdb80c7a20f0c1039242eef6ba86
SHA1 cfadfd53347f6fa3d624c4f2140e45f111e8d05e
SHA256 6e331211c7c0d7acf02109459a2122dc2b4ab5881e6198fd6b43ec1d70aff6c3
SHA512 1876cee77b4a8f93e0182ba2a9ed6c90ad418a94e7d50fe26671cc3b332510b95e7f0aaf4b9523c153d8ca1c9cf9de113d0cb699bf8e72acc913780238c70afe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 983e0c191ede1f89b6e4e8d8b2ce155a
SHA1 1466908af403831b545c770a0c858ebd6959304e
SHA256 a06be90085b3c95127ff9df47bbcbacb9b6baeb74fef8594dd3f9bba9f0d196c
SHA512 d52a2f620ecdd691fe569da7e64142f316b1ccd0989dbf0cc24ebd18cd65f59f7d7f948ea74e31a6ae073f6a6f8d955a6e7bded82da836ee552ce871d07885dc

C:\Users\Admin\AppData\Local\Temp\sqsIAUAo.bat

MD5 2a15b309c5b43eea16292625b769c836
SHA1 d4bdbaaa4dc87132eed317d8a87175639fd01df2
SHA256 37ff0e787835e7f884a4906488553eea04736a60ab1083cfc99ace4e29ef7f5c
SHA512 aa9b4342bc21c5693d7a63b25d63e58a5ae968a5f3705885ebd902bf73da1b0d3bfccc00d09cdb25fff050fdfabba41cda0f9a4ebee9707d9451bfa0c03d707a

C:\Users\Admin\AppData\Local\Temp\sAEW.exe

MD5 68448a4b97190cceaf8e1393120c989f
SHA1 d2e987bf177169855264bd9d121c12a540dea8be
SHA256 bd4c1632167ff657dac90e6f6595bc040c93c5bdfcbf7d066f557daa48242dcc
SHA512 d15a32549fbf0aa9219ff0b279236d6458f4193945cd50ffc38643b16692e94f48f3ed79cbb508cafe926bf1ebd936c9b7a925774af5a2905dd6664eb517bebe

C:\Users\Admin\AppData\Local\Temp\yQYa.exe

MD5 63c22fe38255425ad9347a32ed2a7a4d
SHA1 060ab3adc726facbfb39fcc457e11309abfec8a0
SHA256 3e11a37acb9d62811b6855bb89f75d9fdafa8dc2d1e962a7e3fb631a6cb1faa8
SHA512 afcbc392f5e737c08e5979ede9b7f4b90782b3e4f408db36918d15553a97d07ab0be3eb70ec451bc33c3e4b813af77242b28fb03bed1f319a2f0aba596486b61

C:\Users\Admin\AppData\Local\Temp\uUMq.exe

MD5 eb9257db7b0d3052948134cbe1ca85be
SHA1 78e71bfd8e9d3eadf3033b4c53f3e6c249481c2e
SHA256 d499dcf50ee6dcc1a2efc3e98086a941aa52bc2b7dba9cbaf65c4352bddd0fe4
SHA512 2c1dc67364ada4de1f16893eac78823972d5258d65372f13d99433fe935782bfc6c12aae1bb4ecc0e5f6ba50c8d8b266fbf9cef5e848272f78277c8ff6657e48

C:\Users\Admin\AppData\Local\Temp\AokW.exe

MD5 21eb39ab7f6b411366dee89c3b3194d1
SHA1 69b301de66a381ab925e3c1afd037c442facb89f
SHA256 ce4891b82cfd582f4dc99631b13d036ef9005776e31fff7c2dbde82f9fd03643
SHA512 1703011c8a49ebaa88a075c9ff24c543329cbc466b0a5514d7410bcc3b16077c878e8a25789e98f9678606190a0ff70a6631ba99e8d9cb711aa2c743fcbe4de9

C:\Users\Admin\AppData\Local\Temp\WOcAskUc.bat

MD5 c7f2b81005fdfc5a3bbb834633e6c027
SHA1 ff1fbae9a1815946d25b006db6c4eda8361400b6
SHA256 be1c047f9218cbb73d58a159ac23c6472d8ba6bc82af7a71402ba898f4288437
SHA512 c0473d3cc7e546687ccf131268a2955ae41d4010d6944f12c88ec36a2334dfdb5df2c875372923cb69b93cff8fa5a3e2398dd51c270d08d2b765cc269003f9e8

C:\Users\Admin\AppData\Local\Temp\ggsc.exe

MD5 ccd8cd9d39274d4d29e9b27b61cf5d29
SHA1 95fb7ffd9ea775da47320778209d0b1391876c62
SHA256 f6cd735b39cfe5dced85cb03febebe787ec27dff07c15a88489b4f4ce4bb798b
SHA512 328c96be32c8fdb0a698e756d067d5b014b22197bf5bb646005e5dcf00fb1518b86d1cc0b517bfec3bbbf1f9183fa61f305aecad2485a1e9b2ae9e7c10695963

C:\Users\Admin\AppData\Local\Temp\eEoo.exe

MD5 8abb88a030964ddd65cee5ad15add82a
SHA1 f399ea2d1efa159108d5354d1e751678704d2305
SHA256 73ceca26ca5534face8991bb4f01e9e95124b467fe9bd952b90997f6f8aaa4ef
SHA512 88ffa20f83438933ce58cfebea0a1ccbde34e641d0c8a4fb6afd45e28fc8725d649d43d5b1a54ecc9141cd8f101a590bbd57cb6cfb297a98cb81551bf029f42a

C:\Users\Admin\AppData\Local\Temp\QwMy.exe

MD5 a821edb7c78e03eedcf5f2c226aaf870
SHA1 5f723b6e461fc4b5615c5b8a246d31f542c57fa8
SHA256 0142544bc104ef079ebcb723cb3196127a2e0a1b7f83392bd5300ca7df2b48aa
SHA512 0382c628eec18c499ed86194538a4ae709ae459f9d90b0e4d89c72ac706f207c6cbb9bbe503d38dad8f21a580f538b6ac8ac2d631851a3599a90f145519f4493

C:\Users\Admin\AppData\Local\Temp\sswq.exe

MD5 6f45881533a922680f5074c6e7db91c9
SHA1 8c20332885d3e4aa61bdc8233967bb82790df6bc
SHA256 9080b66ee9fa36bae445204abe277ef60124a82afa9b4810097713a1a8826c1c
SHA512 19cbb03c82e391639129dfc99786010e90a1718e47d546d2bf981a3d3465a6a9a2d36a6d6d7618cdf09cda7282395198280c5469f75f65b9aacfed4648c00100

C:\Users\Admin\AppData\Local\Temp\ukMAYAIA.bat

MD5 f37e21d33dcee30e6783560f3c31a08d
SHA1 7581ef5793c6d449df0f239ba192fc290cd77a8a
SHA256 014e56a2d6c6ced7d6252837371dd56b4ef1549ac4142e5d8d2ec4250cb190aa
SHA512 f7fae99c15c349a09ca2f3f6e170d7f7014608c6703a8f2a06977b4aadef69abac79b525e8e2d928f4ca78e103d10bbd16d792b08dfe7ccfe0f88d23626a3d1d

C:\Users\Admin\AppData\Local\Temp\OYMe.exe

MD5 dab9150eb8d80ee5b93226c7584890ca
SHA1 b1ff3a99aa508a971f05c432a44d48aa51f66dd8
SHA256 3dc093ef368ffd1efd1276cf3694fba0feb7d9ce43b24d5f865fd279e67e91c4
SHA512 a401b53f1c40c114f44012a77643b2d68e88fae42f7664c875bd49847461441eb172032c80f0d3e679b05cb3306f581eb9db000183633b82b9101e594d063ded

C:\Users\Admin\AppData\Local\Temp\gcow.exe

MD5 e695272f8a50ffcdda1dc2e0ea8a4fe0
SHA1 cf4c39041cfb77b5f67fd1d2d0187ff5c04372b7
SHA256 d36e1bb7580f0f19b92dca3c3a3dc204c11917c5c8c026118aa747fbcb332519
SHA512 3c2db7222c7faef6cb38d2ebb1a25c893393457ae3245687d3fb0dae9a159a5567c43381bcb254ef4b0ecb83ebd58db7ea09479aa4ca293175749ca063245339

C:\Users\Admin\AppData\Local\Temp\gAIq.exe

MD5 a2b1cc7a4b89073449917353e3bea107
SHA1 55ee398fdbe2b072cb10aeda7da66c8b292ecbb7
SHA256 d3cb8174f7040611e9a35ed928e0946ad52aaf07904642f4ab00ff879b850518
SHA512 4b70b4f8d654adcbf1c1f9d0ee3abca5dda6e7fd78457847704434c4de500c159949d3fd5464ddb9f1309dfaf4e411bb4e4afc6b135271ad2db202b95bfe3cf3

C:\Users\Admin\AppData\Local\Temp\kIgE.exe

MD5 982c54c9edd03e82506511c8a970c06b
SHA1 313ed251588748da3903d30bc4e48332e84250fa
SHA256 61d9f6dbb2e69c38d3d541ac51f93e825f59f823645d55260894560a97e70f6c
SHA512 4adefce7ba642fef7667dfbe0cb95aed5eb7b6cb14aa303958e18686c0200ba8ca579528396d6440d45ef1f751418a8f95a8eca34d00f6cadb6c033896b46437

C:\Users\Admin\AppData\Local\Temp\UuEEAosQ.bat

MD5 b87494a7cda1dd9911161b29de1624a0
SHA1 4aa1802f51c574f667a0dec64b2ffd40569765cd
SHA256 98d40a75e9ef5842d9984973b268b60d03b7bdfc9cddea52dbe43122b051aceb
SHA512 5fa0e52d60eef467771a64bf708ad6d1e3b385e120f2ba236b9e5fcf59350cad8590634f330ecda7f3107e3de51b7aa2f9377f6ff976b1a9f0a20dd409ef34be

C:\Users\Admin\AppData\Local\Temp\gAMM.exe

MD5 543c4696021b0193fc0979dc5cd9b6e5
SHA1 6f37a9ddd20dcef48799ae25aac2d26331947359
SHA256 12a0dc97bf5344d8a074ec9c31d461b1a99671e0d1de0bdc3316cf06dcbdc3b1
SHA512 7469b5228b7a466d47b5ad9bb7877b9d62ebc432ba2c991ab195392f95a93e5afddf71074ccb2e6a6795838e72295d4dc76c58ee7dd48d843c51537883451ecd

C:\Users\Admin\AppData\Local\Temp\cUoK.exe

MD5 122cbd3ba5256087e5b8fa1d91e27dec
SHA1 30ae54771f2f1975e94cdd307ddeb0c4d0ba3de9
SHA256 4a84b82c9a1364b5512969274e32e1b0ae090945b805b81a9c2ecc42db37fdbd
SHA512 124a71c1f001864ad42de5a3c53985bef7e9e42c5249a4eb21bbe42e0ae6cd15b14fd052d382cf524a9d51fc937649956a1a37f55e5ccf28fa3a44f485f27763

C:\Users\Admin\AppData\Local\Temp\IQQc.exe

MD5 7333035f5d1b0a5d90b73f3960478ee6
SHA1 a20aa792f2a1eb133a1d3965faaf71df21508d1d
SHA256 a86975ec1e8c7e43d313d6cf980cd2dfd159da5534729a122f3ae9f8514099f7
SHA512 809777037ef1a4bc46bfb4b36778756815f4f98f11ed72f1d722ece3d3f3cdaa6f70c2ff324fce56ced740337b8691236a25548038aea8fac7f9900be10e7612

C:\Users\Admin\AppData\Local\Temp\sYYy.exe

MD5 f768586a1240b7378099fb9a700772d0
SHA1 75aecd94db48b8acca3581466baf71997599d611
SHA256 17cb23ef68e58c61c9dd6a02ff7c855968f5996c2253532cef395c2a771c20a0
SHA512 da5ac39059c74d47698ab9c67a1cbd6e3bb590662b2c30562871426da3022b5463736da55cc556f551f4a551261cfe39ac44660f2b708f01128811a09a79b050

C:\Users\Admin\AppData\Local\Temp\jUMscgog.bat

MD5 958c997d258cbe83fffd550342894dd8
SHA1 5f28b84a7173942699a366d5fbb33548cea1b676
SHA256 c9229152988bf4ad857c6009507e0daa022808661ed664cb5973a9502df54b39
SHA512 8a804199ecdc286765058e67180f90a79cfda4e1b53dbf05b06db876e9574572d51caeb1fa020743e91ba1de6971eba064764d513b13bf1ca93afbf4b0b4d88f

C:\Users\Admin\AppData\Local\Temp\aYsc.exe

MD5 1c2add89729231cc50a77ceccb74b55f
SHA1 fbebf17bdbad06e88af47476cd2a9d6aecdd9466
SHA256 86156c921fb5cd0315e91a38355ef34089d67894a393bbdf57b60a2ea0cb21ee
SHA512 774a481b47f2f73ac04876330d0a545a1b155bec3375cb70256ac36f636fa14a08d5828a13706b9f15a94fcea8ed0fd2ad9d9356c382f6ec302d160ed1bff71e

C:\Users\Admin\AppData\Local\Temp\AEEG.exe

MD5 5a7dbca42e6ca447813568c6f306216d
SHA1 f2e97c119d1e1531102dd140702e39431221ab7a
SHA256 25e5dae4cd074e06879f2a2e085d777571ad02d7da85161b9e790f2127792795
SHA512 1a98d3967aeb5de2e2ad0ea33b1e2d6691ad4d93779d690f71dc0225581e4b9047a59b0f14132fc0b807641ec79fc4208abe66c3d57fab5a1e8bba620d0223bf

C:\Users\Admin\AppData\Local\Temp\Wcou.exe

MD5 85b5bf9c7b815aef068e52162da864bd
SHA1 6ff740e42b451dbd9d41d88f4e79aad98bfa92a1
SHA256 e7bed022caa6393cf3797f00330d4e3fe2547e511145f375cf5bd1b971fc5658
SHA512 2ff9ce0bc6d93ceedcf8adea65d2543384fc228771b3fd3a9e1254a8b85ae2dc5ff4b12f0e57f9e20f1ce13a92a52697f161953ef9e84a560775f276189e0341

C:\Users\Admin\AppData\Local\Temp\RCIQwUQg.bat

MD5 e3b7b663548f4a5a5183611aa39a0dda
SHA1 8df0cab0f3d951365dfc598fa37bb69e5204caf1
SHA256 77f781a03f021f60851025c939df49949daba8336e79c67986c6d784c85704d3
SHA512 d9ee0faea43b89f5ff1299c379c8fc6012c301030f2601760441f43d1b2fb0b3888b2f4d578b559307ef401e77f3a89546cc7aa9055499b4fdadcedb0ddf017a

C:\Users\Admin\AppData\Local\Temp\KMEa.exe

MD5 0cee51e86a475c36de571f5e778f169b
SHA1 afc7fc74be9592688af426b86788f377da26fdaf
SHA256 091d912b8c2f3589cc0dd71c2dad8d81f4b85f0ab68c38adcbcded1420326cf7
SHA512 44dd785c605b3a043cded09ae7cc69fc7ebe21872f05b287bf70f4277fae2ba8686779e93504e0406416ebc87f67f36377f114c6d29e55e1bf141605e1e1d6bc

C:\Users\Admin\AppData\Local\Temp\CEMI.exe

MD5 f4c33c3c2ea973ac75e5791b0ec15be9
SHA1 a0fbecda62c273b558c5f25772b1ca6d150c9503
SHA256 100fff170a3b6526f5828d5cffe78ad646f95d6c0bb89a574a02de87da257e9e
SHA512 35525365e4938d25c3d097948d39cf2139adf0a28fd76849e9b6db80a573511e23f8339cad35620c0f774775128559d46b718deeb984abe3a8b636f3aadde0fd

C:\Users\Admin\AppData\Local\Temp\mwMY.exe

MD5 70417d2e4daa7d458d4382d84ba253ff
SHA1 78d149471f9a95d1686b88bc5f6a0ae96f9a2c53
SHA256 10ac828ad715dba0a8c2ad226ae902a919747f7986fd8821cf6d73c9b451a3b0
SHA512 cce1b30b5ca5434a87470c7fc278421a2ff1b0f3764ddbe62b54799d9a1f99584866a0edc0fa88229ed04e69b7a5ea765b251b403665dbbb5f6c490c3e2e2b51

C:\Users\Admin\AppData\Local\Temp\qcoM.exe

MD5 1a5a69bad9efd7c988c9a91a4ce22026
SHA1 60f5910827189d959ed4dcfc3982b14b5953e5f3
SHA256 2ded62540e4a8d6666dfa115da30e185d06fff46bbbe6c4882b253c41665be10
SHA512 8efa19887843a73d2973f9e9b1abf218f53d830c7e79d94649e9188d4942864ac481fa4f169510ce733b7f93f03d202f0273da981247d8ba335cb1a6e276b108

C:\Users\Admin\AppData\Local\Temp\HQkoYgko.bat

MD5 368854a53ba879cb5aa348d2afd48887
SHA1 e09eea71cc162e313a62ba02be623b84dc80d7f7
SHA256 b9f4f7c37c781fd1a557cee3c685f07467d7b2129204b5ad6d961c5e13961fee
SHA512 fb5c710ad1e1b64919fee118dbbced89c73851ed7793148c6b95163c2fa3db90c2a3151f1a5ce4fa4c64eb19e0b3bc8ce6aa1cf13e73f8f160e9c381a7a04c5e

C:\Users\Admin\AppData\Local\Temp\gIQI.exe

MD5 0f0dc43b74a3ab48bccd4a05450c8936
SHA1 a2d8ed42dbc061a38fb09fd2c57427a1854662c5
SHA256 8a840eb462fd0ed332d4398cbb00f2db07b4db28078022fb1c0a75fe08b5444d
SHA512 0b3f6849d9d79f489ecaafd0d3d398d586f806fc704a1c1d705316bef159551238aca0179a8c6a5e98579f48692f3f8278aa1e5cfcae54595144bc5ffb73e683

C:\Users\Admin\AppData\Local\Temp\cQsM.exe

MD5 3a2934e681d99de48dec31caf688d275
SHA1 7ca96fb5b2caa6391b03c960f708bc53092c1b13
SHA256 3ea5b70d798acc478bc9394946629ab871b2a8f6c9715d5bcbdc8a82a21c2ac4
SHA512 9e3782ec5f0db5d01d194022e36255d599d5aaa611bd8cff72475b0953e824de862298691afedafe79bee2bd3546e7df584febfadbf16514799ac7eb7055d855

C:\Users\Admin\AppData\Local\Temp\YQoK.exe

MD5 c1b24cd4ca61008735c3610dafa9b12a
SHA1 a0a5f595e3f25abfdfa315dcb4ee02e454907205
SHA256 d6342a99f9f1e7d2612bbc4c9bfc306ec7e0d5630caf6009f34b882647fa114d
SHA512 a16252dab0e241660dbf262bf12f0d69cf0f83a8f12c8b1d060df46ee00082b3112efc422d05c966dc8ce4030ff1656697812582630fbd0c3a792a4ffefcf82e

C:\Users\Admin\AppData\Local\Temp\vwocMkYE.bat

MD5 bcbac179cb8167136c96413569620e53
SHA1 2b00cb48037e35d195f9a330e65c4b2c74fca695
SHA256 7d47ac02c135aa6a8c6897d2000f700f8fc7ab5cd92afde260672516b69472df
SHA512 b040312fbd4935d592ea14f6f649f4693e786714cab542a885c74b3059de119b5383c2b8b6706c364255a23721f9e496d62338065ac7e5e5cf3e83d7ed0dbbff

C:\Users\Admin\AppData\Local\Temp\OooE.exe

MD5 51051edd1b3a8832040a2fb737a78f27
SHA1 7627a01ec088e53516987868a3c3ae33d5659991
SHA256 989fe305532120561f316ee0cf325e3cad93156078e8731afafc4aaa926b6810
SHA512 40b1903b284f754b74843bccead9c487e8532f746ae0e2cde31e7f3b42402db0f3d7d8489d84068b02287e818017ab0a1ea0e1b13cbe29ed0553a95b7af58dca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 c8ed9123d1690ceee47ca46b6eb3acbb
SHA1 c878f0e5e7a4cd804b3931c4f5a894c63f186cc8
SHA256 a45e85e4e83864bf737a84f7ec79e5330bd5a66db41211f3ea004c389e52d231
SHA512 5a74a3ec24bcc449a032057453e547c14b30f9b291539f12e167a4c089bb3f0727dcef5928bb6d2f1fcbcf34fc39c9a241acf378b92f20c57a6f7082c695cd65

C:\Users\Admin\AppData\Local\Temp\IEQo.exe

MD5 e1e0b4c9445202c17436afb47d55f25b
SHA1 23a3fa4d9d9b12c804b59c88b966ba1d65d61561
SHA256 09a44a4dc0e25237e6aa970cbb3a67e6f49da4d6818de17fac719f4b325f341b
SHA512 1b7cb1db6dd720e33985ef22ae41fdb1acd7ac08b6d0cd33b4ed9985d484c0c5cc3f0e0079b0ba2ff9d87cf29f4c4c1741921c45ac904783a402928f87270f92

C:\Users\Admin\AppData\Local\Temp\GiMIIMEg.bat

MD5 62d5909ad3a79de825e679e402698924
SHA1 0bf4a2f0634ed01904ee5aef7094fc9424d81e27
SHA256 c89d7481435da3cff0f6e3ae510630bd5cd65fd7317c35bc54f40e8c91756e19
SHA512 d07fd1a7039aaa2de3b98409e842c67eed0b4d7292b5e88e078e118f2343ec64e124cfa05ebb0642c7113d64de16a84e8055c0a4a172176844c807eadff7e6db

C:\Users\Admin\AppData\Local\Temp\yUMU.exe

MD5 153ad534ddaf20ad825db91f12b1973f
SHA1 96c596a5190d19ba7e227f7d0467ccc23f77d765
SHA256 9322eb6032829bfe2a909fbb9ba9c0a80fdb2c69d3efa657a7f4b71970339473
SHA512 9ea03de85f1be11ff0c949e02f5ef07679e0cd963a08e0f9fbf666734f37fcdb79d196c2911a677d3d5a180ddb3ec821ea6c5bff66f1393874022fb379d7c237

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 948fb4d1c24cbb6caf442d123e1030cf
SHA1 2d208f737720b489f9df3f3b9dcadb732ffe106a
SHA256 b8affa3a1c25a813c95698a8d772ffa15a4457f858b20ed62b84d913a61977bf
SHA512 fe5c6bdf4c32d816408950febfceaf851b6362ebde94bc01ca5c493ed1a060bd176575c8bba16b741c3dfb1e6c441d1aa3ab565cb7650057154d614a3d18cb4f

C:\Users\Admin\AppData\Local\Temp\EQEy.exe

MD5 bf21cc94c15432cff41c5aa83b4ab0c9
SHA1 5ddf16c35d3e07106e2bb00874f89e7d75705059
SHA256 8c10b1cb65e6f19d0deecd195721de40fb337a09afd8663b4846e5f879a2e357
SHA512 595d8f837b49006baec2a30500fe136da174e9a98252815eee93d61fca83a8be81280c563f66739b43c9e9bf8c3489c85e0c473f20be606f9e03139390ada2db

C:\Users\Admin\AppData\Local\Temp\geEscYkE.bat

MD5 f431a4dcbe378f02b19795e2537103b5
SHA1 4d63f85bfc5bdf12304f7267436dae94296dbb73
SHA256 f59ade432d38982afadfa55bcc46ef3d6e736a718fa57dbae5f5d29deff0c94b
SHA512 e08be867ddad6f9d594481c88c3d26cb85aecbd8b0b6fd4a1150d9dcbd123c5b57482d2e94c3293a59623fafc57a5a249ddcde1db341c2d22bbfabf427c58b35

C:\Users\Admin\AppData\Local\Temp\EYkW.exe

MD5 5cae6d32648cda67582f65958a6602d7
SHA1 f734a18467c526f63b8a368fddde9046bfeeed9f
SHA256 339c95635c6653e3ec1eeda4f9cc3517a8f11b56330a13b9841f397025d6e504
SHA512 79e90261f829185c9de061d350b66b06678d539147c148d0ed7600903d1c54e1000d2c7b71dace8cfaff2156d92cd84ba391cb6a71cd14098df6b79a7c1de787

C:\Users\Admin\AppData\Local\Temp\kAUW.exe

MD5 da82f1d570a5b81e4a3b1b78de74e6b3
SHA1 4ccf0479330701a99f446d0f03756c787cc5d419
SHA256 31cafbff26b054ddcf134cc7691ec748fcff6a110d4b48c584e4bbfacf03cb0e
SHA512 e38ebf5c4a537398884874dd44dc0fc27e1558df674b87f3bd8f1962cd075b3400525cb91247e4fb589fa92728b51807c723fd34a3cb09924d65bbac65a82f3e

C:\Users\Admin\AppData\Local\Temp\gMIY.exe

MD5 0dac4526d57f7f5b70ae4714583116d3
SHA1 72cc95b4f43e5922a6a0a3e45d069e99baca4c68
SHA256 c13d1295c4f1224efadbfc45ff704dba1e455c09105278063171e62c99fff3e9
SHA512 afc07dd68891ea55fe54d7ce0857b816c408147e85e73af7a7f8a1ac5fe73a689802a381d6f864c93cc1c2d464a51c236404701a71b0127563fec6a11a3c7a12

C:\Users\Admin\AppData\Local\Temp\mEwMUksU.bat

MD5 eeb2058a4979a4b74eeadc64d258e65b
SHA1 1252ecfa9e97d62c6180da8c0a4381f7bd877f33
SHA256 ba2fbe31b5c806b4a087a6abd51f5fd01a194fa628ba0efce237fda8a6248af1
SHA512 174c97b51cd79c45a7a538dbee93187ab813f1fa55d344ac6638bb3864ccccaa4c30fe9a5093f35b739cd9673fcfa74c4d49d43b1babe133c5f563773a90fb0f

C:\Users\Admin\AppData\Local\Temp\GAUm.exe

MD5 63938dd058649379da4d11489d83e7d5
SHA1 f9497c86e1e1f030782f6b23bf82315bb1365aa6
SHA256 d3514e832c3a0dad08e6944d84f071aae9596538a2e7badbca3b0147e21e2c71
SHA512 25a5ab25f6fae3284bcd0befb75ea1f2a594695b9e3f4fa4eee9810bf67a9ba72d684f7302aa4d76da7690141fcd8c8045778076a3aebb405658876785a705f6

C:\Users\Admin\AppData\Local\Temp\OUQQ.exe

MD5 57ea4d714a15427640c37f3dfed200c2
SHA1 9bcfaee512c9d01aba6abfe14b964ed6faa1a3c4
SHA256 e7171ec05ffdaa6f0e51ae39c7393e3e301f73516496bb858f9a33c7b911cb9a
SHA512 eb317484873d8b27d50d4e38eb68f6c239e62c012981ea1a2b052ed473dd6f009044358527853fc325d60e18391b4bef1d2243d318a2f6bbfeb549f33bf641d4

C:\Users\Admin\AppData\Local\Temp\aeAEccEE.bat

MD5 51883921a90124e2212df7dbdadc4995
SHA1 891c8596c7ee40c092c39e37f7d3b355e91c7787
SHA256 ede47b5c1b488446d8f185879a78eee5e0a0bfe08e6556db3869b08631ff4cd0
SHA512 9bbf4da7a7eb97609928ba64b19bd626ff017d1f81042f71ea148e55d3a1e74db6a7fda9cf9f3caf2dad945c0614f2d74db6994684c74f4ca0d59dc04f4d8251

C:\Users\Admin\AppData\Local\Temp\WEkc.exe

MD5 8ab177fb6128b23ecdcb62b76e92811f
SHA1 12aeae8cfc62eb639b5d86c53f6180d2a4014faf
SHA256 80a3d0d30efdbd57886b891973f6f1f697d595c9efc7cb55715ad8c6a70ca380
SHA512 4d35fb0eb279f2e2ae3cd099511ea1b67de45ac34ff0aee3f812da1a9661a912679745601f657040321a80d393262ad2959da58bb5de51b172de65713000cfad

C:\Users\Admin\AppData\Local\Temp\UIwm.exe

MD5 ff6e490bb63f0e45fc527050974137b6
SHA1 3da67d5995946243d55c25aede8732caf31cc75c
SHA256 9d213a5b077163b9a69ff0de30fbb9b4744602a988735f20fccfb0d1cc5f9235
SHA512 db1b5261db6d37b2344cf1737650fe067f55cdaf78068969f6839fc9af12c50d073535b41fb0ce50a47420f5dbd223655059e98ef4f09855195b8d508ff72f5b

C:\Users\Admin\AppData\Local\Temp\cQEy.exe

MD5 bde28d5e13989b82f02da09094a143cd
SHA1 5b50b824f6cdc0557aaedd32f046914c0523b07e
SHA256 de0e99f1df83e09376a809614ecb9490f8f32ff4c079276a19502b985b943d0a
SHA512 c632443a31f67a214a70b00f72d4005398c2536d8f53cdb1f8123dab22dadce0209329469df5f1912fb0c3a2b4d6be493e5c878927e85189b7539ff3f50c5189

C:\Users\Admin\AppData\Local\Temp\qOAkYsgQ.bat

MD5 8233456a0c1daff2d00711002ebe0ab5
SHA1 1e51d812fbcf2c2a4fad1d5aa13d03088105ba76
SHA256 ebcf93fb75bd97e3101f994ac52c1aec64c78e6475691d942f45930b3e8e98a7
SHA512 b73c588913cf7304a25f20c362fabb746d4daf916c2c769475a1a017eafc6509a42c0efd62d5474d674f1b0ea8d048e8abb495bcac899e1f091c0aceca6494e3

C:\Users\Admin\AppData\Local\Temp\rkkYoQYQ.bat

MD5 765a585de2233640350d57dbbda66b9e
SHA1 9e12e4447cb6911a9ce7d4ccae7216a4f59808a2
SHA256 947203a17e60b5da3172e31cce016e7ddda60ab3be10f2a39f6af74039082fcc
SHA512 9e594c8afac7f045ad2a190187b7af420d2d9d9815c56d8425ec4284cf16c7ee7f5d2a4955a25e058cb0ceb6fc9dbbce3cbdfa2fb97efff3827a1d9b993e445c

C:\Users\Admin\AppData\Local\Temp\bQgsQUAA.bat

MD5 3419c70204dd2f46d2ff53ab5fd17cb8
SHA1 bbeb7f3a1408b2713c04ca7107b4566ee61abb2e
SHA256 fc50999a4d3cd910788c522efbc97525f4fb6e63c84c9410a9d9b134dfffce04
SHA512 bd5acb1f09e87aa2092fcb3a7fa6808ea46a5731d50f0f94edfb82434deda5ba7cdd32408b51a9df1e258771e2757d3f7a303e3d96e8eb384f609b39a068584b

C:\Users\Admin\AppData\Local\Temp\aoAK.exe

MD5 975c34199217a37f99ff49a5d8be9794
SHA1 79375fbb9d86390c7262f1aac5579663fcd5130b
SHA256 4a18b09af46293865dd730bfba147bb20ce9f4dc915d0ee345f22813ed6a69b3
SHA512 7320bbaac627fdc89bdc309a5fe7b7a9d6015d0fec8e8aa15d2b8723636a28d4e32fe20ad61a5af4715c2befe1ffc5949b9496c3355de4a9de3887feeb09f353

C:\Users\Admin\AppData\Local\Temp\IEQQ.exe

MD5 13755b4945d12bc9e57f014f749d3c8e
SHA1 98a5cb54ff57e2f39c9f97334fa6efae63ecd562
SHA256 0e51dfb77ed31ae2d3ab539ed0522c18747303b47c37f77f00fd6ae5ca32b3fe
SHA512 418864f0477ce4561cfeb5aee43c4f392908a09ff10ae15868e49a51a88b11da2f121381a683dd64b24730a2a57de9e97b36eab94424409eda318cff9a9c7aaa

C:\Users\Admin\AppData\Local\Temp\sYcK.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\wIIw.exe

MD5 280205e802e585a0fbea36d91fc03cc7
SHA1 44d31917f714f3fb79fffd6771b311003d971ccb
SHA256 4fc1cc9774f0eaadd9a040997d9de8c4334bba98226b2be7bd58760244a8c9aa
SHA512 352fb7069dbed6a72094727ba43e459ccfdbf227adf004f1c675e4d51b85d58acded0ed1c66a1120a4528b157770cb1704f041ef10af27b41ef845d1c78cb01e

C:\Users\Admin\AppData\Local\Temp\uMEu.exe

MD5 7a4656f7fb548b5347f29b8f3b01d7a5
SHA1 8cdc967501ccebae46bda98c4b2852786827dfe4
SHA256 dd3bfd58ccef841c7c4e23fc6ba129ab30fef010681e8ded746ebdc87a4bc5db
SHA512 f42e299a3517f70c0e08e6d1a85796a5cd6c23c7cc50fbf23ae5569b4ac245e26c66bb825545b5e54e49da2c0c9aad32b03155ae5a2c94f0a265e8e98a0930c5

C:\Users\Admin\AppData\Local\Temp\wUAs.exe

MD5 78f23de8275b52945447ee72578d8d6d
SHA1 7cac825b55afa069bdcbb588c305d5498daafc41
SHA256 d5a220a64f32a2d06ac8cbdf45b38a562671d06861ecde72fc08d2463672934d
SHA512 773dd9a3ee6b855cb2148cd12449fd8be53dee2f28da10601a5ad3737acfd9949c8f51f4f21963f28eabba64f19bd25b7b4dd35543465e7ee7b6737ee7ff48f5

C:\Users\Admin\AppData\Local\Temp\SMoY.exe

MD5 43670f5b207e4ff342141e9886d0a818
SHA1 b11812124eb5c06de020ac266e797c663e321a8d
SHA256 2e8567c5909b13289cea5b463d1bb03223e7ff5b6fe0d2b95476778ab5ac54b5
SHA512 e4fc223a713034eaaf7c6dc41220158fe27bfc58b1bbe78aeead271197d21a80dc0cb3843e0652686828b3e5470da72f15633635968cc303f63b551eb8b5e0f8

C:\Users\Admin\AppData\Local\Temp\QAIo.exe

MD5 c8e5f70c653f658bfdec0a8a634d5a60
SHA1 5dfcccd3f33d3f7c7037b62dd3abf8e4d1a1becc
SHA256 4e20d6870f65521ea34065840ed0640daaaf8f4ecccbefd9ee967f871aca45ef
SHA512 f9a6aff153e3b8928f269b7cf880e1bcc3db461901047f131278f680bcdca4c7d28d99e570a4844e96d9be43b3d46397027ccba32056539dd7dafad345545fca

C:\Users\Admin\AppData\Local\Temp\TuMUEkQs.bat

MD5 bb387282f14eef2507f882d81203bb44
SHA1 c21c3c1931ade3b55c4f3dd07ec6c2fcdb94e150
SHA256 5ab53ee2ea9aebe2df6537e792e4be7b44b4a3eb9753fb648a72aa9e46dfc516
SHA512 0e743ba422d4890865c3394ca753d9b2a3520ab8169ca0947188591f8f5349d3cd1a90d488a632991566281e700152ee9bf51dd75c57444563db386f6a44b549

C:\Users\Admin\AppData\Local\Temp\QAci.exe

MD5 c9bc3f5bbc3cb3ae7a5cd7fe0d219faa
SHA1 fd604b18aa3df2102e7ba949194de4d67a41f626
SHA256 383571ed5ce0930d3c6c1d116b69ea25b49e4e31d5b1e05dbd93ef6c19bd2c36
SHA512 de75695614994d4ddf082e61653a5f31b79c2ba2701bc68029fd220f692a811618b3dc2f76161d597cfff5d0e42486883ff4d9128a9dd61f5913acab3c86709d

C:\Users\Admin\AppData\Local\Temp\MgsI.exe

MD5 1fdfa8a40c432b424575be73022a3dcd
SHA1 2ea1f26cb4436ad85b93d99ffdfc23ed0bf2c18a
SHA256 44fb93fdb7f632a8675099b9467a4f771f7bdddd4034d41fb5637a9d25429152
SHA512 99eb8af8bdfad13ec7a7d0fb1223f84ac803b2b1c7f0b3ccc1d07abcf0751c0ba9bce56ae7350c1fba08a3b9c35b45ec620f68058c44c2456d7a92045fe41f70

C:\Users\Admin\AppData\Local\Temp\KwEk.exe

MD5 4361b84ffb2be02c206ec1da2768b86d
SHA1 8a53cd4b5e8fba360876d63995e0d1e5973a3567
SHA256 d42cbeb62033af4d6566cb017a6b6ec2f8b284f7e3e575b3ed6a6bd0b5daeae6
SHA512 209c3fb1b2058fc9badf070fe5cd0050024df85d841151a7deaccf557b1d2fc45b490503c2c39726f59e874d347b9d94d26e2fc52c5935a47df1564bb93451a2

C:\Users\Admin\AppData\Local\Temp\IQss.exe

MD5 2fe035e8d38d992785387495e2af7aaa
SHA1 2529ba8c66dad92fc6c0703052ad5c2bef2411e9
SHA256 24bb5d4a97005903045adc9508871b68646f86d07f9d77201c5d14dc0d5fcc3b
SHA512 87ee6cde37726545b1b972bd4d98d63ab8b4c01973b4290d8b2d3cf0af41293ff99b0fab559b1910576957842773e89a6468a22e6f91a79b80843cf438e5ec61

C:\Users\Admin\AppData\Local\Temp\tWwIMYcA.bat

MD5 542e480ffdabcf56d6868da9b74e478a
SHA1 2f9a99c5e3fbd8355f12a4ee740c67304b5ced0d
SHA256 a85a8de5c3f3e7a67a660174495d8418b0c83fdf8b91b05dde74b6d897c5f0b2
SHA512 e174afbfc1e8b46a7cd15fc53d5d769ead1bc6afff5503d8b1626b0938c8603116f49d047aa7c7f8951ddf1e4b4f602786f190738e28aec4e76d46c5dd6e39d0

C:\Users\Admin\AppData\Local\Temp\MiccAAAw.bat

MD5 cf4eaa61c89f2ab81b930d38b9116805
SHA1 e7a1a1f951436572a62ef57128e81d767cf2a999
SHA256 29ded0cdf05a36e93ad54934c32cb5811e8c902fe8ea232da159fcdcfbcb8fdf
SHA512 9b888a0c8b1afaedf02412a9fbffef53a1233df1e447e9e1c334239f87298e763a9dcd4e820902a7dc90b78e58f665448a25541e096fd836eee65518acecf5d6

C:\Users\Admin\AppData\Local\Temp\IGIEwccs.bat

MD5 f888e32740ff5265f0c4e98b20c80f9a
SHA1 851bd19e3fe741f25f1f0444ba0e5b18baaa591c
SHA256 5f8f41a4276c9d10b3157b5cdaf41c3824478ee9d8db4d69b0aa92e73db14934
SHA512 0c89ee5829597d78b100ea25e5dac0f0ecdbda7621015b80f5042b6f16f27a3cdb87b6c325ec7b3ea1d785011d19875d5fa2a2ea055de2f3c2a7ae509dbb2aa2

C:\Users\Admin\AppData\Local\Temp\AuwsQMcQ.bat

MD5 a8c35ffb0402ebe93430c2c843eca092
SHA1 0550ca6005d22418a8a1249a4bdde326bebe29ac
SHA256 0c31e37c347ae2c055c5c367598671be00b487159bd8f8fe5a3534f16f61a13d
SHA512 f5519d5b1869d2b2a1ba2125ec9cb1bed8935418dd44e6381de6d0129c269a7757418786391b839ff8db0ddf19e4da5d63c4cc919d72eb53d311b678bf4182f1

C:\Users\Admin\AppData\Local\Temp\yUMYskYU.bat

MD5 fedf8662dfeaa30f2cf9a31dc68860e3
SHA1 7e9d8184866da13921ff4b83ba9a165443760241
SHA256 76a82412321723ce4e00f7efb5319d0a915d1054d59ab2aaf4b39df4d9364ea5
SHA512 a07e3c3f0ab49419403bd47287b4c3f4e23735bf96fbe82e245fcc2dba2a963e8138f74d6aac181c816fb19cc24b4b93d94a426288f43f5f0c06793c54bd8ccf

C:\Users\Admin\AppData\Local\Temp\fMMgIQUw.bat

MD5 a6a681ad2c8e5a047462d5055fb251d7
SHA1 ad2a81444a78ecdbf35f027aee32027520c17671
SHA256 7a71b199d75fa772bd328b625e53e1ba89cb1add6fa50edbc1c455ede35f4979
SHA512 6de48c4ddba7a248629954edb0881b6429a42db4188f618fbbfc658d1a5ca7d56a368ea7baee2b0b27afb31ff3b82bfb57103a23e29c669d7913bfa569b11a6c

C:\Users\Admin\AppData\Local\Temp\lqYUksYc.bat

MD5 3eede81483e5ed95a9b5dbd62bd3c631
SHA1 bdbe3478c9db97dfc97d3d2e3489207f572bd84e
SHA256 8cc521ef8438b5d390a93327d7133a76691a845eab325da3cfc5ff46b0ccefa0
SHA512 5eabd1edf61a93d1a538debcd4f27104d40ad31c5dbbc6c18843e955611c12c9f5c03d659fb907d4a526bb003d8ff15cfe80ed2fee4f45a739a30ace463f17bf

C:\Users\Admin\AppData\Local\Temp\JGAkksMM.bat

MD5 33aed39bf308c901b1e12fa0d5d83cfe
SHA1 34361da66d90a871a740bf3ed1eb20f1ed78f76b
SHA256 a2c5c7f491ccfc4233b6ed0b3b2b5ceb2de9b0375618f1286ccbcb1d22c25bef
SHA512 7013b0980a735e683cf2788abade106230047b7b3d6f482ae0a6b3a87298c834f5ca96f2a9d6cc4ef18f886c18551e5f8abd4b8675c24f632cb8ab5bc25eb18f

C:\Users\Admin\AppData\Local\Temp\lscowQAI.bat

MD5 7e74a265e6b8e3f5fee1592a8e4179e3
SHA1 4bde392921d68923ab39b730a9fe2f5e5f985e41
SHA256 a64b7dd1ff09b0536df7c1ea5df9d248dd8979ae0e438ffdcadbd0836c8e391b
SHA512 1111bcc03f32bd58ae4a9ad4768c354908033754856caa56f2e455378c301ec042479284333ddc7781964bdaee7b3407c301c37270789b6fa3a990976118c4a7

C:\Users\Admin\AppData\Local\Temp\DWcEAwoQ.bat

MD5 32cc61790e9c96c11ccb14920d82b1f7
SHA1 7a608ab9d3b725badb848d7906891982544a49ad
SHA256 3c06da9e90dc7308d288254670de1288b2399ef7c9c2f1dd5da0bb3b0bc101b5
SHA512 ec1eefee04b8c3c2ace6ac26b4ecb00ba16b2d6e2d13409c013134fea0a0b5144de8af3f96c36ba2b10b59364b96af827cbf86948336f8ca783a5599ddac3a19

C:\Users\Admin\AppData\Local\Temp\mGUAYooE.bat

MD5 b0f5e2fe27c02d13d3a77fdf518224ca
SHA1 c80d6f9fc9f4243715da829b5405392709779ded
SHA256 9cc745f2a766e5093a1df733c893affbe25061ea5adfc55c78c0345801974e24
SHA512 dfad48d29352105ac83a650103c503b8ce66f081088bd89059e8084500e3494335d1e9d7ddf925bda4dbb3d03dacac048101a23925c0ac3cadf63838029807e0

C:\Users\Admin\AppData\Local\Temp\uOogIgsA.bat

MD5 34a777d1d6010d408ce7ef64b13ac286
SHA1 fedfaa3fab335c41d6355068cb4d68da1b8ac1c4
SHA256 a4ef868760c725dee892bcdb185e990b5929ac103b789748bd766bfe83b04552
SHA512 6b22d409e94fe4f54f6041152e46c99cfc16f69f819aa66b717279e3e68345a83b0f5fb9a7b7d6224fe7a7a86704f3543c473cc49099a8a74aa7b5ceca556208

C:\Users\Admin\AppData\Local\Temp\MOkUccws.bat

MD5 119730f42d0059e9afb42876b88f9fa2
SHA1 7eac6229d2698282c62963eadc9b839070ee7d68
SHA256 4e1d09883a136aea492dbaca1f446979019f43b10e6dc63baa338fcbb84fab92
SHA512 53e6e7ebad0483bca14fb2874190cdd5ac9cc0d4c012a6683e061f2e1130e0f2c9ce56a713fa204449729d4a084fc3c24edc0d80c0130a1db8916159dea18fc0

C:\Users\Admin\AppData\Local\Temp\WmIkAMwc.bat

MD5 430ab4643609f217d0e9e68f96c242da
SHA1 f0f5e5edff6646430889eff077f3df7973686bc3
SHA256 3ccc08bb9231ae9ccf2d1aa28680368e9c52f07a5ba85388d45f0b6237e1542a
SHA512 ab94e2f5802b9c47862286821060cde8a3bfcf989b21f22c98d212f79b6928850a2454250a3b3bdae134610a1143352f7479656dbd75d19b21be82d9d711d6e4

C:\Users\Admin\AppData\Local\Temp\rGskcYks.bat

MD5 28b2addaeba4683351de809882f12f2c
SHA1 2046987ceb6a026fec70624f5b75c59a9df0bc77
SHA256 df60ad568303f4458358936f3ab27c9f8181a7185c60ff088637e6baf3264f0f
SHA512 877fc24624874f68af7c8e6acf961e3913e2ab98f8d9668e83b0ad9f0433a6be29f6bd4ca5b95acd01b87afa3fca9893ddba13c3feb7e7ed04e756d13cc51007

C:\Users\Admin\AppData\Local\Temp\FcEowgAY.bat

MD5 18cfccd448152e3051f35aed04eb470a
SHA1 8383f5c44e99a603f97494dbbc6f9dbfefbb8262
SHA256 762b2b733c83deae4399499e86b1d3bf2c04781d8ae9ded4002be378d27c8e89
SHA512 41124798a0c1d15d2400fc366475118948690f16ad084d7472bbf298bbdf108c04979f59f416a625c68e44f04a201d259ec51738be7104b28a430413bc6304a5

C:\Users\Admin\AppData\Local\Temp\HcUwEMss.bat

MD5 eec23daf35d8647b36b5e2f401c30405
SHA1 2b2ecdf9a4ed1cd8ce5560b6481e4e6d21209e14
SHA256 e8575aa72b170e2965c3f76f32f4206fb921a4dfe52a9df8100d393a45535435
SHA512 23f1107af215818768cd1951fcc2f67fc350917746c4d56bb67a7919960da0de2abe47102a127784e5a75e0d4e14ac511e026d4d244df1fb06b3309cdf232d3c

C:\Users\Admin\AppData\Local\Temp\RMgEAIwc.bat

MD5 c9529356120e9605d636e0af418fd9ed
SHA1 d0194ce4d413ec939bdb1bd4b426ef8729e41409
SHA256 ca588276929253cd5e004bee401d20c48435d7089d51b056aa032d2e8208d2ef
SHA512 069240aecbae8848fb79db9c0e0ac7e2f4b985aab503bfc346ed35fa44f7838e280a2348765f3164d59b6615dc93f01b0e5671757ce02788cd0637df66f73d7a

C:\Users\Admin\AppData\Local\Temp\kqkowkIU.bat

MD5 2564fe99ba3b852c36f2a03d942f772e
SHA1 ae346a9ec38cbcb65a2bf1aefcf336ab10152e01
SHA256 f108dfbdbbbfc3696b5f7a5f3174d261c72485f2f9fc8bcbf8666ffc21232dcf
SHA512 0ff3fddeeae386f7221956c7e12e41a466b2ca00d5be22edc9c137ee3bc779435489b0712b7a482e7f1b30728055b8b7f9045c8a8493fe9a22dc1c5299510e8f

C:\Users\Admin\AppData\Local\Temp\YKswMsgs.bat

MD5 23909bf20635f3a9cf36bfdd2c88027f
SHA1 ff674b9da34c77b56a9720ef3f21c89f70a9ec3e
SHA256 bda24d4f48b3337230f1c9298baf4e04542b051a0fb7e0e7b0b069f1b9b2f0ac
SHA512 6d081daa9ec4761af778233916a6485e5e84ae1425eb3f1f0655147da2d8a14f53d2a879bfd4e83d622413884d623182b64dbd2b23b41ec252e43a917a0aac5e

C:\Users\Admin\AppData\Local\Temp\UikYQwwg.bat

MD5 eef3027a14ea66e00bb090a8f5843afe
SHA1 796b0c17ade6c3d8bda53d09b419fc57a24b5fa2
SHA256 597013d41ece36677f32488a674e5325fe27337bb8c72e701e0d515e13cba688
SHA512 b20e77222901a64613019c0cd4feb40083a3546aecddc1f23696254a82375cc6c6f5d3ecfab38475d1d0cc1ee61a6f96a3c1fb1b31ffe2bf37195b54450aa55f

C:\Users\Admin\AppData\Local\Temp\uIYMscwo.bat

MD5 111d2de57955c0a5951aefa73fd61ffa
SHA1 476144c3023952d2bce25bc1ad0b279d2c6c8505
SHA256 660b44a27f34d1fbc9b1a42cff3ae88d3029fe8dd4fe507466d5a89275a64004
SHA512 79d7e8c96bf5a90fc83979faf9be03971a6ee32cc2b2b248bfc43062a861de574408b70b48c7677b6d64477067051ddbaa7ad075ecf2e276936a96c40d388b70

C:\Users\Admin\AppData\Local\Temp\UukEYows.bat

MD5 923dde2204c30a1d9ad2d144c28dcc84
SHA1 5de2b4aef762e40a1785df4d501eca181cc94c6a
SHA256 df2c7224cd897f2413787bf14b1ae0383c95e3870ff4ac62e4d26fdeda3c04a9
SHA512 58cf00af2812d609150365a9e2f56061c32984fd00a5e47ebccc80b75c6bacb839efa09ff5abd13350afbb4d57a139fe9e73b4f6d99a77f5cd0b02ce5a82893b

memory/2824-4519-0x00000000770C0000-0x00000000771BA000-memory.dmp

memory/2824-4522-0x0000000001CD0000-0x0000000001D22000-memory.dmp

memory/2824-4521-0x0000000000560000-0x000000000058F000-memory.dmp

memory/2824-4520-0x0000000000560000-0x000000000058F000-memory.dmp

memory/2824-4518-0x00000000771C0000-0x00000000772DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 22:36

Reported

2024-10-20 22:38

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KaMIMEQs.exe = "C:\\ProgramData\\UAcQYIgk\\KaMIMEQs.exe" C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TgwUAAkA.exe = "C:\\Users\\Admin\\nYYQgMcY\\TgwUAAkA.exe" C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TgwUAAkA.exe = "C:\\Users\\Admin\\nYYQgMcY\\TgwUAAkA.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KaMIMEQs.exe = "C:\\ProgramData\\UAcQYIgk\\KaMIMEQs.exe" C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A
N/A N/A C:\ProgramData\UAcQYIgk\KaMIMEQs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe
PID 2500 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe
PID 2500 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe
PID 2500 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\UAcQYIgk\KaMIMEQs.exe
PID 2500 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\UAcQYIgk\KaMIMEQs.exe
PID 2500 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\ProgramData\UAcQYIgk\KaMIMEQs.exe
PID 2500 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 1760 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 1760 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 1856 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1856 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1856 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1872 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 3460 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 3460 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
PID 1872 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 1872 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4368 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4368 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3176 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"

C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe

"C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe"

C:\ProgramData\UAcQYIgk\KaMIMEQs.exe

"C:\ProgramData\UAcQYIgk\KaMIMEQs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKcQkAkY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYsgYcIw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmcAokMg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaIowQAE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMkIUsYI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEUAwsws.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEgYUMs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyswcwsE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyMwgAss.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMowUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISoYMYsA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYskcwEU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEYYMwUc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYAMIogA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncYAkMkM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYQwUgEE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beQkEgME.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCkYkwIA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIwUEwsg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUoYkAUU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEUIsAAo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQAsoQIE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqkcUccY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NescAgsE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcAYYsIQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkQwEIkM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMgwUYMs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiYMsEEg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOQEEoEw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUsoUMcU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaQUsoAI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIYwAQcc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYgEMoMs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQQIAkMw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMcwMAAU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSQgMgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWUwkcYE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmsIYcMk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqEUAIwc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMkswEIE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IesQgoUM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqwUwMck.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUYooMcU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqIwgIMw.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEgUUkAU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQsUcIMk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUEokgMk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKAsEIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWwccYIY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuAcYEsc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCQQQooM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byYkEIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMgQocAk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIAIkIYk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUYEMkME.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQckcQY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWswokQA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HekAAAAg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSAckskk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWwsMoYs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCcwEQYU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQYQMwAU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiwwAAMA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEoAMUIk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMEIEQkg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqwAUMQY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqEIYQgM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZssccUYM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcEccwso.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEYYUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mcgwgcsg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOEkAIYo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwkMssgI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoIsgEkU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGggAwso.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUQsAckU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QssIgUcs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGMUsgEI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAEEUkwA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOIwcsIs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcMIkUAM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqoAQUYg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIsYEQEo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOUgYgQM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSIcgkUU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSIMQYos.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsAckowA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWYYYIUE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqUsgscc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYwAkAgU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWQgsgMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cisQAYgs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYMYwMAo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auYgQEMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGokIEoo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaAYUwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rswEEkoc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUgooogA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KisAIkwo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyEoAsEI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceMsQgAs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCEIAoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMAcAIM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smogQgoM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEkEcEEk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEcogEUo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWEkQcos.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TasMgooM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsAYEYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQoMgYwk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fogkYYkc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esccccQo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkckEwsY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAsYcUMU.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsosQgQY.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmAMwoQE.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIEsgEo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAwIUIgI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igsokcks.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkYUYgMI.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taAccgQM.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOgAoUMo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwkYAgUk.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSgkcAkA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XswwgYUs.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakggMwo.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCMEEwcc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeYIoYUA.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwokocAg.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmwwggEc.bat" "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2500-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2280-7-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\UAcQYIgk\KaMIMEQs.exe

MD5 c67a4eb7f0c14c9de8df00f783d27074
SHA1 f848d76c09946626c589d07a3806a51dc5056f3d
SHA256 758a1e4c3c3568da88a4259aa417c4ca39fe6d1f3aeca963816060c6f2f88ba0
SHA512 80cbbc2663b0feb3ba09d618475e04e09543c828dae15169114c295bda742e098fa9096c9a6ffa586839438bf4fad586b2e476a4beb047806a5d9e6f41d6c508

C:\Users\Admin\nYYQgMcY\TgwUAAkA.exe

MD5 d87e0365e85062e5ce4df7b5ef803159
SHA1 acca426d340d211dd44aeb4efc36863c612535aa
SHA256 b82c49096279ab35bba0818f0911ddb12f1ab1ac8d73bc255af6bbc937ad13a2
SHA512 7d591923ac189b099878d6bb92a653466581136a9e19b72e691c44903d95639d918b482589c2b79de33d0b0f9abe2af3a9f636aee08f1c1bef3d51412ea70a90

memory/1564-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-19-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xKcQkAkY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN

MD5 465608ce506144bb84af2ccfc475e15b
SHA1 ad35db7aedb4d245d4151fe7f91a195248f71f73
SHA256 862c779a739524499e4d3ab328d041769417ff471e5eb7b183372c82a408a329
SHA512 c026a6ca05f92fb8b749cb1bddecca2d5101e3cda05c488ac354860cc6b333392780ca4fbdc71c1310500c168623c365a6db80fe9a11e0e5b2d24ca34f098d95

memory/3176-29-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1872-33-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3176-44-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3484-45-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3484-56-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1660-69-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2128-80-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3004-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3004-92-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1508-104-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4084-116-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1936-127-0x0000000000400000-0x0000000000433000-memory.dmp

memory/368-138-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4208-151-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3440-162-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3144-173-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2484-184-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1400-197-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4152-208-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3872-219-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\nYYQgMcY\TgwUAAkA.inf

MD5 7ef6d386313a45959b6f118faf6792b8
SHA1 878a1c8573dd3e1773b8f4c453522558297628ec
SHA256 9b58265c89092e977796b3d1932d8868c7ec479106c9abbb9ce440a730b2a57a
SHA512 dfe74f289f31507c0eca55a64a1553f6a00c910b8ded44449d4da74b2d0cd2213b88275753a757a8d91f7adf94adf0607db402e633f8fa3e3d3011e1082a7340

memory/3456-232-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2604-245-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1640-246-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1640-255-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4160-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-274-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1788-273-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-282-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4896-290-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5004-298-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2880-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5004-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2404-317-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3528-318-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3528-326-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2624-335-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2976-344-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1388-352-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-361-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3724-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1336-378-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2188-379-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2188-387-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1472-397-0x0000000000400000-0x0000000000433000-memory.dmp

memory/756-405-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3932-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/456-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2780-430-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3080-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4416-447-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1788-455-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2188-465-0x0000000000400000-0x0000000000433000-memory.dmp

memory/232-467-0x0000000000400000-0x0000000000433000-memory.dmp

memory/232-474-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4560-482-0x0000000000400000-0x0000000000433000-memory.dmp

memory/464-483-0x0000000000400000-0x0000000000433000-memory.dmp

memory/464-493-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2212-494-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2212-502-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2920-503-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2920-511-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3800-521-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3076-529-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4376-537-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1040-542-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4192-546-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1040-556-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3488-557-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3488-565-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2780-573-0x0000000000400000-0x0000000000433000-memory.dmp

memory/964-581-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3868-591-0x0000000000400000-0x0000000000433000-memory.dmp

memory/640-599-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2188-607-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2812-617-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1872-625-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2604-633-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2204-634-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2204-642-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3024-652-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3452-660-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4940-668-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3600-669-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3600-679-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2748-687-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1332-688-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1332-696-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2400-704-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iswm.exe

MD5 900b1adfc9ffafa7bc0ea7af9e3534ab
SHA1 525f54d5f95818d9f2d85b6ad8739659e44813e8
SHA256 da5098340044272c926ddd829aaa1b1c945b0e1c06d04624a0969a9dd657c384
SHA512 632682f7e44489b25a1207819c7b595ccd71e2644ef428815b0c5a2e65e23568d39de468ce650c414e6f5d1f033c24c5e48ec5bf212422eb7ec25a1f0c264225

memory/4000-729-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GUMc.exe

MD5 648f24a0d8019d3bf17a9a27e5fff5a0
SHA1 bf2d546586f0e93d955e72f508673b84c422f122
SHA256 cd2c789c2f8c7cbe8121175f52ce53a3e74c538fe0f6a8eae5610eb81cb3901f
SHA512 3834f961b32889b65f66956dabfa0e97985721066e1f7db3f55b0badb5aa3c31e9083184403dea6c107d4b4440300df824b70eab8d2e707012a0024e0d196471

memory/4664-765-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YIEi.exe

MD5 3d63c9ee24a9c680fe19ecadb041d585
SHA1 f6ff03790c7344a66b200f83bb87b1a3eb66f0f0
SHA256 cd5fc4027a3b7073a35b9b2e0eb5f7d3f21c5d9d696695e302fc0e430da1c069
SHA512 8b9cb01f06e9ac0562a1b81550d60cb828aa8f24039b28f08ee6ded579599a04d086948f811aafbf6246145504779987328f97cb3e03800435dbae1155dd3105

C:\Users\Admin\AppData\Local\Temp\wYMS.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\iwQo.exe

MD5 aacde9266fb466ef9a3eb5b5836d01e9
SHA1 4abc2ef6b00cef74201d17c5e850c5120c354d50
SHA256 d186694c868e6add1eb16471fa3d4c551907894c0b7015ef1c93166a0998864d
SHA512 445979c1094bae133213707be75c61770aa97286abf51d7c79a49f5e4e1f5769d0aea86f52db4a4cab6e238e9225256d4417a485a28c2a939657b55f5511be11

C:\Users\Admin\AppData\Local\Temp\Mgwy.exe

MD5 4389882be8ab81788320b7e6b6791275
SHA1 af0e6eb52484ab748b69ac63d1e1a5d16bc98a64
SHA256 7b8747cbb560e903b4cff50ca435a05271e273f7b54ed5f25ce35cc427c51452
SHA512 33118e385120e22a25603ccdc945e273b4a1a8e241702614c276772c800e8daab314b0893d4942f87b1e649bffc6535ae6ec921155e7d3352f2e5f52f848edca

C:\Users\Admin\AppData\Local\Temp\csgu.exe

MD5 e40f6a6082fe8747cee121ef98ba63ec
SHA1 af27b58981eabcb365144d0bacb9b687b6c92332
SHA256 ed1b771e5ae3863e91d01f63a3e393a2a1b3937a6d0927dcfd33ee7bfebbc514
SHA512 bfd798fbd84dd1c1ac5cf5e0fa96740b7118f2f3a219fbcdc79a5f560bd13f64d946f37c153189c08180c6ed2483720959070f77df7026168aaaebb0462d8bea

memory/4876-815-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UMwA.exe

MD5 a73adaf76bd14ee887ba4d120cc8d0b1
SHA1 be4c3fdd90bb864832250a6e0ffd1581425b2c06
SHA256 de721651dd687f6c4e6d9c448dc539bb2972155a02cfeea4a0316fc9404d4fd6
SHA512 1a2d4eb834a7cd9c44e593c26075891ba4d3288e7c72ceafff338f30aebab6b883e55271232521b10b55cc3afba9ca71a0658e717497627a6567cede0ee7c25a

C:\Users\Admin\AppData\Local\Temp\aAQy.exe

MD5 5360e88cb16d199578663e6c043b1bb5
SHA1 6a6acb780948a15aa94f45f5b815a0df7002d659
SHA256 e924620a42a845352b7decb24b43ff987636913626cab7642ea8364399875045
SHA512 0fac04ce3268a4f1c9b801000deb80c0a08dbf09f106cdf57d22db84feae8cf6bb92de3c67cf302e178bd7c8cdaec5e9dadd4c59be9f1a9e08117eb471aaae9a

memory/4560-851-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yUgY.exe

MD5 bc0718f3b7bd83cd32cba3b7d923f4c9
SHA1 4ec6bf1480286a425574d73378dd38532cbc0bea
SHA256 deba8cfd7d6da5aa5d24b69a4b5002b8e79b01353e22e999feeee4ae6aee560b
SHA512 ec5b4f7eaf4f1301ca448be1bdfb38399ef7df75f1705977793063155312d8bda4d50a2f03c0e99831d6cc4cd3a6265e7c8e432528be517e51b4387fffd6d564

C:\Users\Admin\AppData\Local\Temp\uAwC.exe

MD5 82d4df7e3b20d8c2abeee04d545de199
SHA1 e77efafd68109af2f296106bc5d41d1ea2d1677f
SHA256 44f40b3db81853e401c84f96e81a23eb22a34c20fa9876516c7d0bd289b6a0d2
SHA512 3c1b3ec98b00583a0bb4717ed4b2f9034d917c36b77eb5b1aed1c0b545eaf5a081349271c74301e2d2b1715bce1ee475be02d28b6d354c2fbb386acee4c27f89

C:\Users\Admin\AppData\Local\Temp\sowU.exe

MD5 b9442293ded1834205e04623dc7bee4b
SHA1 10a0b13a1adfbb4a49693ca0205dbe4cc8444d43
SHA256 bb8fbcb089f0fdc155d4b52f47b7f2fe01b3d908b505054dd7003536e53783b4
SHA512 2f7bc359d5a79de0e0f1de23f01db28905704cd1e491777e2e99894a453d034cbc6601c180f13af83e3d37e9410a9f6c833d09defebf555b3a6bd309289ad9ce

C:\Users\Admin\AppData\Local\Temp\AEIc.exe

MD5 c94fb0ca044d4b64b6d8bd7dd603d807
SHA1 1f3e4104b2a4bc92d4e92295cf779257922ab6f7
SHA256 478a1ece1ebcab5740630963ef68728f380ce41e89622f60901ff27b898480f4
SHA512 e2298280498e4584bc8b10a12ecf5c9b788b6cc93a6a2a9c384702dcb62d617e2fbb75563851cf18330bf053c2580f73a5aaec3b3f4a33f6c62c5d7498d6b729

C:\Users\Admin\AppData\Local\Temp\iQEK.exe

MD5 1969e4158b2f3af619c7c8d0cb6739ef
SHA1 de0db110f82d24e50cf72c5c8534dfaa048252da
SHA256 24ceba04befbe9b4d212e3679088d16e8a52b903311a261c699e18cf28d37f56
SHA512 c598c12a90b2e4392c5ae70b59412ed7046017dd4046c06eff3084c977d6efb06944506b126582d857879ce2ffd1994cf4c36adfdb6a127661db217e2cc161fe

C:\Users\Admin\AppData\Local\Temp\ucwC.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\uogc.exe

MD5 7e01b154b73eed305a8116a1a6ed939c
SHA1 3aa0c546456676c9b780042cd435374eb36f7332
SHA256 a645f9265e33851b5c65b54ec947f3b778f7023f36ed267ddbb8904dd5123e8f
SHA512 b8dfa5b27e92e80f8c2f6ad222b9fce02c253ff6bcb52697d3047c6d899c70b018e26033c99ae727e71ed5632d83c8d968f70682b5e479ff31cdc3ef40425a64

C:\Users\Admin\AppData\Local\Temp\uYYW.exe

MD5 9872fcaea23369f2573c7a102ae984de
SHA1 0784f129bce959da443dcf5eb4ed91660e572c14
SHA256 c9d2200e82805a97c6dadd0328985c32a57602fadd38f6e73bb65192c6dc6302
SHA512 2249b64050845b4ca3fd1f2a9c1d6578a37796bb456e8f055c1c29093fa5673d3d0f680156b0ff431aed3cbd1bf421ac652610bec5f097ce78cdcbe0d34b15b0

C:\Users\Admin\AppData\Local\Temp\Qkss.exe

MD5 1a2f8770af1083603f68d7d914e97001
SHA1 2ffbed2f87668229f3dc1c8652bcc2f0bd00927b
SHA256 97abc5f14a8480d5598286009e37c19b82d29c7b7c4bea506c8d87c4728421a4
SHA512 c78f9450a6fcdc300630384792c4e80fb9934d55b3d79f4404ff44226fe93792eb1314f5de6e239a23031b04f23ae9f22df3bd55f045d98b2fe514d233d10443

C:\Users\Admin\AppData\Local\Temp\GgEe.exe

MD5 0234c7ba1a7b678d401ab465a13102f9
SHA1 80faaa26e1d355f615f3da0d3321c946e7e5521b
SHA256 6a90d5a8859c11e23bf60b2cc4ab10676acd297394a8204561c93ef1594913f7
SHA512 661a54b9f21c1dba23463ace1612180c076068825981af9a1c4726e0d195c8a80203f3f9b4f045168c31cba7fc4384561a84aa3fcd9d0d12a528d48872464735

C:\Users\Admin\AppData\Local\Temp\awcG.exe

MD5 2b2db3946d454ecd7a6267b04d707e02
SHA1 bbd5ee5de0b66308ea29b7df0716e4cb397f79b5
SHA256 92f72c2ac819c7d7fda0a9d15df76fe361d97197e16e7e305c54b3bee992decc
SHA512 e86aa4a91bcdb432ffb264ce8f2c2b57e903ec8f48bced73107ae1463b1f4e41c43ca17c2aa3aed5223f737618b0b42c28c034dd5b5c45ea7707b105e122dd48

C:\Users\Admin\AppData\Local\Temp\yAwg.exe

MD5 95b5e97a0d9780d94f83e8c73f5e3a6b
SHA1 ab44400d8e59df9137a1fe6a4812570ece27af13
SHA256 2227be9dc4e4da2e5682d8cd0bf7398ba65f4e6902846e56e203cb6c170fb410
SHA512 13d29ce2fed53864bf62535cc6e796a9895aadd6ce67fa8bd3b27fec2df9701af3325696eb26e0ada758b0f3db32dfd5f51221f3b0f5318dc7a672522d75edc5

C:\Users\Admin\AppData\Local\Temp\IYww.exe

MD5 57ed32fa7041429c4d9880c6239c5e46
SHA1 75c81ae3985ffe0aeefda6f43d2687e76b504fca
SHA256 b9d5423e4b17e0386db0a28bcb0cab88a11bf693b703231bc1107acac809363d
SHA512 96f36d05275972ffba6561d4b784b56c3ecb72c4dfe63b1ccef026420110989a3522695df70ef324afe7d19860ff3517d0021f2eeb780ee8560517de22bdabfa

C:\Users\Admin\AppData\Local\Temp\SgIK.exe

MD5 75aeaef186adc0cf8337566bc57b636d
SHA1 dd6ab51322459fc7fd79e0102d85b18f9e8106a1
SHA256 e43a61949c41d9a8b6a6ebd0effd51653ea26732072b4407aa161c34100ecb85
SHA512 59913a18fc1beab094fbc05d0de08ab7cefef7e2a280c855787719d3e6613d267a0cf38f4f44807234a5362011d0a0461cac6d57f6b3b065749f0f44747baea8

C:\Users\Admin\AppData\Local\Temp\aoII.exe

MD5 276b23000b8952c04a026bb36cbffd71
SHA1 4f6d7e1f1c1a7f3b484f1e0e3e0dfd88b293fee9
SHA256 3d8bb956db3a7726a595368a66aa14724052318236821bee3a9bca7a2a24e760
SHA512 f40381e8fe48f51d51888a348d3636e340578f786577c367750291d5093115d0250b2c9e5e6623470df4a71d5946589b69c47e9180ab701a84d01ff3897c4868

C:\Users\Admin\AppData\Local\Temp\IAAG.exe

MD5 2b8251dba7bb0f7a306fc1972a44562f
SHA1 e198f3e8d9f8ca25b4aed57ff18876edfc8858ab
SHA256 092b47846f1b5644a522eaf4b005ae1fdd63896b7870598a06cbabe661fe01d7
SHA512 a63350508e56723c57f6ec753c8ff7088b1d338926b51e8c1f0f10a23055659da80495113895bd5e0e1e10c150db0e58d1997b1ae8d2b6b2ccc2d27836d782d3

C:\Users\Admin\AppData\Local\Temp\moYu.exe

MD5 4074e504c7a1b4a8bd8f6a1e3a29b0a8
SHA1 fce53626f39a28d2c1b0be53029bff1667a4e91e
SHA256 1b1525f4507b4b92c09c729b40008c094c10c12ff9850db491cbab9a9cac5699
SHA512 381aa4a41aee47d43f9f0b33c414f520014615f4d2bdfc44afa0e7da592a3a501b398ecf8f8f363c20fff8489959bec69c5dda8469e16fd0a610498d2a1b7183

C:\Users\Admin\AppData\Local\Temp\eEEC.exe

MD5 3a73bdd99cd41a36471bb4a4d42a4663
SHA1 72e2ee80c0307ceedb538e2b6c3a78727afa733f
SHA256 2a977d0c7c96e8985a665f5935f666140a01422235706b5bce89f0f3ecad09d2
SHA512 bd9c3142e616e90ee6909239566335985b7a46fdbfb6472b94f4c9ccb19ebe783e1edc1de74fefd552138d75349f3c783ebaf3de6daa78a38c8cbce64cc0bc54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 f69ea398ead88ee9db1cd03fdbbfd143
SHA1 6a5c9d6aec4bcf9637a556afc7f9a88e3abd7c9a
SHA256 481ef257644f47605b6f0e96270fdec2b540d00d74ae46a12ee3fe577f99f116
SHA512 1fb8306511f6bc552c5e3ef21fe955cf6bf6a051101925e9a4b98b91f51186353520e02161127afaef5111349c7bc3ae392ad93aa59d30a3378062f1babe1ec3

C:\Users\Admin\AppData\Local\Temp\EMEC.exe

MD5 7dd8cbfc5aebdd27a8555eec02858844
SHA1 f8f7be513fb14738d3c0b47b28f169713621c471
SHA256 fdc022108b72a0260829a34d3c6de71cc3fe925d961e388526db28903cca574b
SHA512 36a6fad445573a1ecd2b9db5a92f56613d5c85df38fbefd3a8aa409571ece7f3d122881c248d0c43a448622de6c3f8798ca771ec529ffd2d99f1d89a13cafaad

C:\Users\Admin\AppData\Local\Temp\eMAU.exe

MD5 c7bb9fd6d7193eff21553871b02625e2
SHA1 7485fef9b1d9be19197c74edaecbb2a010cd7508
SHA256 eec138bea2aa39556fc6ac5240c40889f2229eec0f90a8cdeb7956592f926beb
SHA512 4760e3c3bd3e304933951b422dbc9733c83a2ae3824e8acc081b5ab1a57ec8a1ca9fdfa4ac2d934eb0f73e09d62068a0fda9bd4d761b00bfe11742b339f05656

C:\Users\Admin\AppData\Local\Temp\UsMM.exe

MD5 36d30f6ebe3d7c3ac3409eb30e737162
SHA1 fd637a73ddb3a6e88750df7df7b668302f5f66e0
SHA256 d1b0cf330d252435565768e0af62435a2c67319376f8c5cf628a489198000efc
SHA512 a1a9f206cb9fee7463e3dd5085226fdf881d84d0b941fc196e82c2e0707f1a07be2d7b2a173c2cf19613dbc76cea8ef17749df359dddada98955544497bd53ba

C:\Users\Admin\AppData\Local\Temp\YokK.exe

MD5 f3795a712eef0b39aed6037a8a590e53
SHA1 db344547cbb55b97c1b45e20aa9e2eebd4a4c503
SHA256 23ddef07b8bada6ac72757a8b2e333b6a75bbfecb6a14f5c01571772a7fcbdf0
SHA512 dadb3097c7aa3b20acf9860b706154206a8d3ff8537e64a315ef5c0ae8229dabaa4cce0d78d427707bf0be3ae8bd051e5ce1199df21dc86e7a884626c57e10f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

MD5 70373f033538f1611aaa7d60be85b88f
SHA1 cbb872a7a6f3a8715c59ee32d74e336d8113bf10
SHA256 4eb72163c1d457085593618f11ea0df3e0f2975008fc7e09526c03c60c402101
SHA512 df813ec46154dea234560e7a0419e0c721a67ceab511f58c280e709f16f457ed3361be4218f88428ca999dcacfac6ccd03f533b4ae5b58707fd898a76a5344ad

C:\Users\Admin\AppData\Local\Temp\KMQw.exe

MD5 61a32fa6355528deb80e592db5022bb9
SHA1 76c89156179efaebfcc9ce9e449880a986f112cf
SHA256 08c86c6363ac6a6ccc84c61c3fbda3579314935e55b7969f4eccfe8b45b5b28a
SHA512 c11c6921239a82878467b0214b83ffe8a9e8db49a87697bafed1face90712399ea7952fd4bc505faff59204853243349c13b9815de60318696748240d0d702c3

C:\Users\Admin\AppData\Local\Temp\cAQe.exe

MD5 ec5758bdcf1e1a7447c19e5c6f808ee6
SHA1 989b44f8cc8ab21a69c58978e8b3d357d443419a
SHA256 215b94db94c33e14fe995da749c5e2be2901eb165feab88f4ba4c9b0dfcf7ff5
SHA512 3df2ce00a9f4c1aac3dfd6cad540753b9de3a4b74a1305ab3215313941af3764f5e691e52ae673c3f43925d5afe8413618d030c19cd0db0c486c87e0facbbfc5

C:\Users\Admin\AppData\Local\Temp\qAoC.exe

MD5 17c955848ece48bc9e2fa35e10047f6b
SHA1 158af64ba4783263d4d89b129365b0a904c7e50b
SHA256 7f9d9020f70b1445e85bfaa8ca9af517a0019382499029c59aa41f8cf6d8f6c9
SHA512 951e05525d6c46741013e88f6237145d406041fdc9a8f9e4a87bf63209265f13ce1ac57fdf4d6ccc28e2dcd4779a039a316585731234e135d76ae3d59586422e

C:\Users\Admin\AppData\Local\Temp\EccG.exe

MD5 d230d84b0e1610175ef57d44dc4517b0
SHA1 e8c85b64e581b5f1a357d2c376958114a7998a81
SHA256 5ae487b56ec7e76b7e5a424a4a54f8dabff6ed264ec45fcb5d05e146c554e455
SHA512 504269c9aaaf4246b272d4a2db592dea6e1511748861e9bb272e34ec94dabc8580b32aaedd3167aeb2f5fb9fad9e0bf063f2b906042c7e7136b62464abc765ef

C:\Users\Admin\AppData\Local\Temp\UwAS.exe

MD5 2d1eb93128582f5cfa8ca5fc809e2d78
SHA1 7a45c5ddbdb8b18df6e5ce970a484aec0449045f
SHA256 95b3489c525fce426aad39403a8920786d969f28d6ba1e8a3ee5acf1cdaf2c89
SHA512 116fb3fdea0582662f8b920d3f4cf2e815cdd8b424d4b1a4c18b2510a4c7783ab2239810d372af90f307abf9377e46c9716ad1aca82356961cfded60c865a2ce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 b04ffc51c8cb1fc6ac18dd33c4337167
SHA1 03439557c83014d798d35cd2089a8da8d446cd9d
SHA256 2c7f8a9e181e1dd096b81c9fa8c213b23fa2ea7c3f070e302165083bb0ffa1a0
SHA512 4830cd18e57ca13f3d160207789c451e66df92031269223b67958d4a252029fa950cd0683ebd2f9700010f1c8a3e7a2019f0e17f9fdde39b83419090a306cb4a

C:\Users\Admin\AppData\Local\Temp\qQoO.exe

MD5 5d193839a5e6c25732e20208ef6eca02
SHA1 dda3945a2a2d81e0abc5c1b46e3f799aba5ae441
SHA256 2980f005a82b71e8f752979c2f3acf5abce6039eeb2fb82d031be99262846f32
SHA512 1974908e9f65a5ce1f3694f96c1a6c34763c891923f0b30e58a1fa6935d5e3adbbe06900a93955795de89fdb05b46f820f9713ae18400c4fbb1a90897d551e9d

C:\Users\Admin\AppData\Local\Temp\cIci.exe

MD5 02352ff5c88f03abf85a99301121a5fc
SHA1 17ea119f06df6e37576bb216ff52f288f67f797f
SHA256 7a0bcfdb56ef330951b21e10e9b08fd6685cc9db5356bcf99f551c078daf40e3
SHA512 539cef5e1d4b7b344b41c9db69b38de723b2b384c7b485dafff1f43ddee6034efa499c220b08bdb1643392779f315e1c38f74503d1855cf9deb184f56b66265c

C:\Users\Admin\AppData\Local\Temp\UssA.exe

MD5 cbf36b1f2b0848a83d154eb5c8bba518
SHA1 18ad6575ac1a4116d4c2e71920b7b528816fec55
SHA256 8a05c5ec3a5c08ceccffb2ff1e2a293c4637a45ac7da45adfff240bd15377eac
SHA512 7ee7eaf7d077ea41f68a560f4996d398e82e6cefbc583f01e0bac66c4ef86728968dbcbb313ef10e19115eaa952e51c87748f7451c6cfe50f2a9ec0162c7b573

C:\Users\Admin\AppData\Local\Temp\ggwe.exe

MD5 b0ddffe6e2cef67beb3c5fe841da3df5
SHA1 744a0d4f53020f9970b4dd3b53a96d31a4ab7f66
SHA256 b63aff119fbac39bb6b7629f4d89bcc1c3dba6f298d0aca5b7fb00fbdb8924fd
SHA512 efaf9776864e5853f5afe2595bb2901b1012edc4d850f9d9a2d86e4a27aa47cc43015f2dde99158e7906090ee57d7a426ae4cf64634a1eb8108fa0f778a190be

C:\Users\Admin\AppData\Local\Temp\kgUi.exe

MD5 d1d52bec669e1c85f04ea6ab03ef8751
SHA1 ace6a33c3d0020a093da9991c368da2ea481c94b
SHA256 00e2d3a95e16b0a496f6f945185261fa9a74a787cd77cfb9d286bffb05cc7a07
SHA512 ce512e40e508f6c6c7000276a5248dd42daa89686b6c5832202c6e8dde5c15a498a19cf2d4e5e395d75ec867a2657032d297bf7c3ee4619395521a551a552e55

C:\Users\Admin\AppData\Local\Temp\Egca.exe

MD5 2e2e2bdaa52281996c8961063138d38a
SHA1 f86d8b57b67ac4d7416f393af48e4d38fad6b244
SHA256 3cdd3b3217af0c9570363174d92e48c1a341814c6c6a1b3282973551a9a6ee85
SHA512 ce59201f6f73ad4e4837818b93e2118a5898c88dcede8ea4ffdf1efd078df116179f3fa05a766bb84567f567b8b90ad5f32c1ae81bf6bc449622c2cf10ddbff3

C:\Users\Admin\AppData\Local\Temp\WIYE.exe

MD5 b46f2a814138b1020e15a33a423741e7
SHA1 cfce76130d10cdc7f841db93d270649c16042032
SHA256 1dc773901be25811786e235a83e62ffcc8932d40b841d387206e3edfa866daac
SHA512 dc3e1abf856b75e30ec127efbde21ff066ecd50c1cd82e890c7a210d4e2ded01a6dd52c84d868030789442a69cc0f0ded65ca16f5de75e35bc356ec9e97d3598

C:\Users\Admin\AppData\Local\Temp\Mwsu.exe

MD5 a37f9d77d7c4b79b9eb5c6aed69a520c
SHA1 39673b91fe8f998cdc5d855286d6d3fd0c5750c0
SHA256 514ae2fd9db7378e3f6f571f8e295ae130c02c8aed06caded25a6bb5ac868d75
SHA512 7f5076e93ae6d9f2637ae196da4bdd4836f229e7391f3db40105571c89ec6d997922a30e1b82784444f746e7d10bee0a72ded78f532e8037231a34a92f038fdb

C:\Users\Admin\AppData\Local\Temp\SEwe.exe

MD5 982ddb7d9a83aa464db538f9b890184a
SHA1 afdc2ade597a9aa90cd47db90981cd1a12a27bbc
SHA256 39c4a20ef7b23f0a155a4864ea06ebb788ad2b7267db84f8ddc12aa05bf2e01d
SHA512 19b05748498a0ea24308be31db8b50104abe0ca835a658edd1ecd5c1359130af6eeb16dc9740642d6261634c188b77e84b31d494c3b9dd727a22d2e18b09e253

C:\Users\Admin\AppData\Local\Temp\KIcU.exe

MD5 30422edfb78d9e67737605e0845b44a8
SHA1 8278a203a470702b5616cfc979f1dd4b2fda5d91
SHA256 3ce498e0c800abd72d9c21d04e051a584dbac043f6de567908815da943e22591
SHA512 e23977786a0817c1748c878061249d7da5e5b35f9991fcfe9f7c31865894c13e03604a79781416de4a1f755dd01b2aeea5d945c6e2e830a28195859a00e99a6d

C:\Users\Admin\AppData\Local\Temp\cIcc.exe

MD5 c9cc726c6e978d8fba1abd84551b98d4
SHA1 6c3b9ce49136264c7e0718e9a2e88fb24eab96b3
SHA256 dda7e46c05413c15c650ca3bf781f866f90accefb38978866f23a3443300d0cf
SHA512 25623cb21a6e5a7583f2bc660e139a121264dd987ff3c249e6ae434ec6481475e8f2b181978401a909a78b8bec9550a8850ae3500e0f81021a4a13d0c590bd30

C:\Users\Admin\AppData\Local\Temp\ccwu.exe

MD5 8c864b837f579bb96e1833861bba1c86
SHA1 635735b9e7a6b88e19ce89a1c805bce1e10f4f9c
SHA256 a794d02318468bb98e7be4e728061d4357b26ce61806d138dbefd3e319bb5370
SHA512 26f8c1bd81d6cb88c750616b3fea0041a414af0ba1bcdd8ececf2c6280ad236c68c6e6066f36df1f4fbc0b7bd0c12c43c6055bd08469addc8d026b2f724c4cfa

C:\Users\Admin\AppData\Local\Temp\awkq.exe

MD5 fce472be0f9bf21b5c124524a5823444
SHA1 327bfaebf3e6804286e8f45c58e0f5ce29e3403a
SHA256 11d30aaa1711585c4ed6f3d4bff411c2c2d832b7b51da55108543d60b7b82150
SHA512 8c5f7411ebcc2af1c11640a930ac78079be0d3db5235067351f6674046b6601f6df9fc2aa5761f60f2685864c582b3d9d57064ac05c81c4b911d6edc0a90161d

C:\Users\Admin\AppData\Local\Temp\QAwE.exe

MD5 39f6f1d2f195a804ec61c57b265b7e92
SHA1 cd3bb63a444f898d2948ccf02a58a1969c8fdb76
SHA256 812c59c0a33463f172fc0ebd3a7bf747ebd92ac161becb98137c467c138446e2
SHA512 e92345a8331e6233bfdb821a88f88df8fdc725eda19868bd689f35133fba245a61b76a7dee0cbbe222466d0de1a6a8ad0f17023860cbab33c44be5d5fbf5662b

C:\Users\Admin\AppData\Local\Temp\MgUk.exe

MD5 df8e45eb58318063c9f8e97bfec18495
SHA1 227077e6cef8129c3633d8686a1bcee2a0339734
SHA256 db260d17c08e0bfc600ab94c42a117e40ce8f21662fed96582f5dd725289d233
SHA512 7d82899f676789aaaa84cab3b6529784a6d744879412b47c1732031e202f3f1d29a1ddf818515f3905f3d24c4cd7fdd9d993b9882aa47ae37a4b479452fd96aa

C:\Users\Admin\AppData\Local\Temp\kYIo.exe

MD5 858e100e8a6d55c552d20d332b02a374
SHA1 7d99739871152dd7700dfafe0bd38c762d8f612c
SHA256 0d54a0bf29fbea4b16e83b9781f157c548444ee5c33966316ff36894baa8b1da
SHA512 a43b715b415f950cbf7bb64f4bc0fa3252e591ba9078b8297b18024dec879461da228e15842dad6fe0e28fa26e3704991a4507623a49488d1c7fa258e051beaf

C:\Users\Admin\AppData\Local\Temp\WoQe.exe

MD5 9fb2adaeb1e2519bb499c52c0021ee4f
SHA1 9d2e567019cee711d42bf95a5b5a1d3fad11cb33
SHA256 593d1974b6b03dbe68b24dc13f66cda2e0e5c30b46a43c59fa8cb2abb18bcf2c
SHA512 83a1cfa4e4c0974c1282146f4fbe4f41c9bae2e3d801bd19fcce61e725607c661d177bba1f768cd8c3c6ce9ad385b774b189b21efe6a7dd7a5100a97bc4466d1

C:\Users\Admin\AppData\Local\Temp\IMcS.exe

MD5 a5f2b6e63ecc3675307db2286577304b
SHA1 b3642a2fc8f310e68e58585cb4f274698d77cf19
SHA256 bdff63434347dcf943765b8629a10140da9abca3da5d2f74974e6a6940fe3260
SHA512 b5a7ba2b3ba32868366235d9890fab7ef6201cda0b6a602541bb004c5f69a0d30be958452576ec5f83352c882eaf1d2da78024ca79ff8e16041e1419a85bdacf

C:\Users\Admin\AppData\Local\Temp\eUou.exe

MD5 6910e1523792a9de3339d983c388d356
SHA1 2ec5d47e933cb1588c7d787ba3baa6b7b6bc190a
SHA256 b2e5f0fd0e25fc52afca8cf9a804e112004bffeed0e3d8ea8cc00d078e7fedd9
SHA512 af8eef286f3b832b3acc1be63bfefcd7694be85b9f5aefe67112c0453a78d59a33de078170e78d41d86561ee31805da4f47359c5b43ac7e039cf6b1258e99836

C:\Users\Admin\AppData\Local\Temp\KwQk.exe

MD5 f9f56c80e89052e76bfacf0d363bebac
SHA1 5785438443cc0d714389c085f0ad3d38a6bed1b0
SHA256 3d13365f645577c013c2cd1013619db797299cfdcca4514fcbfeb42296a19d0f
SHA512 58d646a26fb915f42f21462dafeee9f3330cd9517af54a4bf3b997ca5ffbba580b9ce207ef764c1de34e7d9addb7a08b983e73b96187406a3a9d5b19438fb9e5

C:\Users\Admin\AppData\Local\Temp\gkga.exe

MD5 4a40b42c77c5d9b6eddc588379a9f514
SHA1 a6dfefc023bbaa9431979eec5d6775f362380bcc
SHA256 a20812ee19cab63ee8169479edfe45e7372dc79090709bcc4ad74bcff11d5b3f
SHA512 fbaf86bb481f7170d1a0e852cffce309bd6287ee96583755ccdb57e6bfdf032258a3d8ac0c8ebf5133ef517904f3813271652c872c57fdcf0b75bde34ef29a6d

C:\Users\Admin\AppData\Local\Temp\OskS.exe

MD5 4ca8a9702fbe90d1211c628f9d3f25ef
SHA1 c326b31d937ae360c7aebcdb66382c21e237a203
SHA256 542eec41629039e95d2133c903d25e4963bdd647db82314e041cdd131c2a5429
SHA512 8de8e193f52e0b77619e9728894c07a22d3592c714bd0c7229edb5d2e852401ecc46168edd05aaf02fe9e26f2df0583172d88bbfa206b0ce0f496c15f3801408

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 bdf005f4d30395ad10693c5b2f96067b
SHA1 7af3ef577e0e90727b27caaab3a16dd882e3876e
SHA256 54ce323292887a74a6c64e923b4dece228b8ac152707ca5bff694057f254b60a
SHA512 211dd413b1001cc6609d8f6e618e8b5396d08caca5b6fe74d85f17e14477a7cf7f9abf45fc0743af0c0519583f2a9f1c737e984facf84c7a5d7a4a51070cf4d2

C:\Users\Admin\AppData\Local\Temp\yAEE.exe

MD5 3af8aa0cff2cf70fe8df8d4f6f50110d
SHA1 747d8253a582f3d14b27d70039afc45f3ab7bcdf
SHA256 a90c533cc412838720aa9a2e997e6c3d3b158869cfc686d6403237689bc28d0c
SHA512 d360fac4925c9798186e4ee3ea905c14f0efa325104fbc80e0ef24a4af6a4dcf6d105fdb4d72bf86824dcb82590552f67822a17727f6843203157edc9cd535a3

C:\Users\Admin\AppData\Local\Temp\moIG.exe

MD5 daadc1339652f58824c735d618d3d321
SHA1 4d3228c5a53ef8292166279d21a4ff155b470169
SHA256 6d802ddd0b0a997798b5ec94f01e955ce929ed817b9f49aea7d876b5b2590072
SHA512 537e230c2fd5852f89909c7dc9649d06d5e3b5f134f3c1ec7133e92a4b4e90a0b115f0a67d15832ad323959be80a1d65467d1e1968ea0e16bb7bec33b3bb9863

C:\Users\Admin\AppData\Local\Temp\OEcm.exe

MD5 78e76354022f979fbc616006607e693b
SHA1 3ef17740a9bc8cc306f3b7472be165e90a992939
SHA256 37f370dc4ec120b64e21713bd17161816affefbd0d20a38e34e79a31725c7d82
SHA512 d952198dd49e30bcedbe9a2f573942b1519f36c350712ac3f5baf87df73ac36bb432e003773550e57091429f73fcb26f6aaf0ec43c1c7faa5c6dedf2bd67fe35

C:\Users\Admin\AppData\Local\Temp\sEAQ.exe

MD5 4779a4578db5ee1adf78165d41405a08
SHA1 0fdfdc13a7987918521d4db04a9e06f9cc38eb69
SHA256 8c5b55ebd25f8cbdc3e9c427d99e649915a5b6675665aedb71e91e4a4d3993ef
SHA512 410e98f2147087e5fdb33cdec93b9412cca4eb843c43c3508d297f02cfd1c26ffe76e4293cd5005112afcd3a7e782cead9ce0da6378f2c8ed6e9a484a6b53ed2

C:\Users\Admin\AppData\Local\Temp\YokY.exe

MD5 c0a4ff3ba8769927cb0f2b8623ccb606
SHA1 c5a9d7281ccae983d7234079a57007a16b300a36
SHA256 5777083334a5e35de96fa4cefde735f7595c801df98147493ef2ed25173e7565
SHA512 41ae1b89509fa15ca33214ee40ecdc78b4d117ce4f7426371b73c1345aa0a70f5b6c12c1763326970c12f3b787c13910471cb7a30320515865a4d029348759be

C:\Users\Admin\AppData\Local\Temp\EAcC.exe

MD5 c5460a7d8f9b295a0659b314cb5c18ac
SHA1 0d3027fffc81031ab990ef589e70975fa69a2ba3
SHA256 7801a0d1c2094aac8904db60bd5db8c301fe0239909bee206a41360d9701270e
SHA512 e65e4a1e1f6f3330ed2df0dc824488752b89198cc49c36e355fd784730cae62dda0ab015dfc8422cfbf5e68f400f77faa07cca0369d5c89a129232292ecdbb01

C:\Users\Admin\AppData\Local\Temp\QwwY.exe

MD5 d64ea077d63214f2a6b81ecef1ab65b1
SHA1 7cbb689abbf5f2e44441b01795c691a65838b319
SHA256 6431bc2e1d0a17d6705745a6a322f729c8c4f1a60f1b3c873f0666324bab7c71
SHA512 723449c7c570ef91536bf2fd98b890280eab2c85976b3ede01fd30cc215a9760b7f7aa2da29e820dab0930e1dbb11644150e99aec41ba3c77ec1748b57846a60

C:\Users\Admin\AppData\Local\Temp\KUAU.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\MsYM.exe

MD5 94007b5356b4166551db382c7be886dc
SHA1 27c4a2e1c37d72ab0a6f4ffee48f78ccba4d23e0
SHA256 8ed527f6b01343843448bd8305bf6b60c47df7cca44e6c133d17f7fcfbe138c6
SHA512 98553d7c498f1dde5303811eed8afd9b44b45eb185de8896c37fc8fadecaf9760664ee275c511ee18659e699529ef4a4351922e8221d934c1c35a5369671cfeb

C:\Users\Admin\AppData\Local\Temp\KAwg.exe

MD5 6c3e70f8dfa27717bc764f468397b6b9
SHA1 a853cfea30d997dec3f08276b48cafe80917c3f7
SHA256 737687e4a94e06d802136b31ec02701deb4bfa7827d224b1ab8eafb6250eb3b4
SHA512 39620a2af7f42b402c9de942f2c8f6a00c7c6ba83fb2eb01962458af1485809f5fa221adefe5ffa0d7964f1e58e58202ebf3ed25c43d4f24e5b5f6751d883206

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 b8e662cdfe1c06ad3b3609b6d8a1e13f
SHA1 d9e5fe8068d4c5b265f6952bb2e41e4f7e1033f6
SHA256 e8a0099a9bc1f89016f45548c852a7617b05338c7737ded77337269c32480486
SHA512 334274add7032ec87d73bda1852996432ca66e97e6c05d59aa5914a61e89854b42751af3d0fa78026d9170b069c16321baa7dfac39a7740d56fdd70b40de9ab9

C:\Users\Admin\AppData\Local\Temp\mUUq.exe

MD5 da37fc916d87f0f2749418b2cbae9472
SHA1 773520c16e92ef593ba15e9a17e5b6acb10461e7
SHA256 265a9e4deec2a34cde695ee55bc3946b0126ce1375599c021612b18678807fef
SHA512 09a1d342daa3b5988afdfd1d263ef4939d3c21e33f2cfaf4b36016df44122e14daa4a80892e665ce9811040cf1b6c0e2e82754c708c4ec3080c7dac1ee7e8d98

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 38e482cc06122165cdd04e5a427d3fd4
SHA1 adca93b22566da438ac311a872535ec0a442846b
SHA256 c559c9dd52d9a8eb26772df397a42de4d0be931bdec072c62eed3c94a722cfde
SHA512 17875a08e421271e6502a3b3427053d02bb1f7401f06e452fcfaf8c7864baaf4191356acd4ba78cbcb7e2097db5a5a02ae5cb15a6532f7808a59ab9eeed20c72

C:\Users\Admin\AppData\Local\Temp\gIAG.exe

MD5 447469cfc89bfefd2dc449dcf4f352e4
SHA1 6c76db81fddadad61530cc8fe9d8a94fc59c7169
SHA256 4df9579abdb0f8921edbb4c84769457af9b5562babbc93308042f7f1755dec02
SHA512 be13985442de27f25580545ce43f12e7e068d1e72d9964e9ee86fa673f8f7a9859831d83f29b9d25ab144b8e1c05379c23e6ee2c1d5ddb5115749b31cab729f6

C:\Users\Admin\AppData\Local\Temp\SoYO.exe

MD5 3fc245de5ffa8b72c2c0d538633c9891
SHA1 f482a9ea0fc3073d53bdb02fdedecff689005744
SHA256 0f21dc74b509c23c9701dbb75d89b5d9680888c61f0a53665c3ab9b39a4f39c9
SHA512 e66ecedf2b53826613d7fcf798181b5bc58c261fcb771762211e702183cd4273f451a948f4c1338e7be590d4b3687494369dad485deb8bdd42ff51464a5d13f0

C:\Users\Admin\AppData\Local\Temp\yQUO.exe

MD5 a5c1128afed5f2290c69316963201849
SHA1 e8613648331207aaeac41476053b4c5abb8fff43
SHA256 c727f2ed63ba86fc6d7119285ba6b2d593bcab654d0ad6123df7b88dad8f3f78
SHA512 987ca01b2d58f3769242dc0b6ab7f2ec4521ba5234da81c174f9576774a3bea0819940374fc2a43131e4f2f8d16f04ad1772a4f71b65a61dc7d5097858c5248c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 3c069deb1c752cbbbd148b499de4f4b8
SHA1 a1859e949b5edaeb10bbf9bf9ec22fecb72a132a
SHA256 850aa2cd878d8a10acdf5a526936383f145de4d924825167832fd5d88c1e11b7
SHA512 11f0aa5493b2bc368517ad3a609157ac4e8c28b40e0ae41d40a4590a1e228a4f1c8cf53b5587c7092fcadccd5c471514e6221999bfcd5bba459c382158f014ce

C:\Users\Admin\AppData\Local\Temp\MMUQ.exe

MD5 c523cac0e604dfd01c6ba04be26fe96b
SHA1 344087076004183e5671591ccdd15872813e2860
SHA256 98995ab13166fcca2f02693b3b1e2fce720632149f72e74a7d751fc13b16cdca
SHA512 20cba41c468e074cbc70f6f11806c19eceb29e5a99efcbf270e74f843503dfe760044eff4b9f7c0bf245ae6680de5e0a72388e2d38803338242ce11699801a91

C:\Users\Admin\AppData\Local\Temp\AkkW.exe

MD5 a6752cf8d3dc8b66fee272764708b6e9
SHA1 c26edcc433c7dd621c4ed6fd0fe7b19a965ede19
SHA256 f2b04e8f37c5dd3f1c9b07edfcfb512acc9245dc293034472dbdacfc8635d9ac
SHA512 ee2bbb4f565f7ab4835a046b555f7bc296ddf438f7bc7de3b9a6ce65e67b01fe79a8fbba81880965ea1dad9bb5345fc2374e1bc5ac533c904c97a0d83a0d0066

C:\Users\Admin\AppData\Local\Temp\aoQS.exe

MD5 76b6e2e8d0f494f87299d11fb9503332
SHA1 8a7c86631b91210ee4bbc75c6f45574404f62a40
SHA256 5ef8507c8d9633e6a29eca138f44ab41124df9dc541e2c6eb219b55b3888a469
SHA512 b9e349aa922abff41f57410de39b3cf4336c0cce84f2fba011275fd70ca924886c879b7d60ee91098987d4f7dc8a4b980ddf39a64c1cd74cb3913ec1d95cf73d

C:\Users\Admin\AppData\Local\Temp\ykIo.exe

MD5 0aeae2bec9a3ab663dd48fafc0c40fdc
SHA1 1e9ad77b7d7dfd84b0004d169547c7e9b3c5f0bf
SHA256 c27750a977804c058227133374e573e6ef524f01f1c06b14d5eeb48491a5c7e7
SHA512 49dd9eb479bfc0234909df82125619c4a731389c03336247ef82e9f1e4460109aec23519775eeef63eb41414ad04325895a9d7ae05bf70d1186fcc8746184d63

C:\Users\Admin\AppData\Local\Temp\aIcC.exe

MD5 c722cd2a08eaf212b41329de1cf67f86
SHA1 80f1379cd42e15431f8149cc251abede82497f23
SHA256 c96d64e6ea0d9553f885eb53cc0963b400cc80915bb3799b500b43caa0cefaac
SHA512 64e911da45b56331b1df791aab884d2f4d8a201aacec0fed00954ef63fe26882c95511db39665ea270475b83d4b8cd34bc7f90113d350472433163f757605432

C:\Users\Admin\AppData\Local\Temp\GYoO.exe

MD5 a1eb8981e20762cb536a3bd114e6a1c8
SHA1 e5ace9b2afe918b91aae0e5a8f053ea332775f31
SHA256 e0e201329870dc83702bc055c461c1bf5ce85255384e4af808c9c9765a93a721
SHA512 552f4d3596d8848794a22e8b389a5f5396160519a5b173ab52f69ddea330672e7d327be98e81cfb6ca4ff845f00b599756e580138bbfa72404ad2336c6e5a62a

C:\Users\Admin\AppData\Local\Temp\UoIS.exe

MD5 8d4a0cf291d52466dab6233b737e4d81
SHA1 b732695598e71b9e895b411b2fb2e7e11f7e527f
SHA256 166a65c9419f9a21f2053260303f31531551e69d5a84ab6127525e713f44d1cf
SHA512 090a5aab9d004d5d2f66e47b809c073c55ac6494e9efe4fe9c7cf869ae2680080f9e0a011ee9ad84dafc3f741a0fcc9da325e7c0fa5c896751659aefd4ebf9a0

C:\Users\Admin\AppData\Local\Temp\YgcK.exe

MD5 124ec01b3ecbdceca730e77b507b9d36
SHA1 7cf1bcc325ca5886ce1d7881645eaf6adec81808
SHA256 f9ee07d980144f2c221a88ff3241da40f2b1eb82540fad6b59ba9ec5dc7df2b2
SHA512 8d51d5384f26c3ae22ddc63bc83893cdf70178e294496d0fe5652ba10209a44dc998ff9c3997a17f47b574346fb7a7d3c5108ed332f671068152545f4aa6cc6c

C:\Users\Admin\AppData\Local\Temp\qQww.exe

MD5 fd3ab63ebbeedfaaeb9784a81f4c15f2
SHA1 e101944c1e5646fb7ca8800d02aac52b29b0017c
SHA256 cdd2e23809e0eaeb950ee0341e90ecaa9dcae2f685a92cc6ea56d61cbbcb6ef3
SHA512 49c7e8140a41c691ed5dd0e462aeafcd23cf2030c982487e915ffe17196210a0e7df59b598ccf6ecf4eb461ec7cce2e749ffddf9cba8fcc6d10e2efcd100b1c2

C:\Users\Admin\AppData\Local\Temp\gAMk.exe

MD5 2e3a702011c4ed53594a303de7691566
SHA1 18d3471557c07dd8c2039f40269ba51872b474ba
SHA256 2e7fd23ce9ab53a20f06d5f5e9dde01dbf9d56203c8067fc8301fa91b3d56f78
SHA512 36bd99d3e1bc9614fe0242a8d1270e01b7a06350f392931e66fcae23849189d2e7bbef338f41231b062044b50a4a51489548e580f8a596830d42f7030f9914e8

C:\Users\Admin\AppData\Local\Temp\ukwq.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\awEI.exe

MD5 5085fa9f5f90911bc0a3950d3f9e3349
SHA1 483a058bbe19f68390bbb37a98690cf0abde50b0
SHA256 de944344ee20e16f0faf05087c787138c907d5ba16aa1d767f9f6abb5c89313e
SHA512 c79d3c6db6688b7b0e60fd1f41572a39c8dfd7a24519a948d054a4a9077616b28febaef81b824fd1ab4e381dd24a943aff3742224b63fdf49e46981f48ffb0c0

C:\Users\Admin\AppData\Local\Temp\QsgI.exe

MD5 c7a14860a8efc1a77aa1c13c84815374
SHA1 b1a4d5620445f04224bcfd55cf7a91c3bf487d0d
SHA256 032e4c1282bac9f2c8b6d195bab6391e9f9bfce552edd0c06bf72b908194e291
SHA512 03c11ef911ebd682fcc9327560bbab51b62ea937b3ce6d938306d7019b86a5ed7d86d51a42b2916526f9abe370430b93b112f433baac8895609a90917fdddbcd

C:\Users\Admin\AppData\Local\Temp\EwAu.exe

MD5 40ba738a83fbc4b5fb383154bbc71811
SHA1 b09014986a4fe42a42ff6e35e42d1af9a0044dc3
SHA256 606c06c8071a5c798e32f2b9656d30dd48f8963e68bc6b33d57f2cd0edfbab2d
SHA512 61b9012346b0a3d033537a6367e2466ab77682b9d127e559aabc6cd5657a7c5b62f8898e9434eb53d31867e131d78a02e82f49febf7611391c60b1cdc85b4413

C:\Users\Admin\AppData\Local\Temp\sUAA.exe

MD5 b79f968e1062a3871fe406ac32fc3466
SHA1 f1e2c7ee61b72df4a235e26a2b612f667142ed35
SHA256 9209f12738a6820069cfa22dabde1c67b143495399d0b29c9f3ae1030fa6ee86
SHA512 c04185229ee1ff85f48026dc8cadd7cce1ba80e083f580ac98388519230d38b486febcbb41f6dc541c0545152faaf54b70a2f7f746c210e88c5b51ddf50a49a3

C:\Users\Admin\AppData\Local\Temp\sscO.exe

MD5 1c3daca9f84f268a98dbc1c16e7cc859
SHA1 8b97ece554e09c810975c3eb7182a943a0b3d766
SHA256 dc0bac61ac0f4064ecbc40e1913cde29d4b5eaca560400dc917c07e75347df7f
SHA512 fd2ceb142b19a032a8e7f597e8e7976eaf14b41ee545d541e0c31bb5da1cd1b1b8d647b3ea81888540e4faa47b434a5e3e3034a9160e99956fba6230b550bb2a

C:\Users\Admin\AppData\Local\Temp\OwEM.exe

MD5 b6a5adf37d3c8e06f5f6c3cfe83f3102
SHA1 5876e236ce056aa30e4cb78b34832b755d8f6bba
SHA256 c10de7482b21607a5f37691d8acd152efa80470d64851a3497f138cfc5b3bd51
SHA512 d3fab3ec03e62af2a5593c08365faea85fcaedbb851c4fcf843fe1739ba58c19bb3e93b8371b89acb88d05634333dcdcfaa198b0af7e76516394a1b8f97824a3

C:\Users\Admin\Downloads\ApproveEnable.mpg.exe

MD5 fdfc1431f5a9ee8792580c845772e5f3
SHA1 6d2a42608145b4adaf3aa7a758b48f40c8a277df
SHA256 8ab8e92768433fae7044a9ae47ce1bda4be99f565a3eaa2bb91a04dc9d478b0f
SHA512 29a70313da2ba40d9f1d4b4f65258d2a2cc73409ee553359302c525baf2e5bb40d4b86ae957bdca12ebbb4773f497387e21ec91eb7855debbaaafdd1b864c765

C:\Users\Admin\AppData\Local\Temp\uEYm.exe

MD5 cd46806992edded65424bd5e30794392
SHA1 c0b2c3320f7ae2d58f17e66ea54cc479d53b035c
SHA256 352b93154f563c83983dd54e9ab87db8e94b450beb3905e2d0622ce3c7adba6a
SHA512 0f618bc58e63f5be68d5d8421b106f03ac38864e3d2802e56d1376a476227252773af8af939ca9b92e073e8cd618d59f2202d8d663dad1b390b2de616164f078

C:\Users\Admin\AppData\Local\Temp\mwoU.ico

MD5 7c132d99dba688b1140f4fc32383b6f4
SHA1 10e032edd1fdaf75133584bd874ab94f9e3708f4
SHA256 991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191
SHA512 4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

C:\Users\Admin\AppData\Local\Temp\OUgM.exe

MD5 1876927dd9d47270b03e089451f62bc7
SHA1 a9637517149f25ee88bccb93685ce53e8f455146
SHA256 58d9c4d96e40fb8789569255f86a50a02484ea4a5785e268e15e10e390d03250
SHA512 a0eb43d580b5e0b582a38ffe6b60ca27e057d17e8d03acc5fe8c27337b025ea7196f6c8c30866f29044af0468a8bc86e1d1b1df8a89e8787b606cc3a9ef46a0c

C:\Users\Admin\AppData\Local\Temp\AsAO.exe

MD5 006703f520f96316e9c3364032ec496d
SHA1 74ff788fd382f0fca2cbbf0f650e05785f874b49
SHA256 9f874457c5555cd1842354415440dae72fb7fe7aeac9c9e39ff1d594fb009340
SHA512 7fb3e8a5c953c70d7d28d4db2f3a1865baf52cea53e61b5567d2de4d8fa19b261c2c128616cf908b7f944d07c65fc7c515db7ad24216e4be79ad8175dd54040e

C:\Users\Admin\AppData\Local\Temp\KQMi.exe

MD5 9d420a55994f1d2fc7635190fff37262
SHA1 9c79e0307b091dcdce7c5c456cc3313a89af9c78
SHA256 3cbe0a127f9aa2ab36ad83b66f0e78ff8bd34a886fe46fd003a14cd51fa0f5a4
SHA512 6b90901befbe04631fe127ae9d84ec7df10d284033e15edb876f6309fb9223c7722007b33965196bfe5d81939cb2c54327d0045e9fac460acf07478a7942b15d

C:\Users\Admin\AppData\Local\Temp\WogW.exe

MD5 a8619a4f89eb186e30ded6e33f41ba79
SHA1 e7da1d347b6b9f9496e367a939b82212e8a55092
SHA256 5b6816df5d1dedfcea5f39972e0d6a3a8284e446617c209a38b4159b24dc9912
SHA512 f9471c605a3e56ef2c42bb3fa346a57bdd4cab1ac2b93e6600e29d1ae9e09bb03cc617bb6c6e97254b5de9e22f159e5ed570ff5a922b74c134608726f70d5706

C:\Users\Admin\AppData\Local\Temp\sYsO.exe

MD5 024816b4dc7684ebda4cb1d861c6fc93
SHA1 fc392834be9f9069fb9802eaeb2d8735e4140f85
SHA256 189f1e526772f3c18fa01cc7d0baf9992275f1186ded7cc04e2c9b5830165675
SHA512 6d96d87c70fe91e8ef0ac8281a9a7d555df8693b0580f24e87a7cd9c144877c2bcba6443f5104031eebbb6e0e0ce7a94341fab88cee5b594abdb313f886d8181

C:\Users\Admin\AppData\Local\Temp\Cwom.exe

MD5 161e1a85f8571caf15a838cb72924283
SHA1 58f5d24c52ce4f83aa0e3b865514293e5769f597
SHA256 b6f5adf46a7faf8e28ddd6828785c8a860e508bd851f3bced532b98965b804e4
SHA512 e4cfb2e117c08b489005cfa91f05693a4302eb70828c581d589ba03fe20e4f3120ca1b63b77253b7335994fc226b23401267aa1b44e3b4b48bc6645494944bb6

C:\Users\Admin\AppData\Local\Temp\CYoY.exe

MD5 457c95b47e3f4dd0e714d522fc5f0f63
SHA1 36a5283378554b0e14ca03e77215f91aa44e755a
SHA256 a46523c98c25e27d8afe77ac14802547b2840d9a32575686735c094ee27d57a6
SHA512 a65ca1c09a0f49fea6bb985686ecfb9c1a6a451843dd79feb58838f58a86fdfa75ce1feed2b21f31c4606843ee5ed320c65b91058d7de00f97e75a5779ac3502

C:\Users\Admin\AppData\Local\Temp\OwUa.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\EIsQ.exe

MD5 aedd17a758d527e473aa2d306f12877d
SHA1 9e09da8498b9e12982028bfeabe10283e9451bef
SHA256 c5ef2e4f6acfabb1e53fc8be14645fd9b1c7db4c1c5102f8cb2c8f8377262602
SHA512 b3bdb48fb8cb9244864b3638e78a0077ab8b1531a3b659a36c67271de2009757a53edeb882d7e13b671647759ec5cbeaa2dec911cf45b3ea58d840085920c406

C:\Users\Admin\AppData\Local\Temp\wwMK.exe

MD5 155fe0c50e11482e3f8f6e1e257677e7
SHA1 1937087b88a2c02dbb9ec62767533a046585d952
SHA256 c8565f0cab5cbb1e67b109d13792521fb274720bd3601f9600d9704c777887bf
SHA512 21347bcecae144987718828c05c4d7296be082d3e2be12cb427e0e0eeb0661c7b1a36868bf59d7757809496c30ad70636d84b26dd63cf503815bf094a78d9fe8

C:\Users\Admin\AppData\Local\Temp\uokC.exe

MD5 951ad7ed8bc19c739913c599d1367e6e
SHA1 b0f51366288cec13ee68f17924e26c44849d8df2
SHA256 66f2fa47a24b3f4f74e330b75c64516f85cdab2254ac0a60eae22b6474fc8dc1
SHA512 93c6a34b234dfb7e6b0e8fd21f26fa96e9cae43844428315d45c1e19eef5bf566748d07469337601b7a851e496701354f7f92a11ee0564a50cb431a499c8bd0b

C:\Users\Admin\AppData\Local\Temp\cIcq.exe

MD5 eb7d2aeeb12563625a6dcf87ed49c2a7
SHA1 b1561fb0b2ab0bb4c5916767b855e737d2a8ffcb
SHA256 8d45bcd1866d1dfc2464b33b538a4a9ab9d76bb72586d564a1ca4d6c23968087
SHA512 1aa487859feef1523848b29e8909dfc7df90cbc9a5ccf0a697374171497987c191a5a69961436e588d02e4b7052fb4c191649df2980400ce6be08313fbd6aadc

C:\Users\Admin\AppData\Local\Temp\OEwo.exe

MD5 08ea00fea2da46cff32456da0254673f
SHA1 6b68bd3ba79af3afeb4c10da7c49e0aa7a888c0e
SHA256 55e81bca66ac000ef9d6ef12407867f6aaa14c9ed6998022ff33f0ed9fa5d7c7
SHA512 a46841e4e4fce3296ffef8cb9d879ce676c6f44f1f87fa71314cb9654938205f4c9f4eb83926e483ebcdcf58cca6414345cf21dd39a92cbf390be0140c00d021

C:\Users\Admin\AppData\Local\Temp\qcwc.exe

MD5 9537637de58c086e8afcaae3669e4fe5
SHA1 592f4128d374deb68ad60110a6832b5213688ffe
SHA256 db5339febb60409fc4e60d76774520c2c9f5e573136d0dcbb179757d49253f79
SHA512 cb565e30badf5a3c427e7fd6de3768857b412a0a17d07787b4684d8df198c52d4f6c3576635ce3b9440a48e8f313a1925f92e62c8f2f3eeb4adf7ff49aa88ccf

C:\Users\Admin\AppData\Local\Temp\qMoC.exe

MD5 f279f36339483e13ea8d797d905e79f6
SHA1 bae3310352478f4ca79640bcafbaa431993ea547
SHA256 5bcb61b12064135090798a15021eff09e352c29d965dc639f28dfc786bdc01e8
SHA512 a17aa322e23e6c838ee4e6f2bf987b51b531beeef15d8c1ce45bf72f269cdfe629558e0eeb0a154aaa0b2add190c427f4cb7df4e6f4ef78f9bad4e80c58c03f4

C:\Users\Admin\AppData\Local\Temp\YAEW.exe

MD5 8a94f55f07c413fa2e0d1af912f8c025
SHA1 4d92de91ff2386a1d13c1100d0e138597fc4cf74
SHA256 3e988938606ae5a2555ef34c0994c4ad38842202dd2e08645a36559e205c8196
SHA512 638c98557944d60f6b1da7a672b6691005f5ee6ba9f529a17f1a74f4d4cf27f82225c32e2ab4fc2a49bd86c77b0f69c080ba70c1c45b4a556df113843306d63c

C:\Users\Admin\AppData\Local\Temp\IgMS.exe

MD5 79e063927d209d400e503d6ea7b93af1
SHA1 4d49928011a8b5310f317e15a573a562b41d9b3f
SHA256 298f26cbc560b3286b350ce91c9b919f2101f4a1a74407830e97659e70d33429
SHA512 0588a34d403bf7bcdaeda9f7fc891c4678117cde014b078ca5fad65cc82ffc4f98016d2c2e8107b5e4ee31d1e1ca297aacb70535e5a92f9c130c89da122a7562

C:\Users\Admin\AppData\Local\Temp\Igos.exe

MD5 1a2a4ddeecd16513bb1d4a5d00f37690
SHA1 351d544d2770ce92ae294273b74300abdac6a420
SHA256 47417edf79b0d4e4b660763dbe3a0ee33c94888e16401d626983120239e2efbe
SHA512 ab506a81fd0225266788ecf178850f34281594511c5cddf0b646c417913b395bdb204e65c7f7de241629a6032db5eb839329c2b53bf0bd254fd2418db8921f39

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 bffd52b78b2756c70d45b0abea496e45
SHA1 ab1822191b3847687a0db9b4e22a5a21989703d5
SHA256 4f3b51c81612f91a213326f8550373942c497c661040ddc36ff12cdfc1d0bc67
SHA512 a786f6b05f10ff2ea7857cfd5581df7291d59f6ab94a5400ba8ba121674207ef1a50c8571514e377169524a695844c8c2937eb0d21938d4bbf0694537621907c