Malware Analysis Report

2025-03-15 04:21

Sample ID 241026-a4a4nsvjar
Target 2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N
SHA256 2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2

Threat Level: Known bad

The file 2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (58) files with added filename extension

Renames multiple (77) files with added filename extension

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 00:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 00:45

Reported

2024-10-26 00:47

Platform

win7-20240903-en

Max time kernel

120s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (58) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\ProgramData\vMQAkIIk\LyYAcIUU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMcQwsEQ.exe = "C:\\Users\\Admin\\joQgYIAY\\FMcQwsEQ.exe" C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LyYAcIUU.exe = "C:\\ProgramData\\vMQAkIIk\\LyYAcIUU.exe" C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMcQwsEQ.exe = "C:\\Users\\Admin\\joQgYIAY\\FMcQwsEQ.exe" C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LyYAcIUU.exe = "C:\\ProgramData\\vMQAkIIk\\LyYAcIUU.exe" C:\ProgramData\vMQAkIIk\LyYAcIUU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A
N/A N/A C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe
PID 2412 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe
PID 2412 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe
PID 2412 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe
PID 2412 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\ProgramData\vMQAkIIk\LyYAcIUU.exe
PID 2412 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\ProgramData\vMQAkIIk\LyYAcIUU.exe
PID 2412 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\ProgramData\vMQAkIIk\LyYAcIUU.exe
PID 2412 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\ProgramData\vMQAkIIk\LyYAcIUU.exe
PID 2412 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 3016 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 3016 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 3016 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 3016 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2412 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2592 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2592 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2592 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2156 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2000 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2000 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2000 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2760 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2760 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2760 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

"C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe"

C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe

"C:\Users\Admin\joQgYIAY\FMcQwsEQ.exe"

C:\ProgramData\vMQAkIIk\LyYAcIUU.exe

"C:\ProgramData\vMQAkIIk\LyYAcIUU.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TusoEowk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsooYMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOMsckIM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkcoAQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SskAEkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMQAEYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAMoUAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\toMgYQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUAAMQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAkQkAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMQIMQko.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEcksIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGIIsckE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioAkkUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWAAMccA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqAUsAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgUgkwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JyQEwwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcEcIEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQMQQYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuMsMgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYMwYEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\juIUQgEw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIwwQgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIQsgsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FykIEQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QowokgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsQwcQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKAQksMo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgQQcYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VesEMskc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGwccAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEksMsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGQoUcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQswgMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWgcIIog.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMUcMogM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIIEkAME.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmYAgYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkoQckcM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMoIckoA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiMYgsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYoEEkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsQMcwMA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEcIQYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\roUUgAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGAsMsQY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUcYoYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkgswUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-26728919-46165044-11943015432050424313227620917192518962118393325151439497"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\omwMcUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkYgoIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQAgMMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1102150012621024566-636749727-120923497721160739061291870401-252701871-307716917"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuIQIIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16035578782105433095-195825585877273784893015752-195879498995605744-1617114636"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCYIAAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwQkIkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOYkEIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMkEgQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3713853621019169956734558897262827681262718511-2087381153729892912743278624"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sygwAQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUYEsswk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1729302193-16294046172014723176-264518364-535671599-84248870-59146782-1356971811"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1510135592-1152830573-41456914617837833346670410835941276221877567391267014922"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-997265813-1582337210-17786799138713761441048656478-987996506296200965-160323846"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqoMocIc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iScoQIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGMIsgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "509050073130948293-6711957301064952568-20929954181584499713-19448150681131563710"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-757654127485285891943926474-7935371221516344932-346087853444579376462056202"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyYMYsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10055103729073351801612463991241610580-2102929009451084998-481767147-1455059140"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1473814112-1095765526-415136240607397240-17398757208642633512176294861078188541"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwYUcEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYAQIUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWAYwswU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWgQccQk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12373181611881470156743625981078553204-19298787195506403021222108134946997326"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12745403921459649623-1933668423-74171583-206111197374027046-534008676870837498"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20893184371601455554-548535690-647791583-621343248737752970535534776341205847"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWwYowsg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKwYAoco.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "198163460688468016866760488490249361887989781582267361-85460638470127938"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PscMoscI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "572897108210899421-1299785826-1832049060-18252964662270070142949829831880110778"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqUAUEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1091867911-1665075651-740983298-132808012717646459381534720335-1552638542-513608020"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16440877547600630-929723567-1262645582425388791-401057610-2133596987-1711779921"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYAMIwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WiMocQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1443016411397321882-220976298-181631061713581303972034653263-5366349611255239690"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMUcMwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1371568878-588745733-1683471287-1847775336-2007614858-1663943930148179782-907210084"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsgksIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "564829952-17615495431899509113-136199139-37135343930593173-19260617840138911"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkoEwoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqIMIowM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-214206214-653055562-1826798846757443175-204905062512795418441083579323-240164348"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10968801361478907797-66590486325500048517655097571929704936-749413880226439700"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\buEMYUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "50853477-167858395218982061-1457323298464534548938635341-11426837491368313178"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGwwIQIY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsAcAMII.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISoIsYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIkIUkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "403325913-3213566892884305571857071040-862266412-1022699458-851454977-711194045"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymUkAwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-199972283277464511958049468031115895748489538311245507591270204475-854630471"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1949466503-588619328-449390173-109143969713474546671859917013-77872767833413159"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8935948211949087966-1456478090112731215913199072029130688271968511013-715415155"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2594725002940095041309345526-8076001402063537237-20917920761916499444-1547861036"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwwQUUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCcosMss.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1575315247479477155390987868161400076972655184-431215454-1947746190-373271271"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwsscooM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeYEwMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "556118586-1052395094-449662403-1295206282-1882816012-1009215154-1610574023-1958133526"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUIUkEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcYowQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSAoUAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1879610405-216618833-176957901525969171606425646-6392640131929243115529136031"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyoIYoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqMcMcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EQEMIIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwQMYgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1481473575-783906451-166391476648077970-1674597620-804618824-309963891-902271836"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HusgIgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "37107306145399373711718816856752214921314012822150393302417639708441234967111"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwUkIsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1239256344-2145490306-1539428292-3340451951796055399-404428843100951372232046991"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18666846701474385849-1213699445-1497470846-8915176927816676379615751-756733498"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwksIgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-465304230-517874289-10534349988126929581497560644-68466542-2020343655-101608775"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1350808882-5453537421564592666-655852780-533066597752135518-3621755621928470193"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1509122057-1127004567-11312992463108403912496594694389030962087594095893845871"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "852542501564466909-18310009601163528624-11608927471440770230168145602283681461"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwAcEQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2131290201107990077-1650911923-1131360559-918829993824631734-12880879171194919929"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEwQUAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1703757426-924424572-16728616841370153711482732379504997359-138522438-2114709997"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-933210782978936213-16374097711803220092-705442303-9642180492038530291070350131"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GogEMMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkAAoIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\raQEMksk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5909307041696309684-899844256-628867896553729357-917113804-185731855-1234046222"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWEIEgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUIkYkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4720925971578395492470191392-7757764191809803268-16247799811638154368-39982593"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1864478160120170354117585034081884450852-671791664-1594622474556628420628882677"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKoUogQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1692756134-1569057401-13706800298290406111475258981095352460-1117208403-1545004288"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKYooYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15609968034984541421543182891133663153495109285117104749679804323001630542026"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QckAIQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12509416026927318142096725294204804013-1360375399-92612759011404845761767225808"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcMcQAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GwowsAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1816923942-128706800615600672884449482831390631741-1134942364943416911793927858"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2070730173310528321553305838507404257-2003348284-1626594177-9430019261716056602"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14590528821854449964-363393827-164189358120057033981828066381839783982-463241856"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HysMgAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17372263811328108428-130614108-1111064031104328384-2055641230-97107184-1684952622"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NeYcosgc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWkgoEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15748874521036243652560757787-1589056108129304940571130264-2059309519668319462"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2194447402772254211918178904-13170180811362977618-1675358952-1263330036-292108776"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcIUYsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-30153622693353212-720710848-1222392454-1213550944-1928254246-5203663601461788740"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-465119026767968202097392115190582870813532480121263696495731340134-523594851"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1290794424-126612602512458308421965331231-1343119009-18588610671788341577823543556"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOwIYsEM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSwwAEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "182106189514912862651685072499480323598-95354480-1769539453-13218315621794768537"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8483015181278256805-205789315614359692602009921662-421554851813953957313155837"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13725605513093354671793382865-427877227-775351463-1974031941-888735851377599168"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSQYkYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-737378151905298435534151276173806448117289973117389908-1173466684-1174291542"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "322053199904661953-524830710-2145414038948353816-1509821651-665611870-729876769"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15482366642042777786-971598928-18659104344422394971396546121518522463-1707775843"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MeYUoQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-373605285-28266011325690016-435480548-789220797-1752765473-212586710-1583163133"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\agococIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKQsEUok.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "411047244-453386863-16857293477292783896895225821024488203-1190776545657525577"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIMsAQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10786200683393231321794657623-1084656173-913152617-1569955745-1037384453393264903"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "115186563-6023816462014974297-8040147041211001917-1864101914794121890-212354066"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWAYAwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2947360451164167800-842800822-629617017-371618529782446067-16909024061967545553"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2365097421232171291915037014-8283345063079574541136196981-50318680460426613"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16076476861813604907-658304186-3104018881357979989-1706914294-221171550988006625"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-595789200266104228-1498104282-2077640553-17138858047112850561534092483-1981441182"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeEwQAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\goQoYIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1217558813-2042585799-1051105949-1487030866-554205188786813793-1999051991-2027004439"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-261773326-2063920912499612001468463338-1828632089718192311721724690-1305919321"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwooQsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1369178148-10132475791624796911-2084932193973117783-946134877-969200438-1886409322"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUQgUwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1845070961414756282-190841189810382390611910520083-13716958221787862819544862290"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6383866-515935388-1302720339689004833328383-1937682863-1183171677-92486050"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2412-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2412-5-0x0000000000470000-0x000000000049E000-memory.dmp

\Users\Admin\joQgYIAY\FMcQwsEQ.exe

MD5 4f149aede87fc6de9544671971bb6b55
SHA1 6f37c71d2e9f2f8131dc8e1b53e478570dc670f7
SHA256 55d5702da3ae379e80c46976b0d9e821a702e5cea9d46625c89d4d9688df7d76
SHA512 be51ea86e4e8053a952274bd58ad6a5686cfdb33a8eee354d76d66353d5899f9767c1e82ecdf6c2a5751e652877a1601896eff086d17f95f991e7666236c74bd

memory/2412-12-0x0000000000470000-0x000000000049E000-memory.dmp

\ProgramData\vMQAkIIk\LyYAcIUU.exe

MD5 5f141cb4cda5f8e45a80a931d9f83958
SHA1 caa174e59e956dec0fd6a73bff0ef03f1d3fc36e
SHA256 6409d5151f29b0d5f86b333ee3dc7c8c50fa94e052bcef51cd49c103781b17ae
SHA512 f4869aadf3a7a404fe1f058221fb542087cad9d839475c06b344fc749a9c75d110c61f24927c0ea78ea1b3feacd2c604cd2423e6a685553354e3350c25721128

memory/2936-30-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2412-29-0x0000000000470000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iegAswIs.bat

MD5 ceec8cb0eb33d8aa56d9273ec9b4f408
SHA1 afff6ebdd58380810d52de9fb2061e0f627731ca
SHA256 308f513fa9a34187b233081a8fc78b07dfc10a417ded63d7abb8aaeda1986a7a
SHA512 ad7a37415d5b34dc09dbbdf1a76c672005a88bba683b07629d32b669ffe16bb3908a62c1894ffdf71ef9c79d93afd227bc828857f0d72d974087963c4a5fc174

memory/3016-32-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2156-41-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TusoEowk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2412-40-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\reMMAEkc.bat

MD5 1a35be1f1c25eea568dd6b4ffc239ea5
SHA1 00541edfa06d0864f4153e3b61027d24e26e0c17
SHA256 3fa599e911c23cad44a6c7036a824268ee1ac81d15f1473d9f1b79677e66c5d0
SHA512 867af191947ed8b80bf44ae61ca276f85a3a5b1f9e5457100845fcb8c7f206cb3d5b5bbc88a574be2e513318595dff6c36d2cb28395bbaec9e9a3ee37462471a

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

MD5 598ea3255fb276209072332552903ed8
SHA1 ccd234d34d488634569a4064a65d643e070e80ed
SHA256 fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550
SHA512 3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2

memory/2896-56-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2156-65-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HUEYIkEg.bat

MD5 720c7274d3edf0f11ecaa8944c57a08c
SHA1 25e45a353c024184bdfd93a0988394911bd3b0dc
SHA256 e3d850d162f5c9fbf3bccd14c3bae992c72abff32fd7edc0682be31abd82e991
SHA512 fe6e9d4170e9d06671df1c730477ae84baf66abc77cff53188839ff9cd9eb3e1a331001d9001232dad8c0e3a7d0741a6bee1d93f249c93f8d26b2333ac3c695f

memory/2896-86-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jAUsQMAE.bat

MD5 e2ecfe54029100e702eee2660fed450d
SHA1 1880b858ad4471e2ac64bafcdc4fc73c440c1d51
SHA256 ccdfaac67ace23d240e4b78333bfff69d9c27407b017a8dea96b6c751e35d9da
SHA512 afceb41dde22a1f2d2fde728136e4bf383e2a3a088ddc0f730aafadaeb99f39a42b236d937de32f6d2eec518f099bd4b02ab76aac11b9a5ddf40516cdc2c8fe0

memory/792-108-0x0000000000400000-0x0000000000435000-memory.dmp

memory/316-99-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQcQswEI.bat

MD5 5afaf07247110e406b50a5b8db4c80e2
SHA1 718a75673cfa3b481ddf0f3d7f9d68f5d86d68e2
SHA256 1e044bac8ba91d47df67ff601efb8aa281f78aabc056d47cadb65a6a3297c659
SHA512 f4a2247679c570a24e59edc81b50f17cc5b5fccb4e9d0c2107d7732d46cb88034e9406ab583f8a606dbccb69b9ea34275be43f8dedf68837516c7722d18a7129

memory/2052-123-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1480-122-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2268-132-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cOQgwMkc.bat

MD5 dc6018e8ea71808adce616600b40aa36
SHA1 f8cd9ff674613f7f334ca5824801a33dd40bf995
SHA256 b3f548a8c900e2cc10a2b97750383d62cc4dc318e52e392e3c51c7a15dfca00a
SHA512 a03e2679ab61cce6219a79a076c905cd3bcf16f221e60193da65d11b83c516e0cb874a95a42f24db1351d6b500a246872cf5fffa5683d4300a0f9dbba4054176

memory/1528-146-0x0000000000380000-0x00000000003B5000-memory.dmp

memory/2052-155-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qSsckQsI.bat

MD5 132a8c714b0da750c7aaac3edca60f09
SHA1 4f595faa25a1390d4aed1b16140f6ce6d1d7f2ff
SHA256 9ee76e94d9fbd3b808c13416f0c9fe6c78f67bc28a877d249e12f1911aa4f56b
SHA512 299fa7197c372990b72ea52748c053f4b877389dadd6d44bcd45800a7fbc73c6a0a4f6e070f552cf8260da30188a9cc61b80e75d1f2dd4addafb305eb93554cc

memory/2456-177-0x0000000000500000-0x0000000000535000-memory.dmp

memory/2376-178-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2196-176-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oskgwsYA.bat

MD5 9c06e31d4b6d3a86dadb6a25d8851b4d
SHA1 5d43f625bbb32428dc95b174eb266aca67e102b2
SHA256 bcfcc56ee6929de7a27cbfa57f133889f49bd716cac39869634c5e6d20786551
SHA512 1859c75db2b4d02f5dc3790ad0e21fb85d84b0ad33d753d8ecafc80b46e0b94b5569df7ea6815c6a2fe3e73a6e5eae3826b2e9ca57bda648f7f6e986d1de45f1

memory/2888-191-0x0000000000310000-0x0000000000345000-memory.dmp

memory/2376-200-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TwscMwkQ.bat

MD5 c794df9148468dbac0e434d21f36f2dd
SHA1 967e0fa4e5e8ad5f9eae9f7c9ca2063a05cb8248
SHA256 9f55e33b82375a637efbfaeedf1db048a7983af41b7a99a51a6f523f61b4f058
SHA512 1f8a1a999de4bbe9cd2c7b28010db11cfd5c76051f80d222217757bddd4a80588cbabf398af875e1c102135a9eda3a66665ff798fb1a32a87fb5deb0b5491c8b

memory/2556-215-0x0000000000310000-0x0000000000345000-memory.dmp

memory/1976-224-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lCQoIoog.bat

MD5 f88edf542a0ba1218e9b5cfb540bb407
SHA1 3b308dcd5c77e066ac48b0be21db3a33314b556e
SHA256 6a29dad161e70df8923112ea0fa16d930bfb4845e15043abfd653da6bb09868b
SHA512 ae5d80b76e2f452727e77cdf72f6bb4425325c94801ce972feb3025a3f36245891fbf0fa58ed638e4b1c2c96f66b43718e04345b551a2c829ce51275eaf6a705

memory/1844-237-0x0000000000240000-0x0000000000275000-memory.dmp

memory/1924-246-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DmAMkowk.bat

MD5 4d21b1c2ff98d8a3adac672d1814a569
SHA1 b115e1ba8818f7da2cd6cb2d38a54fb16f5bea4b
SHA256 9cd378679ba5f3db159ac7836d12c8467d3f882ca754a192590857fb81d5604e
SHA512 fc26bf146fe0d8b0bfbe4a3bc8be49316b8ae5864552afdfce79c6730987dfc21636f9365349003cc7fcf6099b7fec3f20e2c77ed844988403aebd337ff94168

memory/888-260-0x0000000002270000-0x00000000022A5000-memory.dmp

memory/888-259-0x0000000002270000-0x00000000022A5000-memory.dmp

memory/2392-261-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1320-270-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yAAUsgMs.bat

MD5 35fed1c098eca633976b31d75da1fc3d
SHA1 5e8ec73426fd661ae01fedf09ed37fbd4ed1f4c3
SHA256 9fca66f20a2cc8a5bbf6d06c0396289a8a2ad60212c8850fa92493f45540086a
SHA512 837901ed7701b30d08ff195b69bddf593633c7a7188b9490d1729a2971ff8bdfde33a62a1f60b742cbc0e759ef216fe623ef3685dbf9211ed44cc8de5070f851

memory/2872-284-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2392-293-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ykQUQswk.bat

MD5 0f36ebe857f7bae8b290229115669137
SHA1 302a2d7361e541c89574984d066957b9716f7d45
SHA256 6f6a90c0993c085f2c6594256002b4fd9e75ef4d744d580d56ad9bb8cee85e12
SHA512 72d25225f4cdb9cf4b8ec0b91af718b48a6a1c639e020d7b9df7c8dafd9867d236da21cae736cd97a05e2b5b7f675591a7f41121c6ae074b7b720610a76136b9

memory/2100-308-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2100-307-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2872-317-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kEEYEoUQ.bat

MD5 d948d31df7ddbeab5c264c892cba62cf
SHA1 00d761908b5a8e7c789024a95d931dd72d07dcfe
SHA256 16d35776bfc3c23144d23e0ccd4d7a682ab5c7daa050b5adfff521146b6d3aaa
SHA512 24fecc0eee687d311a30987ddff959852e0085979a22f2cc3720686cc5e7216d6e96948e5da3e14df489886f5228b94eb1a4dbd9086e3418cc7c43fa08219cf7

memory/2808-339-0x0000000000400000-0x0000000000435000-memory.dmp

memory/668-340-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2996-331-0x0000000000180000-0x00000000001B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WmcQEcQA.bat

MD5 384bab9cba895379e1dcb25a6e0aa5bf
SHA1 0b8df74852885ad89076947f59ab48242088517d
SHA256 86304ee6a80f04ddc5d1fa256bc574a9b85156441b99b7217ccc3807b3282bf5
SHA512 65a4414ad5f8e2524dd47b24ce0192e8358ac884af96385b31771b5d099cdab2f79a349dfb58b75a2021324ab75408c35349a31c0e306d43493a5d9caf06c8dd

memory/2148-353-0x0000000000180000-0x00000000001B5000-memory.dmp

memory/668-362-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HqAIQwgs.bat

MD5 796d711a8591a49db1a8f38f1b42acfb
SHA1 307ff71f94f1b6c47a6ae63450ddca1b704f0351
SHA256 21e2977c2d748da9e5115332ff7da03a1dd4e9c410dad1442db01338319df667
SHA512 c61980fb577263b6d1faf49b83cd150a4a2a8301861ffd70c1d985c081952ad06c74f5accc87c912f95b266841833e4e84b9d1ee1e4e9bd73a19914e1995dcf7

memory/1644-377-0x0000000000160000-0x0000000000195000-memory.dmp

memory/2180-386-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XGksEocc.bat

MD5 8adcbf3541b64982d5e2a7034297d4d7
SHA1 a4cd8a1099049ac33c33b69050141577503605b8
SHA256 0b38e4cd6193bb56342aedb0e8c8aa3447a19b9522faa6ec79e355577e7f607d
SHA512 e1baf62cdffc534174c900fea296fefe5ad6f8a72652f139dd9276e14784d3fa2efd2d96d29d5936c05b39a0e2aa337b9ec6661f7c14e81d487a7a692747306a

memory/2716-401-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1188-400-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2460-409-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\takwEMQA.bat

MD5 340eee9fd5addc5d64b17dfc9d4f83dd
SHA1 7111a7f0de540810e2de9f87d4b8fdb3b29c1740
SHA256 8baa5ae08730b1cf77cba3e0993046bf36e02a5a9fb0435fb1b7be7a7d85d54e
SHA512 34c62d9b432eb2540a7839955430952193c29671f9d0bc52563011dd97c7a6083510300d854a74986b0907a574ce620db53fdb918f799819324b46538162d3ba

memory/2440-422-0x0000000000630000-0x0000000000665000-memory.dmp

memory/2632-423-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2716-432-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JAQkkkko.bat

MD5 96a66c4f2ba56fb435f31fd91c0f496c
SHA1 3732000345e4ee2f73b5673e295e46d09c4aa3bf
SHA256 846d17ababaf1e4b7f8ede5386088498ae282ab9c47f7c369e800a2ada764e3a
SHA512 c070e33f9ed862cf950d891f9cf2cd0916f045e2da35fd82a369f84e0405f1fd3b15a438e28f53ad1f456003640e878b25c025e0a4391309ddb0ad5ac7113085

memory/2632-453-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\vMQAkIIk\LyYAcIUU.inf

MD5 4e150ab403015b40e080768f227274e1
SHA1 ea4b7345bc3b76c30a5dfee697047d7a686efe71
SHA256 b69b60097c476cc38dafed21c5895646b453cbb3c436c58573e029e1465d38f0
SHA512 4d2af213116f071dd8c501cd49448ec3e9df69d690f894f7c428c28a8924fb7a59521d49617976b1d2e86046c460f34ee03434c97b065f2d7f93747c734daaff

C:\Users\Admin\joQgYIAY\FMcQwsEQ.inf

MD5 76056ded7b9af86d6ab5d9166f775958
SHA1 daaa98c0b35bfa7c20dcf59f6fe2051a6377ecb1
SHA256 dbe5e0f7d8a6cafe5dacb2d22dff70becb9742b8b0f40fe36264e29968afc15d
SHA512 8ce66101e7cc123e0d2e515947c8f7b1e9335976df8c1926b7e5791fcfb59d549ca8a4d09f87ca2722ba3876feaf5c0d81194352541c5629befd6878b5fd4a65

C:\Users\Admin\AppData\Local\Temp\oCcUMQAI.bat

MD5 90ce2118b4073f2cf7bde25b282af405
SHA1 4bc0700b82cc7012f46356f1e6759a420f8242e9
SHA256 6046e4b3258dbc49d691c7173fe04be5d006986cd6f4827d56db697e8cba8e58
SHA512 a8cb3f5328310e5d1f9da10d9cb12e3462a63c5154240c74991dec21e658533784523b1bb6ca2e45b306c79d04a744c07a957437679ce6b35c45581dde073788

memory/908-469-0x0000000000120000-0x0000000000155000-memory.dmp

memory/2756-478-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eqEwkUsg.bat

MD5 a09077bee1bf047ed7ac5bb613614856
SHA1 97fe079d59d0a60cb1b7e2c1fdff0949c7010609
SHA256 caa58f7f8d75c01d431424955c6a2528b894b0abd86d2ec4c7212dd3ed9c828c
SHA512 5611229203e74d5929527da23e0a28fed6d7ae25a7c226e69ae97595b66a26d9cb23ee59b2a0d5334cb70ff5fab251bbb646e287b6489b98a3b62ea2cb621412

memory/3048-497-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2544-489-0x0000000000120000-0x0000000000155000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkQQMcAQ.bat

MD5 8420fb7e0ce295a671da837fca769e05
SHA1 57cb0f32ca2d0ef173fe6b8113ed71b40390f8f0
SHA256 82e985e0deb24a86384ffbbb3256b29805a68d3e199573caa3db14a5ba294abe
SHA512 dd95bbbaaf63d52589fd9c4f9c8e26484786cc7938a4937414d05c6691813ad8173219e99763cfb5484f69cc57bce3124da0760d0798edaed972381321fffb5c

memory/2508-516-0x0000000000350000-0x0000000000385000-memory.dmp

memory/2084-515-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TSwEAAoQ.bat

MD5 6d5a93f46da3add61d034a0f8201b510
SHA1 b369fd2ae3cfa7b3d8edd0373e401a29280b547b
SHA256 de3ff04557d3727d4f73f1c35a9c20a4388e179a96eb1df8f43afd5406b2a744
SHA512 b7b82a53af50e4988415769f835f4e79d16d421bcac733ffa8a13bfcc8d7432f88467c663d7833b18df7f025ad856e9516a23ed17af98e1e9341942e4c57773c

memory/2700-537-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1648-535-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1904-536-0x0000000002260000-0x0000000002295000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XAowQwYQ.bat

MD5 195094336f46116c3eeb7a617222a0e9
SHA1 8f6a6ccb9cd1875865fcfee36f1e3d6595021d65
SHA256 bfeda2dfcb71db014ef1bfebc18b8e9b11c93dc9916a11922e1cb176a4d086f9
SHA512 8cb11704ffc40604331a3cf6347a0604a7584f3a5e49227c26d46225751adee8f4f91041bca8e008ab08bc125c61d43835db56c18007d4a88d63a2baa1892d2c

memory/2828-548-0x0000000000170000-0x00000000001A5000-memory.dmp

memory/2700-557-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RawUswUM.bat

MD5 f78eed56467c1d15cf747540b0dd33ff
SHA1 918b54d911c534ee2f2c5d18dabb3f72cb75dbc3
SHA256 e75db1b8d958f8612e485ec6fb2374b42fc0c60b3a28ca369a51b472e3fd07a1
SHA512 a5a31b5fe85c40d0072117dd7b7c88ade82f20ae887730e317970ffc274c6fa94ec31d457cdbcb69f9bed618cb251e242c85a8a758bae290c16a5165e147dfb7

memory/2596-575-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jycEskYE.bat

MD5 47b7364348205f2669bed8ce07e0f910
SHA1 1e1bf568539ad7f763f650055a406cd4f0cfd907
SHA256 e8ab2312f80c7eb94eeb3d8f6e36abb8dbfa5743e40d5403c5e33d8a1f79b0d9
SHA512 4ee02343514db812d9fa99399e96a8ea168dcc2c4d0ba919566daabd380b8ef679e12c9e1174644739b9e59381177cbe4323043cbe86a1d3c82eddbc104aeb85

memory/1856-585-0x0000000000170000-0x00000000001A5000-memory.dmp

memory/1032-595-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1856-586-0x0000000000170000-0x00000000001A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ueMwEkcg.bat

MD5 2fc015c8f2937880848362a998aebe19
SHA1 a5d28e736c51e72ee669e1ce81f10702242972fa
SHA256 d817d9330fa37e5b5e11210590077ac45a9bc0b9f327156645b562c0f9205ca6
SHA512 bb1edf8193ca96b98cb13da51dfeb32af73b2af03e3f07453aa8bac64fba1d4aa1cdc96ba3abbe4988f93f359d46c4fcd0850780db5b1470ad44eb5f1f577e63

C:\Users\Admin\AppData\Local\Temp\CgQa.exe

MD5 66b2b1148a10eefb32b8227ce262defc
SHA1 74b0a5548112118f6824ca8e0f438941a3a9e670
SHA256 4279e081346131978c13d49abdeb6a955d171bdef0876772dd37084170b53ba9
SHA512 a7941dc29ac5eb7a4f2d0288feaf61e0a46c741f45a37412cc4c9d3964d55741853145559bf4756696e1b438fd36b31cb225cfae2df612aa11e90459acf1753c

memory/2124-629-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1216-631-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1512-630-0x0000000000120000-0x0000000000155000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MyoYoUoY.bat

MD5 667488904dcb032e7eb2973bad9b4198
SHA1 a1d90b0b4fa66967f918aab4e51f565c42f8dbc6
SHA256 60f199abfe37d1ce67f4d76a9ffb9c8bc0739823a82e28ec7dd99a4dc62f5e1b
SHA512 13cbf38f7d6ef804a51a1fb05bc6a2220266eb5d6b35a935c571e859a92777c2c6b769aeee22f66ab4d9c1b4d81ec1a5a1879e0f4b36937da317278675b849b3

memory/2408-644-0x0000000000340000-0x0000000000375000-memory.dmp

memory/2936-643-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2076-642-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1356-653-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1216-652-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kWogQscI.bat

MD5 2e8042f2c3bf7b810baf502f07fff362
SHA1 e766c5be982e8464cf3a33bb783a41d2f2286a71
SHA256 84c723799b5b5c1294c928786a52e2940492443435c4eaa97a4e788eee5d46a2
SHA512 120dc0a34b19ba426985dcf99562c0fc61241ea07535349cdef89f71d3f376dc0b8a11f0d55d1f583a1280515d72320e4077a43be56ef5f39d448de83904b287

memory/2852-664-0x00000000000F0000-0x0000000000125000-memory.dmp

memory/572-673-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1356-672-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dqUogwok.bat

MD5 2dbbc35540ebdea1b1ba5d5604fbcecb
SHA1 d4f36bc23b72eae80f372019db31012de6158d04
SHA256 73e9d2fcec97989cd78c5fa2b61ee8dc671097af7514918a46f442c96efaf9a0
SHA512 5140ec3c8aaf5a19ad4172fcacac8b44f517c7b4461cba5448aa3ef6e1af175492bd63a87b1a0ecfbc8f020c092f7b7601813e6534e65941d164d512d4b04ea8

memory/2628-695-0x0000000000400000-0x0000000000435000-memory.dmp

memory/572-693-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-691-0x0000000000170000-0x00000000001A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DmwMsgAc.bat

MD5 a4538cfc0001d27d1df01edbc0267c59
SHA1 2ae61e75e2d66a97971d0022919ccc7731eac87a
SHA256 61c2399b86e158b3f6c63fc5426d2c0aa39b331b5ccdeadad81ccc821f9655e2
SHA512 eafbc7021b965630a7e349f9bc9901b1a8945e59d7c2433e8e05fe2dd2d51d19e4c1819f0ccbdda8f9806eda264edfdde460bd88ca4c5aaebaad23366661bf64

memory/3056-714-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1404-706-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2628-715-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lSoYAskU.bat

MD5 ee108d9bd518ed6f5d4e3028fdd42bfa
SHA1 576b37c34ce70475e4e2bbf5a7a50772f6250ded
SHA256 20c7585879020163d043e8ef14123e49a46c374e5e057adb544a6513c715aef9
SHA512 b8864ea30428b31a3ac0540a1b3b19fb8e09883697b3d7ea30287ecaf4a37e6cd904ddf042b8478199545c0a2cfa035054fffdb1df56a72e378f841e73ed393a

memory/3056-733-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HkMEUUQA.bat

MD5 9e784e4f153c0fffa637ccd727670a32
SHA1 376da9de308c67006ed227bb702617996d370670
SHA256 da403e4ad1a6dcff3724244ae3f1a3811f3af249a1d18105b064a42f813b52f6
SHA512 4451e858b52aaa7f7b931fc5e8375d2dc713617a16c2af0bf220f9ba38b5447e256ec3f3c92ebc3f9f8b19859119e8b99a3dfb267224272f1ef39f3736cf4053

memory/564-751-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CQocAsQw.bat

MD5 a91980ef1b887d02b2c7f26bc99a41d6
SHA1 27c5ba2a45144dd226f4769c2777ccd2386420ef
SHA256 9314d54e50a8720744e8db1177c884c68fe7481708b2cae3ca5d019bf9065d50
SHA512 9892be612a884d23430b746897ad9a2c0b01b0cd8d4e3ed0fdccb36861203b339aca6f532e8d857fb4e4f1d318634f3462bd6525d36306e8e614a480e0f9e824

memory/3044-770-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2140-772-0x0000000000160000-0x0000000000195000-memory.dmp

memory/2140-771-0x0000000000160000-0x0000000000195000-memory.dmp

memory/1560-773-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkAcYwgg.bat

MD5 5dd43946eb620a712d89bad0b9b5add6
SHA1 da49b6bf61adec57639bc612d44656cce8555331
SHA256 41c6ad3cc691e1e7284977afc537c8d8ff5c50c6195bd4b5c43982b150955be5
SHA512 66ac7e8922fb0e0c48ce66974998237fe3a3d8df99dca5b500d0a885624c5c2b8369d596a5b1696f82ad9412cac79b3c0c2dff7e354943ff502be3c6752aa026

memory/2652-786-0x0000000002230000-0x0000000002265000-memory.dmp

memory/1560-794-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2652-785-0x0000000002230000-0x0000000002265000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ccMEsocg.bat

MD5 024fb26777f53c7a8fb89cd9a03de347
SHA1 c7e4243a41f1d5d40d869409bcfd33eea1ed0aa0
SHA256 f0ac60506eb952116370eb27379d06d8531596af2fd99c356b1f0b48becc17f2
SHA512 b686562eb2fb4ad094d4c85c9f876efb32b2527d785bc294e67b6635ef03d393d6b1d69d37f609aa777e7bc38ba599dc4cf4e1d3614cf64cc80299007c1dc445

memory/2596-805-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2724-813-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osUEwcEg.bat

MD5 005bdfc05463e9a247eacfe596136a79
SHA1 742882b3f8fbf4ad991e0968c21c901faa879035
SHA256 aec292ec5e5aa8e0f4a8e1990ee46906b07d5c1026afe718fa6b2b50b083c3ba
SHA512 6808826fe233bc7cb97860d148911d1e0a531c4759f7b600f7e13a03d7ad5506cd156f046c33489637b426d4923adb0c905ca7f08f740daad75b6d1a5c30d1b8

memory/2884-832-0x0000000000160000-0x0000000000195000-memory.dmp

memory/2596-831-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2560-833-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VQIkQIAU.bat

MD5 f5d1fd426ff1a5f820a72171e29fe35d
SHA1 e9ca76a15e465a68057837735e249baf6c22396d
SHA256 2a19f097b04b6ded6f0bca61c263bfdd37aa6c33d5109512b4985032942a5a20
SHA512 7250bfd805357ef517a4cef30be7f3267c16c8d329a30ad828d53d3e9dd2c78ebff5f3ce872768c272cf23fca75cfde186ce4791cb38244ed23b02938becd88f

C:\Users\Admin\AppData\Local\Temp\BUwsYYMo.bat

MD5 e5975c44fc74f34a37b0d07587652c17
SHA1 f96a23d5711dac5ddc83f1924a61b666ee1b9c09
SHA256 0d81627bd05799f2318772d6b23c756a65f25e525c7a98a35179ad112d8b5da9
SHA512 a4b4c6a605c69814b3f228265dce8cd7702acc51ad07111874c065083235542bebe03c51760d97921065880c877c391b38d0b247178ca881ee051dca82e19275

C:\Users\Admin\AppData\Local\Temp\XcEsEowY.bat

MD5 309b8487e5de8cc95b01f436031093d3
SHA1 2f2d376a33e985f62d4e2113170cc8551ac80a6b
SHA256 06eefeaa5f6c85c378274d35f98bf6cd13ca60f4adf846267e67f9e76af2738c
SHA512 3449d88e091fee7bf12c555df54b681eb50617106e74009eac802fea2c863697668cc71e8d31fbf57de2efa2f7143fe7ae574adf15661c55a7c6075847facd8b

C:\Users\Admin\AppData\Local\Temp\pKIMgkIE.bat

MD5 f8082e7f8dcd627d43a8f7e09b955fb2
SHA1 5c121f4ec266e70c503fe8718cd9aa573ca81cdd
SHA256 8e3992fd8e0b72b659120c20dae5f88fba10f66f79fc66efc56f625ecd59bdb6
SHA512 047f6423e5deccf9e1b27cfee11e8b7e8fd976fbd2f094076c0a036c356ea95be11259846fb0cc7cd11d325adc043dccbcd33fc224d76c6da6410eb718c29a46

C:\Users\Admin\AppData\Local\Temp\OCssEwgY.bat

MD5 8352c5fe4cb8eec0fc39bc27ab741e9a
SHA1 2b75e7fe1275577c11bf3962748d8291caeed84f
SHA256 b425208c30cf8346396b2014604ab7de8709c594e48c95f1687f2069cea0352d
SHA512 812e85b4c29a84939b217684b06ef0e57aafc0225618fc33555c0e03df422459cc177d73473e3931bf40c3fc5490965843371c9cb5a6ad86b7141549881b1a69

C:\Users\Admin\AppData\Local\Temp\ACssUIkE.bat

MD5 25dbfd26a0f1ecf6bf5c954be322877a
SHA1 a1a6979822ccc2532fd237d20e2a4102a35c38a4
SHA256 d140fdab9b9117e9be541ccaf40383df2cedee0982da856c998ba220b9751955
SHA512 13861f34f13a03aa8b1ddf69b645515e568de9497c64e4a624c50450a3746d356d3ea8c391c6b6899577341fe58839b3ff8aa31e84d703363dfdce3e4b70311b

C:\Users\Admin\AppData\Local\Temp\WEgkcEAI.bat

MD5 9b826e3395cb5dee9bcf50d1dd081f8e
SHA1 86f794cd20cbf7bc72eb2f8ab30b56a65fb914c6
SHA256 c9d785a07345cf07f04e264657e1cf36dcea0e5ad60f85e17764cbdb0f7a0dc8
SHA512 ed376b118d155b7557e72781bce9f0382c295011618e0aba6efca5358b901cdee73d68d297e299d9c6e11e4a34d614635341e0e010303d2e4efd658eb8e9401b

C:\Users\Admin\AppData\Local\Temp\KekowoAw.bat

MD5 96e907ede98295e7e1b539bc0d469943
SHA1 138add04d0953bffd601e2dc18ff9fe9607ae471
SHA256 115fa679defc980eecfe4ba30c26903a30cb3c0d488999199dd1b917a0bb6528
SHA512 7301cee47f34962e501f375fb01f2a9489101a300ff6e4c89ee053d273d52371a03faf3c091fc86159b2e0431ec79976d634ba15e9d8e3ae0b9018b572ddadda

C:\Users\Admin\AppData\Local\Temp\QMIa.exe

MD5 2a4357a2700d4be9d6dc9a46162f7c54
SHA1 c05c3bc6dfad3ae03574c21853441a58e2a6e454
SHA256 cc17a18eac6df8449e2cfb3049a37e81996f8ebfaa48ded2f5127bd58ada1e0b
SHA512 0b66d9306740ee0f36b30bf3c69825736dacc640a84c8b9d4d5e3c79a6e7bb10623592c003f14fd5312eb60c92ed0fcebc29a044d0bdcf0a12802999fef1942a

C:\Users\Admin\AppData\Local\Temp\qAAq.exe

MD5 3ed6f2a38e82d21abf9cb4123a310065
SHA1 ca6c92fccb4cd2b60754bf41cdea0f43b8a194bd
SHA256 a90f47890e5a676ca84fc02c9da698cac7b52046268c36e4dec47e68d81e094c
SHA512 a3e3b10c2de0c33c7cd749eba4fb4cd18c8ab6b5b8a3d6408b413b142c013dcd16afb543e41d640e3a305c723e8337bc5e53c020eb09022ea09d481cb189afb7

C:\Users\Admin\AppData\Local\Temp\YoYe.exe

MD5 78c36b809880d781c5a2b6fe9fc48e9f
SHA1 c88048f32c28d346766c1df2786e71a0c9486246
SHA256 73024814e5db26e21a8293b06e7e335cfa3596808ab021d7493fc07aac227076
SHA512 33fb2f4e0eb07cde512fa37344ac1a7e02bf1077d7ed0be3522fae35260592d5939096e2cf1d06f9389157d83e214f73479a53ffc9ad468b3af66f3112ae24e9

C:\Users\Admin\AppData\Local\Temp\okgs.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\soUA.exe

MD5 70722caccd53f856d98335a59dab5d79
SHA1 36471aabc913a100cd5823286adec1c916a7e298
SHA256 771bd7e6c6941fe3cfef5caef8a05da5d2192d80064cb1c7d3c2154302e7435b
SHA512 76ab488a457d659b1d440d17a8dcb504f7116f2b0b373b65d62cdd867f7eee40dedc976b71c74b19667c99fed368f017b640e9f8c2bcaeb359f753a7a70b558e

C:\Users\Admin\AppData\Local\Temp\jYoAcYgU.bat

MD5 db4058ff770f0bd8f985df1707349235
SHA1 c70de41fb2ca8412e0e90cf632b6c069a95dd3b8
SHA256 6d28636187afb6cc44fc9d0806b4a4a5d390a1a1df7a4ad79c3eb6902f93230d
SHA512 90ada62f2f5b002cd042b6b6aa08ebcd4637ec214dccc4e3443de1ff0ad3342a3229189cdea6d4de654f6fbcc56369a7a588bdaf2263381f0c5d6a90e459d5b4

C:\Users\Admin\AppData\Local\Temp\icsE.exe

MD5 62a9279b60999db7c08a2c2ab629b245
SHA1 a4ac0a7ef86b08b9f18e9ce6452803dc9512c47a
SHA256 7c89e83b95d5175cae912f0d22295a6a1f204d9e15bc6648f662c1548917ad02
SHA512 b13066531d4472e824b908d3b17a4becb1bcd129189476730a582ec3fdf3536c8143ffd96deb055d15023de36f78b0797438652b732594010b758836bc31b932

C:\Users\Admin\AppData\Local\Temp\yYAs.exe

MD5 300e17d08daf605b4f6f9f757cca3547
SHA1 7c60de2100024c20e59e4cfd87599623c0b33974
SHA256 506b446b3acd729022f2a2f4d2ce9cb05c03a59a2aaeafce9612d325b33c4373
SHA512 700f67a3212d4799c5efd41a656befba7777575d2aa86669c3f6fe329da9345479d1684e0483ddf02f832858067cbde97c2029bb646639ef41bbbe9c42874bda

C:\Users\Admin\AppData\Local\Temp\iEEW.exe

MD5 bc223d5a2a65f9defbfa0b1977df4c1c
SHA1 ada1e782117fa5d00944ad35da52a0c9cb17cd19
SHA256 745f3fb6e421e5b85c6f1b8591286269e1b08d1332b69f76ce65bd84c815d672
SHA512 2b1f0350177fd05227900fbca912097f3e021ce6337169212334495ebe292cb49e64c4502457753b78a7f4391a89ea695113b86cf55a3b73cf24887ab5f628cb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 41416bd2da4892ec20ed952df2183ebc
SHA1 f8462fd559acac6be6639cdcb94d71d35ff6df25
SHA256 eafeadc2c3522d9fc1cb9b67c47d6285a8a59f8c3e7ae4c542ed9183e38269b3
SHA512 323482c4adeec87b62c9896a977584ecb192f932a03370ae177f34defaea3c8229ab200f2220376d3bd875d34bf42470feeb127f542b02f57ec7e8210c312c50

C:\Users\Admin\AppData\Local\Temp\oEoc.exe

MD5 433fed9b7d1fbbb25e0064c5429d3f69
SHA1 e8658209961a403ad52ce788bdc982cbd6718651
SHA256 f8859261512510f4eefe6d02c31c6e2aeea65db8845b45476419087c79503abe
SHA512 620060ca93bbe6eff5e082ba9f787d1ab7a738e6546959bf82d306ab18f7c660bc05538d3fe6ee31013d22e6930fc6fc08fad1a3b3c7cca4fc9663f2096b0be5

C:\Users\Admin\AppData\Local\Temp\KEgO.exe

MD5 edc1a86812d9aa8006db447734394414
SHA1 8cc422e17bf2da74c954e65f6b2505eb601c41a9
SHA256 c672f0a57d7297bc163a856145dbf70aa51af72c38a49d1dd48a96fa0c6a7ee4
SHA512 76da19169794c201095f830979393d7b7ba96ed12ad627f3c85835ade2e05c5f3db9f5139b759787838c7c134b3b0ba0e73f39822dc87bd98a30f77ebd618d01

C:\Users\Admin\AppData\Local\Temp\dUQooQkk.bat

MD5 286813bcd001d71629220d87c103bf8c
SHA1 ea211c70c52dfd4add03185a265e0945707067fc
SHA256 0da6ce26ed1bfcfd9be0bdd9c815a898b685dce33be53f5069cff55885cd6b9c
SHA512 6185a9f27f8ddc057d6d200a7e87eac037884b6ef36c4026edd8df698bb1d523e8e23fbef4f5a63b62efb3e6b443f547d07a42dffedef495dd0b15c8bdd305cf

C:\Users\Admin\AppData\Local\Temp\AgQs.exe

MD5 090f93aac0fff78dd2a29a2884e18243
SHA1 37651ac26bc506bf9649abe093a331f03e8274fa
SHA256 a76393306a71756af4f71c6d6fbab45ba8b65cd6d22a335631aeebb2ef614a60
SHA512 330acf62f957890bbd882642654438f1dd5393e3887f031229e14c6339de77cddf250bf0523ab78775ddeea903b19f8e679d1e5eaf77e11ea9ad83d2da051326

C:\Users\Admin\AppData\Local\Temp\CsUM.exe

MD5 561201b32ddce1e9177ce3a3c41099a9
SHA1 5d55224295c5ba00859aee519a69ea6c71e555ef
SHA256 413dcbe39395bbcbfec27e39729907295fc0309f677ad8c0827ae2189cbcf8c8
SHA512 11cc8c71be4f0a596a0454ab0e2845e680e121150f8288ce63c757d14a517ec6df291bebbbf2a68e32419a527c2b19cffa3cdd87b009d2a54a1c8f71a8be7f37

C:\Users\Admin\AppData\Local\Temp\kAsm.exe

MD5 de6be23fae77c5a17bf65843bbc2ec1d
SHA1 3944abe11079565fc25fdbc8221cde063775be69
SHA256 4ca72dfedb898c7554d4f345cd22bb31c98b71fa5daa32c80b8652f7e15009b4
SHA512 9d1ee5554cf87cbbc54f7f8138cc88289cc8d77e5b37ddac44a488eaaddbeac83f96c84f3459d7ad1249fddd6e8bacdd8d2fdfc0fa239d48036dec91b184a71a

C:\Users\Admin\AppData\Local\Temp\wsMe.exe

MD5 881bae6e617844dd4a02d11c5ea6fe88
SHA1 b55d022faacb91dae93b72790309dd3292a7647e
SHA256 7ed201cb74db893613f2d651d1ee7617763e8405409f9464e6840c70c22a3064
SHA512 c7f09677798a658c3ce44972e2ac7a9be07457c2a730fafc57adccc3890eb2f6acca1aa695090c6482d05ec6371bb99fda917b21430e144a46a9398cb076c14d

C:\Users\Admin\AppData\Local\Temp\MIQS.exe

MD5 49e69c0a5805d58fe5cdeb5ac02f5f95
SHA1 1256f4afebbd21da0311292b8a6e6c3e4b2dfbfa
SHA256 17e4aadf82998d83b5cccbe4de112c246841e80eee87903689dfccf9107f7900
SHA512 fe9c1a35e4d30af4d13c0cb77f8a59b88bdab41ea6065cc19f1ce417f77a109e8d213702193e33495d5a6a921e6fbbfdf5f2b95a767402edae1ea6331e1ae49c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 b35c7a3e48dbdfab12018a8979159dd3
SHA1 db5775d13d32168a84450a4d7dd1b9fa9ae784d7
SHA256 48c215c539994cba29a3d7ec9007abb3244856432a58b8ea6dab54f35383a99a
SHA512 968306f2498b5f96066d5c4d79d1bf94272d0304131261dffea1a301436fc773402c6630fc887970cb7d3994b32f63e873ee20b8a00cfaec070abdeedb38b46d

C:\Users\Admin\AppData\Local\Temp\VUgAMUsQ.bat

MD5 81420abcbce165f90f3d9ea6ffd1dea5
SHA1 fc77313b6a35e37306d9ae6aac54c8c94273887e
SHA256 a62bd9862ef8295f21b3b5879cf62a3f84caa4d64e221b5b9a40a32ce00f7ef4
SHA512 47690bb725310ecdc8ae58ffe590e5566d03752ecfd16e1347fae486557b7881d62ff555eb593ec8f09aebb6ba70a3c6067f1310f59f2512bb0ec2ff6e94eaa0

C:\Users\Admin\AppData\Local\Temp\SMsK.exe

MD5 f8e23ecf5e2e3029749d1e42560e37c0
SHA1 e86db0f65eb9b8f75e8c611954a8856249398294
SHA256 c21404235a6092182639fb6fc0b4f6f5687c0cec43aae374bbb0f1ae898afa22
SHA512 68a187ad47d5a47b61faa8d69e2bef1ff6d56b52882ac32d1cdd7502b5f82b76bc40027885cc19132c8e8d93f0dfd36df0931c62015b35469295ed1ae91616ab

C:\Users\Admin\AppData\Local\Temp\Ggkk.exe

MD5 61907f21309dbcfb84396af7cdf01b25
SHA1 e92832ef82984abe411e8e054127d37041e38693
SHA256 0a4b2c15b8d9636563d1e22652067be4c5b88ce77f6bfcb825356e59e664815e
SHA512 3791a098e93c525afcd7d350390d9bb0d734b7c631b7971335fc57082d34006c3cccbd2ab1cc48b0d7eca95da134683e61bb4e41a8547999421205db23c3eb30

C:\Users\Admin\AppData\Local\Temp\sMUS.exe

MD5 01891ad0567b5362a0347d5ac29a36bd
SHA1 6a7e6ac2cc2c03cde7a63bd53a6c4c8508e2269c
SHA256 a250572fbbc60761fc89f3939d7ea15f9a270fe1d33044daaa4032495141b8ca
SHA512 84adeb37b257e436ae4aa72128925a6e494c01703f21b5b5e490602c5f050ee96f0d95edfed6d5319c4f7f4bad2200671d11971a54c798d1cd3a609a99372897

C:\Users\Admin\AppData\Local\Temp\EwAq.exe

MD5 fc9b6351e9a7b1bb64540516dea0b29e
SHA1 beffa60c087728696a73a3650ef3acb2a744c317
SHA256 eac9033c682a21ab32b322d713eb5bee049f8c5a10ab0f22ddf14f95fe2e7d26
SHA512 fd235f15184c6c652a20ca2ef074c54a06a6bc66364eb6aa298788e63050d45fe11af196fb5e996be3abc2c4a76ab3c9e25c65baba01558d860743ce17d94965

C:\Users\Admin\AppData\Local\Temp\EkkS.exe

MD5 f34f24083a6e634ce94de91533b02c30
SHA1 b1fc7df3bb5313b378572b47da6a14801832a4b6
SHA256 fd99d77cb8562638c0271fc659fda0c1eb147c36951b619be1d551282868bd1a
SHA512 e84c500a9cb74e46f603c05eb4e4af22619b7b9d4d1d721bba9d283c8f86bfb6913a2f94485fe8813399ff6e00498a87d208c135b9d034ccca483515525dd26f

C:\Users\Admin\AppData\Local\Temp\swscQIoU.bat

MD5 89fae872d1c4a7e8c9baf26d5114e58f
SHA1 3b4fda669c768ae44cb5035a6ccb2363c04411d7
SHA256 03438f7d9e266dc9f4cf9e420960e1f29d0be16865efd78636d26d511cb17209
SHA512 f40c91ece85b0b0b6ed79fabd65f6074aab848ff69865ec781bff35594301f3535ad4f3aa1d25e62e8b1ce4f4eabcfa121f1785c748398e311fb295f6b563a76

C:\Users\Admin\AppData\Local\Temp\eMME.exe

MD5 5102874a112cb7f8aee283e275afcca8
SHA1 0e2a310c5824d7a4463c0ab67b0c7777bbf27293
SHA256 0ef807c282abf11614ae30a722201921c8e8eeac2f658f1f596b24f3206abbfd
SHA512 c02169d0745df0037ad36243fa0a98492fcc23b0ca5543c28614b55ac5fa2b5a3d6c1f671cfda575d9ef05cd6219fcb7b10089cccbdba543b0ddfe5dc67e0875

C:\Users\Admin\AppData\Local\Temp\ewsy.exe

MD5 5f6cb4643ec38f78bd4ff434450b70fe
SHA1 22f42360b0b27d82f5a9b806a070a830e0c027ad
SHA256 412bf79aac096fbf413d239bc60a82b59a79804ab4524443df2d8016dfe5db8d
SHA512 bc0d11e9176f39438d40c0a59d381b6b2a3ef4b9eca4ab6664610e1255a26bfd57f6c8e0bdb0da9acea7a86f616db31ac562306a50fee4a8167a198173a14f57

C:\Users\Admin\AppData\Local\Temp\uUoA.exe

MD5 20d090f344548963c0ddcd42747d84e3
SHA1 b3845dd87ffb1a9b4334c8da0b67cc75391e4893
SHA256 09d9a5ad1c91044be5dd09758ed91db3738e2c36e8ac1906ce532f36515d2ed0
SHA512 6ab998454b414e956714b9897a5d997c6a40aa2ed2950d23463a0c19f092d318def895c3ca7a0044b6ac37be8ebff5889743ae5c5305d15fab4a0afd958a70e9

C:\Users\Admin\AppData\Local\Temp\OCAogssQ.bat

MD5 23b6eade36929ffbcdf76e762f0544cf
SHA1 a3cb0f0e1fb5a6804f988a79a25ed2f8bff3595d
SHA256 4f3121c62025e4f79f29ec3c8f660c66261e6f309f1d80c840acb22e3cedf372
SHA512 10518fccaa5f13549af685387bb6593bdb2247fcb117d2e1e8fcc562b8844b7a6024ab779ef9cfd2a89daf1d49aca072c453ab47eec8861e96a538f4dafc9642

C:\Users\Admin\AppData\Local\Temp\qEAq.exe

MD5 aefacb2450585588e1534da750150e60
SHA1 5b5d5d80872d7ecbd58ab35a4f62cf6f573ea515
SHA256 a03e309c5cb30ae216c71a9422f720ed8881f0db1499f1f06ed8c2e6bfdc3f9d
SHA512 b43611925ddbc09f37e4d8ed6bbf5b1a35a2b5ddb9b9cc565df730f89e8268fb33031c531c2c92dd888358617e89777528387d7695d26242f3617378b56ed833

C:\Users\Admin\AppData\Local\Temp\gQkI.exe

MD5 80fd1b753acbfea6f163341ebc5b0ac9
SHA1 fa2ed001de018d5876474e07b5adfa9d56383c2c
SHA256 bbe8c4fdb1a55fee67094a5c6adf6e9f175ab6e6ecfce029380cfe44a84b75a8
SHA512 915c43fdbb2d688ed4d820ba0723c558dce293a0640167c8e960134e5a066d8d5966d0730faea00a4c4a65063cf3a37565abdf104880b080337a7f55dd5389bb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 10ae95ea6cffd0ca35fa8a3431923096
SHA1 622167fcffd8c80465ed4a894a116cf1c723a2ac
SHA256 91d3a7b564f0572f08fa7cd4e25f41d2211ecfbda9eb58c265aa3d32f7a5b282
SHA512 ca565e9b5c72eb15fee6cecfb5c35eefa3d451fafde7d963f7832264348be3e59527236729233ef4ddb3321e2db58361c0e2cfa2791f83a876564dc9ab1f0f12

C:\Users\Admin\AppData\Local\Temp\usMMwwoI.bat

MD5 b4156b5eb80a29ce4b9fb39b843f8a50
SHA1 7538f293b2a562120ca203e35140c2b0fc399a71
SHA256 270b19a4507deac44766158c358efb05cfb766f72d75729f1317344579383fe5
SHA512 bf320802af32f76a1466489b6de03bb176115f4b0f5519b62f2ae32820c0c12c7e5b46a774ca5ae0feef803f92553cdcb2eb5dd2ecfafd2b25ab1e4d6124fdba

C:\Users\Admin\AppData\Local\Temp\osYc.exe

MD5 28a240ceff1d1a984e2e3906b523f518
SHA1 89db531174b00bfc8fce4bc5ddee0fe43424307b
SHA256 399fd44d0629ecddadebef685684802544be2e23dffbf975faff84003735b07e
SHA512 5a4bd4549a502f4d74415eeccba5c4b39bcd620cedb6f4fbe5d8fce42548edeb7dff54416cd1a3cf4ea7273075303ff26084223bac8a56cf446b7a8c894fdbb3

C:\Users\Admin\AppData\Local\Temp\KEAi.exe

MD5 4b64847b2f7b1b06b0f444cd8727c613
SHA1 4b27124c6599c5effe6fdfaf9e83546cd0dfa7e0
SHA256 2c997ca0ceb1fc87dfd3c7b39d8504b9c37ccf6f2d58eeee0ea6e277e0a0be6b
SHA512 bbf3631a24bfcbeae1e49fa6c1b422b304f31bfea84b6e300c95ce9804219257bf1863aa672779dda03327356fcc74e0fb5b432520e9d4bd888e37082878ca1b

C:\Users\Admin\AppData\Local\Temp\qsMy.exe

MD5 dc51ed50288a950e04f601b1fd1671c1
SHA1 6f87c6995be63950ac0d56cb314810bb5ee3383b
SHA256 03e1aacf25c53f50270b64a0af0cdf6a68fde02671f225fdfdc832095550072e
SHA512 36a27b69d7b41f76993f574d247d4017d5207d0449ca133e32cf3f378f7a58ec07ffc6ec546347c978bb645a1a1fd846b089e642e35b81015c20001bee445bb5

C:\Users\Admin\AppData\Local\Temp\SYUA.exe

MD5 8c7bf69b5d41f61ff730c703b2628cac
SHA1 83f196ec74f7647957dc006f57aad0adfe385b4c
SHA256 d835e21a5f59fa9c000d1d3dc51dc8c30357e6cece81974276fe6bdc2ebbb1ff
SHA512 e92c9b69deef2a128813bc98a80fc36180dc91bb24c7ba854023f61c35f9a6ea483e86adabe3d863f89f4a904ae6d622e64bbeeeb537a7465632c157e3c9836a

C:\Users\Admin\AppData\Local\Temp\Mwke.exe

MD5 04ff8deb77f984cc17a47241922da290
SHA1 30b3a5ba1b2b41b7b23600aca07869265ffc5ce4
SHA256 9cd93ff7c0384cf754160def3d4db42b1719132e89bebf335cba8f1c79dbd4c2
SHA512 419ab933f3ec4adcd4f4a5a84c5f84dfdbe6f06f6a402d1f16ff0cfd394228f76dc442274b2930a5fbe899fc8406d2bf28ba34f13d324caf51b45be7c53e6158

C:\Users\Admin\AppData\Local\Temp\UCosYkQU.bat

MD5 e2eec9059c43955eb65d2008cd3bda22
SHA1 cacb6536113e0f390009680e2aad0017fc8272bf
SHA256 1feafba930a21ee9077ca5cf9122066711765d33d1d23bb1a1549fe9852526c6
SHA512 68084c35d1fd2e72d98a1f5e5564c4293e5d7e00174621665025caf95359f44836127b8e28c035332962bdcf18ca834e6c48182fbff994bed4bf73065da27ff2

C:\Users\Admin\AppData\Local\Temp\KYoG.exe

MD5 3885c9182854730c76962f031d58e922
SHA1 cbce140caf6ae8d26a0bcfcb28d3b6d643f44dc8
SHA256 327f078057494233ff4cb8b301252c6a91302ef730f08382e0dc73995424e72a
SHA512 5648659fbc9e1440b06058fffb970c6eb0e530a71f98698f32b50e8d7aec28d018c6606bb248fedcb98121b0575800f4be916b5731c47cde30727dd61de790f2

C:\Users\Admin\AppData\Local\Temp\AEgY.exe

MD5 621b87e0a4f99b8d176c800508bd9c5e
SHA1 d1f388e3eced35d88a0f665c8eec7996e282f475
SHA256 80adeb058078e5c1f76e09a87a41ec0376372053ea7bd46af393bd7bdb310cff
SHA512 d041fd97b71049ce33311a3c96c2a190b1fe037957743528fae78bf9d46c3d7f00ac7a6957a41f06d977b8e77aa323aee8713333dadad62f0ad6f06d105d6d35

C:\Users\Admin\AppData\Local\Temp\MUMi.exe

MD5 37b229750dd3d06bb1946883fd1b354f
SHA1 5b88eeae1e005612a909f3c7c42d86a18173ceb4
SHA256 d402e7f0661623274d77e37bafc0f21008d37461993f5896f8700d6c13f649a2
SHA512 830ddd4af987794f0991e608a5cecbd2486a100a3f050dc836ec719b387ce346c51a1878ba26a34dc73cc856f489c7713edc767652e1b459fe037ef7af6d2dea

C:\Users\Admin\AppData\Local\Temp\akgk.exe

MD5 498b9a5a8c341b661cc757388ab2a9eb
SHA1 7c9f32c23252c1987dc7083fdc851bc5d72938d5
SHA256 7c200ee04afcb8aee0a9442bd787903f67a4a7e5f3f348f62547e74ff50a99e8
SHA512 cf1b340d0d780ea2c84bac1ff0f8d38d05fc88b5e925870d7edb71e8d6500dcf4f5a4310fc9fc139ceb24f3a56866905baff14ac492ef271b5b862459b939c91

C:\Users\Admin\AppData\Local\Temp\SkAK.exe

MD5 7e92ca6c2e9367e407ce28faa5fe6063
SHA1 77eadd3dd83a85d1f9a1efac7c1996b81d81591e
SHA256 7ad02833a4dad263cc3b6bd4b3f5b371a972f66b32485bcafc68a6659ea22c37
SHA512 8e9f07cbc64a89d3716ce363a176607972bef46642f18dca0f7ea1424d53626065702cdc823daf0300d0b98d2d93a77e3f28473cda0a3c229e170534a58d0c3e

C:\Users\Admin\AppData\Local\Temp\sIAQ.exe

MD5 cdbac7ff8910cc1ce325da81dec457dc
SHA1 7aa29c6ad4db4f0c1cd7face4309ce91812b8d0d
SHA256 9af97ddea8724df8fbce0e746816464bbb0bddf92f963f0efd3dae8aac0a9831
SHA512 5cd8cfc48086364ce75bdb94a99e8923fba214a76eded827b09261aefb5a07ac7900fe837db2b9c6bc46bc77017f87a53c35faad36d2ecf255b581dff2fcbc8a

C:\Users\Admin\AppData\Local\Temp\pkkUoYQg.bat

MD5 9255ba74fdd66e340792f31d8d3fe008
SHA1 0faa988d2fc1fd672836c8659efa9e130a699776
SHA256 e308e4687fcfe94ecc3676b5ddc0b8db8ea780499cad8c190cb69a00af3cf9f1
SHA512 c3d7f2c4c8add2df9e54252cb059955e5caf2a61e1178ff264caf7ea15ea9757b60d83cc5a5a21873bf5d4fced4c95ec13fb651da4af7ad104d669da9482961b

C:\Users\Admin\AppData\Local\Temp\kEQk.exe

MD5 924c0f1524de64f04357024360c8fd4b
SHA1 d89ca92d366d12f15fd10e216d37f9e6b14642c7
SHA256 f1df3cd7f340e6a9f01b43a079178d23d9e68fc74b7439a32d032afcd078e8cf
SHA512 b0f190337f54f352756d05fda37aba6525e365ab9b8b7c4c29cd3213792e48ffc038ecc1814288a69a51f212ed37adfd100b2a6d6ce4a65346f001decd43dfd0

C:\Users\Admin\AppData\Local\Temp\UwYG.exe

MD5 7fb1c22ea2785a4b029e096f14b6324f
SHA1 46a192d9cc48ad2cf6014d3f8cfcaad3b4b86a60
SHA256 ef46aae8fc5c6305d15e0b3cc0a0998fcfd6454ac599ae4639732ac05f84267b
SHA512 192bbf86adddbf1a501ec77ec94b98c23c7364564678c4ed3f1fdf003dece75431799e0f8502b21ec8cf91a98b14e597452f7f81482cb233cfc4234c52ccd175

C:\Users\Admin\AppData\Local\Temp\EYUa.exe

MD5 6b5da5d3b65f4d3a7caf550d02ed49e2
SHA1 65f9ae041be6c26a3fc964852d167ad92e4e504e
SHA256 6a941e5b32949f0fe8381fd13711d56b380e2af268b32d31afee023dab5ae246
SHA512 d3a7b92b672e111683ee7ea58e355e5a22e50fc18db547f2ad5f717f98382ecc71237f6c187a78aa7e8624767775b2d59fc6dd4c4c15e22c50cdc3eb389e0047

C:\Users\Admin\AppData\Local\Temp\kwkQ.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\mEsk.exe

MD5 b23dd3681161a4fa4df54e157dbd31a1
SHA1 780cecbbf8043d7a62ef962465a6cfb922f46463
SHA256 cb625b34b1762900265a2b646e1fc8ee38c1d522666ec7bac36329605a4df2d7
SHA512 22cda8295b290b73509a970bf4c78b2e444e6d7b871848c7b5fec4827c8346a621b438c5150bf638ea52989a2041bb636c0cd4a1cc5d177a8ada6deba0892bcb

C:\Users\Admin\AppData\Local\Temp\tgwwcggo.bat

MD5 816326ddb7f91a6ffc3f78aac3bb0a8e
SHA1 6da708fc8fa5ad997c8ed784a713be15d616d9b6
SHA256 3f6d1c52fa18d9d221c8dbaaad2446b70539d6545d312d8131c82e179fab8a2b
SHA512 60682e8e1b733acda884cb2b95958fe1c6634c7ae8268a0877fc99fbcf97529a0abf2b524dd1d37238461e988c953c510e4f95ac2815b363617490f9db8c97d6

C:\Users\Admin\AppData\Local\Temp\egoy.exe

MD5 dbf2182acef8a75ae274364d8d48cb38
SHA1 dddf4f64f1c01834cdebf379eef3d3420825e31c
SHA256 00aa49a9ece0dfbb0a4fc0bff893f612ab3be4c25bddc3630cce713d9dc863bd
SHA512 d6ae86c591ee2afd015b16cb011968764571d95d3160fec6acd65cda7b7ee49b8c454a3152f437b2aa9eb4452b02a6609b59df3967fff2a82657495d662022f3

C:\Users\Admin\AppData\Local\Temp\Ocsa.exe

MD5 052923a94ddfa60aaf95f2936ba74979
SHA1 641b7b436b628ff5196a7085e92b46d5f2321391
SHA256 002834092b7cf4d8095ca1c18e1ec43fb2d58aa6dcec9a663c4da422ace6a02a
SHA512 f89056d6058f76a83f03d46f415825d926c3b678fcc01e72460046d975a8ef60950330b4306567f58834f07bd358d4573b1c237d9b87e23507077595dbb353a3

C:\Users\Admin\AppData\Local\Temp\BUkIowYE.bat

MD5 b1b928c048669bb4feea41fe2ee8e73f
SHA1 392b543aead64e817d2afe1af19d139f30b068bd
SHA256 0063ef0ffb3f67d62d589162616145f8b24bf2d7e46a6717126e92301baf1ac0
SHA512 d861ccaa15daaa12372bfc9d72b2e4d21f7f1b360c0d938651e1702ba15de2c4f6c89f18956bd8d3b4555e27fca3b3406504dc5e325579140ead44b41edd58c0

C:\Users\Admin\AppData\Local\Temp\pwYIIMco.bat

MD5 34565ec61e12c50f5a43d35276c42d3c
SHA1 e5eb648e5037a5d669994401bdee9fd51cdd9452
SHA256 fd64fc3dc1b422831848631dde025e22043482fc5e79b1448a7eb9d0dee2f574
SHA512 d628fe79171b7c8091974fc0a58805e214f833b8a23cb9aafc9e4e25e2f321971bc0ed9428bc10af1790b42b297f8ac02922d9ec72c3212af95f48b8fe8c3ada

C:\Users\Admin\AppData\Local\Temp\buYkkIYQ.bat

MD5 c6c5fce46cd2f22b3db34b7efe485bad
SHA1 d7f039bfec4fd5d6996cf957e93bf7870d219875
SHA256 c8ccf4d596738e5e60c99ca3a5dd149f56b1918e0f3dd4a4c1122221873a2f46
SHA512 fd68eba8459f8e3937488a6c5bae3aba6c8a2b04d0c75bdf0841eeb94b3e3e9702c7e5dc37d38b52f4c39c56541271f536094236634da4e78779662965473b12

C:\Users\Admin\AppData\Local\Temp\wegwIkso.bat

MD5 040e4b47c1e0da2101631ce9e9f362d3
SHA1 149ceec7c9eff974050ed68fe218970f7ed87252
SHA256 0fb150fd30ac482398fb80e05642f865567dd126a874fa1e39d597601f8ff024
SHA512 37de9da8e4e2dc28b0201bccca2a6f1f7deca58717d1d3e8ecfc5211cfffd96d00791417c50a78b8b8d73bd27be90de13a567e0e05517d4fc598836252f7ef82

C:\Users\Admin\AppData\Local\Temp\EmswccUY.bat

MD5 7ef37e122c32167820c6132f220cfb85
SHA1 0733f436645f8979d54c83552e69d9d4db893711
SHA256 7a32857ea35a2ae561ec187fc05666d2a18db967cb6fa4ce3d7d081b117d757d
SHA512 2a9168081bb04493804829f1824264a6c8e00fe42b6902b1b69756aa3b80b741b615cef2f5ca42c48e2016bd3195051a4863a0081c8437b86bcbce1dca8f592a

C:\Users\Admin\AppData\Local\Temp\uCUIAUgE.bat

MD5 0c53425352646fe1fc5e4bc1f9264bf0
SHA1 90144f25e845a86df4bc5bb4d7a4b5e045636b95
SHA256 7931f164663cdf1fa21200540b19cd404d3c07abf94982d9eced5fa916e095bd
SHA512 ed6801ff22d25dec52e3fd0b154c53512bca0380805aeb335c4f10115c653354b9f84a7dbe69889ab255eeba45c4e48255bb1a5ac4ea5edcaea9e4b8a8a7ad4b

C:\Users\Admin\AppData\Local\Temp\USAssUMU.bat

MD5 95c305a979280d030bc03ab747fbd891
SHA1 db37161ea955f83a48ad7084eff1317874190e28
SHA256 471d971b599f2c7bdb5ac6fafe5991b109c7da18072b2366a4f40f60dbe0c5eb
SHA512 1701e1dce7c5938d72e64da29aff41d7f21e60da60e604ee249712e143984bb33646e7e7f72dafe139ce1717caf002b53b7e6e594596538cb54e17e9e1e57551

C:\Users\Admin\AppData\Local\Temp\jqAQgYoI.bat

MD5 9942111cded3e12ce4a585e98a9b7a0b
SHA1 c12cbb24721cd0e8ece49d0fa216ddd89693c242
SHA256 e1570b11b2a9682fc8f2f7fca59e30ba6878c41d41bdae8f1338d25be37e1a76
SHA512 61217b26d394d452ab3d52599dd92aaa01807c58bbf8d20e7cf7bc2aa8ff912785f915cc180f28c4fcb5ce26fceffe33a6e7fe6cd809122ce703218518942a82

C:\Users\Admin\AppData\Local\Temp\VcMoYssE.bat

MD5 3d7ce9d142d5632114872165a5100da6
SHA1 e6a8f315200e6ca5577845ee5150828f7e9502c8
SHA256 f027f39e6252de31c21530c40cb3701c3469297300b2ea450eec56e11fc01fcf
SHA512 6d3d799549b47291e431bd10e7ff876f0489f3bb60341511ca2c56796cdfdb3a08a408e7d17cf3c310deaf73b358961ab0f0a2e21b344c35b14255598fd23c8f

C:\Users\Admin\AppData\Local\Temp\lGogMogQ.bat

MD5 5e6837fe6aba622c8f873d1ad340073f
SHA1 c11f200813b2f5a556fc7e7fd5f2cd0bdb3e96db
SHA256 e923ef0f05dc429b999e6140b8b049b996b27093b3d4aaa155b343ef36b1acf2
SHA512 df8ad6f8c9c56375b4bea424eb809270131da0b1fc17e1feafe64ac5bdbd9d1fc5de1054b1222cd0535c2288c285c77cb53c4c8b9983d8798565e807f6df34c1

C:\Users\Admin\AppData\Local\Temp\FOUoAEkw.bat

MD5 dfdb6a36fd4e17e0535e0836568665c7
SHA1 504bd7cfb3dfadc8fdaa90b789fe427745ae77ec
SHA256 e5dc1864d178c744cb93497b9415f8e73c69078bed23156b51527831e563d473
SHA512 9264684b107066850070a79da191510879006d70a003eea34b57df850edc7ce9f939160fe3a4e7c7d19603bda8260277a7ca105d3f7764b50b4c37a9dd2d6f8f

C:\Users\Admin\AppData\Local\Temp\qqAQcMYs.bat

MD5 d8babe98ca854a94212b34b5ae767713
SHA1 602d1a3abdac7f20de70c3d32fda2517cdf10f81
SHA256 820ac3967358e9281d8d29ed93efe2885db6b7fce28ed80d2bcc7e4bcf2b09fb
SHA512 8e42c81addd28331be4c88431512b90f0bf5a3d52906cb75e119c92d2b14e413ad584b92b924c0aafbc860c8d8ffaea56c13ef20c5a04befc1a2869b523b3dce

C:\Users\Admin\AppData\Local\Temp\Wsso.exe

MD5 bdd4a547a9045d8af21a51572435fad8
SHA1 dba09f622f292b1cf30bd2ce482e52b28c7a8b52
SHA256 a57c421f7730ae34f7a9019a7c48d6cd7d072af537c7decfa585d1dffa38b948
SHA512 59a0093eb9fcaf3cee7563b24d37774430979b0ebae08cbfc1f1282c4830909a63e58b001e8c1a66f6df57aa32748c93aef4cd5461a79020d05a3960b3ac1584

C:\Users\Admin\AppData\Local\Temp\sIMS.exe

MD5 2ec21826109a63e487fd41d9fe47cca0
SHA1 1075d07e1d4499db083b433cc30b4898bce0778e
SHA256 de46d75a3750f8b9c110002e1adb4d270e82c5324a42442389a7fb14e2854448
SHA512 ae3340183c06ec138d74047835e21abfc99bf3fe94d050f99c3f324dcb44fab70eba6749d9487c4c3884afde8508e73b7fd71fa8a442a8b26a67f6f361f5a155

C:\Users\Admin\AppData\Local\Temp\uIMe.exe

MD5 3fc5220811851cf4f7f03d430fdaac1b
SHA1 b07a5bf3c3f191df416a22b639b1daae67bd95ed
SHA256 a7982615326db03cb01c7cf358abfa25288a48a61b28ba9e3ed1002690e75b35
SHA512 74968f573f3c81fac8cfc3716b97bb6a2af9edb0f40dd733eb88e4929258e50f9327e771e97bb341daba533f5d2f0ad6923ab1a5c8d6a918752a7e67911c414e

C:\Users\Admin\AppData\Local\Temp\UoIu.exe

MD5 f0feb4bf2feaf9fa58bdd4cb7068de61
SHA1 39b9fc1615e8cbbe27b14aa5fb2f1d98ffc5f089
SHA256 dac2da7811385002e08d359ed4eee729651c5083a91c024cd6a210761a4160d8
SHA512 141328c7da7c9a09c0cd5e4dbe1e666665c8c890faf7882773fcbc1d5c2a340619ae04ab7d3263e30c30632a00787487f86a1fe86af217c58640c5cf40de94d7

C:\Users\Admin\AppData\Local\Temp\EwIq.exe

MD5 0394b0d953dc815de6d2f692d8a3518f
SHA1 57d92219947b263d0e9b8c8fee1da8ccd7da5c2d
SHA256 296bce8618cabef51eb388103f581fd0d7d73142a6b0f16011d88a29f60fd816
SHA512 3bf9ba86f1b37ee4fb18b9d8eff30289890b064d5ad3fb027c33037824e5c63f81ef068f6f5ed2d41fd38d78f62152e31f3e94b1255f6337575059bc346ef70d

C:\Users\Admin\AppData\Local\Temp\awAa.exe

MD5 3e7cd1921b6a20c9ae428d747ac454f3
SHA1 76311eb96a4f4058dd18cb28ebd6996e03c06164
SHA256 61689c6141a874cbe3d8e6937cf9e1dedfb9d1dd4c655a260c92e50dfe807ef3
SHA512 176ac034b19af3d51c2ece8abab4a15155450575de5a4f555914ef4841ec9ccd844d1c81b5e56c01b481f92139c6b1e20b99d9e172315e4a7cce634960e849f4

C:\Users\Admin\AppData\Local\Temp\eCsoMgUI.bat

MD5 db1a0602892493e96033d1283023afe2
SHA1 f9014884a85ba2ce0bc42a3394d318c801e55b54
SHA256 a7aee945851113cd0ab6ebea6294500b43089e8841e6385c0e4716bbd1c52517
SHA512 4149271f9889644456cd401f8fd1c6d2e9d3a644e96285fc719be21f4a039265432364a97bd5263b2fa086dff3a2c7cc0e2138bfea29efb5e96ef52b38179871

C:\Users\Admin\AppData\Local\Temp\CsEM.exe

MD5 156c6fbcff3c9e88d5e0ecd969740e42
SHA1 6d414dd1a21725c3d9d175f45b1280c820326591
SHA256 5b7e6114f3375ef17dcdeac9acf5bb01a85e705fce9c86b399eee7486190b319
SHA512 055104104778b64c2046e44d6ea692f505aadf878801e4662de52a9c126798203b238e98e8ea304af70778d0c4adfa2ee741c5fc54827f7d876fb286f4e39dbb

C:\Users\Admin\AppData\Local\Temp\MAIY.exe

MD5 e4f996d10b33db68633d1454979c9783
SHA1 c0ec325b818ba6c5a3826c402ab517a0ef9d0e4a
SHA256 2599344f021e9dbd5bf0041f8716117f5f1a4903334ce73861552fd42b515a36
SHA512 6f92941c2f9808cf5d7a0d39a9321b53cc364fbd549721a8eb59c620f74ca7c159b54decde9c3a4e734f7cdceb9398cd32844490e6067fc949bdab7429259daa

C:\Users\Admin\AppData\Local\Temp\uIQY.exe

MD5 760cfe44f04292e55594f1392a576a32
SHA1 33c4ee1123b5b52ae7c00cbd7b94427669984b3b
SHA256 4eb231d3564acade8532e6a01fef5593ba257cd3858a55ac01f48466be14698c
SHA512 0a0c21819a98d2089675545536a776d4f15cf42dd2e07c182721b6e272d97eb1faa326cf5e8c5a7654fb2a9514f3589d5dccb81efa189a363fce971519cd00b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 7891aaa28678ba11a8b2b3642908188e
SHA1 191f3494dcc5a2d2614217a2fcc188ebdcb713bc
SHA256 d778825ccda414cb36cd56ab927547b4e7090f72c199de96d670e722ae7e775e
SHA512 392b0aac62601da1411f8a7b84384a672653a624809a6b5bba30b7d57b28ab3282d54822877077cac98a2b42d19a6e9bf53a08e2577174e694380c6a4d111edb

C:\Users\Admin\AppData\Local\Temp\qAQa.exe

MD5 a6845c43bf9c01d2e3e2d78c43fa36a0
SHA1 c6fa8cf599c483461906c6f19d3f4f505bf0d38a
SHA256 84265b1c6f32239cb79e0ce18077a02c173cc4b3abe444258358faf75feda1aa
SHA512 5a8bdc51516b4655b8f3d1e8a4574f15188d9f75d1d885d47c32ddd4330dec26ae09c2dcf71f9dcf58bf95ad864c2185a24f93b4613e83cdc2fa3a6c6a072bff

C:\Users\Admin\AppData\Local\Temp\uCIcsAcw.bat

MD5 1f2746c3962ae4f82cef8ef3790f3846
SHA1 0270a080a4baf4169726fb00ec11b4f9dccef90c
SHA256 7d4db17e29c59f63336e7e4082f5c61bfe051ac79e48af732ba3a4986c98bf58
SHA512 106ad9ef5b92d8347684421e29c811a3e720bc23ac5a66e7870b65e705e93f34e8ce38dd3a8fbd1f35c6fbae1c14da2c288c44aa4d3c74072c255337c7be86d4

C:\Users\Admin\AppData\Local\Temp\iUoy.exe

MD5 297fa5f47dcc775d7e0eba3569f182c4
SHA1 b727fdaab6f92701a44485e07037b680d57642b7
SHA256 f6eb0f7cef8303916e3e63c9bcfdaad7311bbdf156afbd1dc8155f1c2349ba9f
SHA512 f8142727ad687b7ef4b0dcdbc39cfd10d23f59d54dc44d669286c83fcb80b806671e65d69bc332884e1757ca7b6ed21e901ee5bc8b946b841c2b12487d8f48c4

C:\Users\Admin\AppData\Local\Temp\kYEU.exe

MD5 ac627af4e4497557628f926a300e67bb
SHA1 580504f56af7daee99be52a361cba958a5e5288e
SHA256 c2e85aa240cfd4fd3bfb35ed98dcdcc7facef73d782c64a76db36fbe40f5af68
SHA512 4a9ef88ac4bcfd9c9580b67b466f79fa3a860de621bdc55270a0f13a7c6c288b6da344e18c100ab4c5186b644af44a83eb911934b353054fcc556daf3702ab63

C:\Users\Admin\AppData\Local\Temp\OYIe.exe

MD5 f9eba1871c6aa66137bbecca5029706d
SHA1 e5c9fed10e1ecfff396194a20adbd20750766839
SHA256 b48ee4f9304922031aedcdb28bab02da5045ec482aac2e78465f459d019ca309
SHA512 7fa3d39225d7b41a72e3f8bc476683488e0323e4f7dca3aa5f6a2e7e74f7adef11608ed0ffd9619d47881502384d6a9be3420dbb1a83f6be46fe8476d76b65bd

C:\Users\Admin\AppData\Local\Temp\IIkU.exe

MD5 e979cb194010a661492d185e93baa84f
SHA1 d75391af3a6fbf51786d921cb2136f454549ff97
SHA256 4ae5f34b123175b809dcc364b54816813ca666fe17136bdfb304b5fae5b29427
SHA512 96a8fe96540da20be6472adfd35f45937a8ee4dfde2c22c4a5b3b3f5038fbcf32bd7a32f61b9874094a06bc80d4699e2ec0d97b1222ab66f0efc3d8a34776595

C:\Users\Admin\AppData\Local\Temp\kggogUcc.bat

MD5 7018592246c848a31bcece466e3c1387
SHA1 54b5d51fa1a693c52109c862be55c362af775f6d
SHA256 f7b0f6a9915c8274bc435cd7e75207a673ec8ca643083dda4c657322db9bbc26
SHA512 ed94d07b4f59b4f9dec08498bae49f94f13cc39e67d7f0835b4566ffb5ac01a0af2f1cfb58c1d5700aa08aae5c2f1067fef6ca782a5757ed4489471b66d0355c

C:\Users\Admin\AppData\Local\Temp\QEgs.exe

MD5 991825ee8ae332b43f76b66ddb72ffb6
SHA1 c6ca1ee79a05777bf2baed336a8bfdc2b011b3cc
SHA256 55e292f4948baf96cc0a2973de17e64b84616f05945383136dc0d5ec4c454a29
SHA512 f0455dbaa9fc18682451167511aaf0e8681848f6c51e976888d6f996747618be2a0a8fa32a7148319ebd21a02020f60bfc339150946d9c64b3c99f7a41e546b5

C:\Users\Admin\AppData\Local\Temp\ugkS.exe

MD5 dbfd8a9896ed0283d35e2456204a2735
SHA1 0930785b2f9b3dc6799098ac3699dcc22a3bcd84
SHA256 ab4385ded8fcbc5929b27e88747c924ee42f6e5e5aa672d426530ebcf2729a47
SHA512 2d64dcaaeb457271ea8eede589067df0dc3d2be31f2e5a11143c5c821a5ce1d84e112fcfcc971c5cb342ce37121698b830aaba89275936544e2c7408e8d3d742

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 d6d37a39012bc840e495c9a4fe09a294
SHA1 47e11c1d646a80923e6ac2a44e0bd6f1e5b44a88
SHA256 436d75d61d773d0da1c592b823dc8300270a82ddda7a2850505c9828ab87be0b
SHA512 98eb15e2e874cf83ea59869db48557d3ec40c2f21a7264bd015d633c9dc3ce638db08cd938e3e3874eaa22dc7f60d720d57abfdfb60b9f7855278b5a6efe5403

C:\Users\Admin\AppData\Local\Temp\IsEs.exe

MD5 c60da71e7f4af4ef98b853aee0b72722
SHA1 085611dee6aa8ce9b24d60726a3a0b0273318203
SHA256 816515c9ed9ba61e12894b0535edd9b89b4a91fa3548fdfff5fc11bd84293fe1
SHA512 ee8651edef1cb848edb6dd599c33054f48d1b940bda90fa8559bb25072fc5b5f38ddf834267976dc5b2765b917b168b387e8d621a6842c54c419fb898850ca87

C:\Users\Admin\AppData\Local\Temp\HOIIgQMc.bat

MD5 7cafedc3241957182c55d4c2f8cf9469
SHA1 3b2011e7dd2d23262d16643ccb41271a2af0d955
SHA256 9526f5614e9674da2927f71d6bb3433aafc5c009e4538e6f5a95b3553a08a2fc
SHA512 eaa3842cc9b56612053b3e56e08f38d3b310ebd5bec999144068aac2003b4dc3bef04f3a7d638fd94539a99884fe432560bac22dfe02c56558ef8716d7f82a1b

C:\Users\Admin\AppData\Local\Temp\Wwgy.exe

MD5 d9778d77105333cacbebaaac777b335a
SHA1 3b2bf2bafe85a66637ac3ebadc55fca08822107e
SHA256 8ba566fea0cc0e2ff4c2552c98c713a22088a55347034b503e4cb027f8e5eff2
SHA512 37487fcc7580fbc8c3162bd5fb5cf9abcfa49a1aa9d64311e729ee3b081031757007b78134399b457e3edc11de0171d845feda97cb7980ed6ac001c4b15379b3

C:\Users\Admin\AppData\Local\Temp\iIsw.exe

MD5 9a1ca3fd0a8571a9e7d61c10198dfa0e
SHA1 81cb6c30d0e1e43466e85d6206f77759d040cf99
SHA256 731dbce12162dae908c89caefd132161c7a6e090aaf4e2fa7b234eca263ef154
SHA512 e27e2a554f1dcc517c5b6ecce268f4f6354157e33958c3dc6fa258a88faf583a5fe25c52bc8fdaccff1fd863ad5eed409d03bea2966961472ec0ffe521478273

C:\Users\Admin\AppData\Local\Temp\igsc.exe

MD5 f13af11dbdc971002b86d833ca10a26e
SHA1 d2ada5d39f7f571ab5287ef682b6b3ff934964b6
SHA256 c3ecb13a8cd790deaddbb80df89696facf43243d6726014914f5823d6577964b
SHA512 b951f2e1d8dda6e471a63133f7d95352ddda93f6d88025b9cc55188870106affda4910e9932fdf67fea9d6f305dc6293c3acf6a25762f5acfd78e7b0b5432681

C:\Users\Admin\AppData\Local\Temp\IEUm.exe

MD5 c16f4e4526a110ab6ea7f28080121dca
SHA1 5fa8f10eefadb65bb85264c6040aab6e49114fab
SHA256 40c4de35a0a54ff234d171f1173179bc64781099c6e6d99425ecc8e7dc6bfde3
SHA512 9f978666c60ebc03227a27fa2c99bde1068ca2bffcf7a2f7985ba8baadc6a242249c6f5b9dcb388f4db16459ae4f0137b751920d63e26e364edaabfd0a1bcf82

C:\Users\Admin\AppData\Local\Temp\kAIu.exe

MD5 4e887e0d495957cf60efe578c0977d70
SHA1 e576361a34479ef4ce3e6756b154ec6069db256d
SHA256 070a023b2c8e6d34fae6f8ab36a0734a8671077d7461ca4b3cfcf2eae61e4ca8
SHA512 de09a7c54f6344f6ece02c7c8d5c646965a8882686301f0631c4012d92badedd69193b6c084c448d89946e63853c633f783df60c7f61396de1ed3f43e8691752

C:\Users\Admin\AppData\Local\Temp\nAwYQoAE.bat

MD5 9e38091a961e201a11d3f86f7864b0b2
SHA1 32f5ad72b003229c3c992ac86e851378ffdf1c48
SHA256 b228b62c8757f8c9a642a3d9221585298e4fd1ef73e68269b917d9d3766883dc
SHA512 df0696d8026873d6c5a87b85b7bec52b26ec32d1cb1b6802ecdd3b82b3193a0feec8524b5a9d7ac2d7a2626531904888680568faa684d687a6d194da5d0afc80

C:\Users\Admin\AppData\Local\Temp\AEkG.exe

MD5 0b500c708c8baadb93c3bdce8369270b
SHA1 647d42a5aebb33c353dd9168c167fb91bad1c000
SHA256 9ffd8ef3b9a1c70808347bd03e249f4c67bb2666445698e2bc387feab3b004c5
SHA512 9e171b19cf3ae607fb283015dcd9853e053d61ca2b2c20890cfa6c655a4632946c66f52588cd5b0c6703babb1b2b132d0096aa0ab825e0448027c9de35702fc9

C:\Users\Admin\AppData\Local\Temp\pyAcocEo.bat

MD5 801f85f2466f980cc889274b6f19d12f
SHA1 340c536937bdbac4174b1dc1d7dd71580434e985
SHA256 5a3744dc9dd6980514b24fb71cb190dc0ede65c81b1b792b9a16de4da6a3eea0
SHA512 018d6adf5321f028b8e2a581a262a652fd391d63ac55ad33b92873d0a5ab200ad9e412dcbe5aa70da66c09ba5408fa90c7031a8172c04ac3095bc17846422b28

C:\Users\Admin\AppData\Local\Temp\eIMe.exe

MD5 b915133bb4161f0585d6121bca14c1b0
SHA1 7cfb9d7fc1b0926db0a9fae28a3a97821b047214
SHA256 b4e1f1a991fe1975327b49b8f8f69bb725bcd56f5790554f7718626fd45ae7d4
SHA512 924bb67e2c0356664dcd1a8af295426d87954e64ef5e983afe1788c8cedf46534118e07d82ba0383f930aea50d367963380759ca1a8195185944abf613c431fa

C:\Users\Admin\AppData\Local\Temp\wkYO.exe

MD5 a71178472354d62411965f850cdaa3f7
SHA1 d4ed72e8749425b86bec1e8a372e2afdc77c3fa2
SHA256 4e01a30788818e09d5e3c310004cba189c78ff179e436c3e38486d85758abf94
SHA512 6401b6b5a184c28fbcf69c17a1a1228187402f7e8d3da1c5088c6fdafeb988b8f2c5e7def2eb11fcd0d80bf6cc7e304f1cd6a694cff953931d889650ab391b66

C:\Users\Admin\AppData\Local\Temp\aMAgAsco.bat

MD5 8de7d2b9b1a1c56c542a1e57515f89b8
SHA1 d3e5d5a199dd8188725062f7e660b48ab3a2faf1
SHA256 449d490c5098f9519c7e38c63437bfbd826d2a17790fcbefa445daefbc759b44
SHA512 99a6a2bd888793a9250b7080f77d347a76afa29d48270489c9b33504a15b843686edb1994b9f4764c20562874c4b08d8764527a328bdc347d1dd1667a7b3a4ab

C:\Users\Admin\AppData\Local\Temp\gUccEMIk.bat

MD5 1078dbaff315425f98de716585e052f2
SHA1 a01f0fb3a48aa98a5b87919642209f0ea160a13d
SHA256 86adacf5ab2c0902c466963ffe138219ec9b30abcc2bbc81f59a855310ad5d04
SHA512 83cc58ecdd4ceca66725093b04828e4d1035c49240175393790f4e57fbd33a657b0e6c330ab403c06a97d8811d67c98b1f103afbd1bce08f53ac4296a5283dd7

C:\Users\Admin\AppData\Local\Temp\EsoM.exe

MD5 632b37cea7b2b8448169a7f66221145b
SHA1 8bb897d813c7c190d702dba853a8abe9dffc7b3b
SHA256 f403a7606180164c966ced4721ff9aa075b28680b22cb277ed7708a61592276d
SHA512 e1b7aa0cc59f736ea283c17bfe079f25c7629a0de106cce3dd74d747deb9803f19726810c854bf1a070fc16849682b7edaf2437b07cb54fa4457e32be5df92bb

C:\Users\Admin\AppData\Local\Temp\AogC.exe

MD5 b0ea19df82171985993ae3ffd7c039bf
SHA1 ea3e42680949d131b7ea21361bd4e7804ed175ce
SHA256 b4a49594c6d57d6c7f0d0950267875206405c5324755cafe5cce55a0bcbbd952
SHA512 e3eafe043de160a04a313157e637c124733d73c1d06b6b6d80f6c624db4df1dcad9f8e91f03400573fb9316f72c9afcab005d8c67ff6a4c7a6715aa49678fe6d

C:\Users\Admin\AppData\Local\Temp\icgc.exe

MD5 233c90f457eb52f8d0ae41d90d72155a
SHA1 11a0f151a34194706dd07ceb221b559193e0987f
SHA256 d6067e284c95f6010e4db17747868272bbe4cc4653c6c8466d8cb645ae9c74d1
SHA512 c02faa9ef4c2afa28c8696bc20f215e9b1e5d0559136f99bb1f41dfd70f4cf322fbe9df5de096fc4467f733c6bd1eef13a4461c98c6f36e4a88d629c28745b4b

C:\Users\Admin\AppData\Local\Temp\wgAa.exe

MD5 40000f576c4013b3cc172521099874c3
SHA1 a04fcbedad95c2df79da81d57c27d67f65a3e0f5
SHA256 4350e62324113a881eedc8b966e9adc9e89a2023db6c1fa1b5db933353839db2
SHA512 452cb66a9532b935f14a8f6c3bd6dd5d55198a23e666f6fb12d7105799693347e4abdc798e249e799fcfcf87125962149efc7bc7932cfd88b089c76b57a40043

C:\Users\Admin\AppData\Local\Temp\moUk.exe

MD5 3be806f8d0ab379b9b7dbc51712e4c17
SHA1 90ba9372c6b3f2c60adbd962169cbf2050258cb1
SHA256 edc7495493c2101fe4079eedb6f908637219257c5594bd2b7bab3f3dd78678fe
SHA512 4b8472f2c532bec73a0b27ada22a2fa558ec32d42d606d163a26722fb67738ebf13d4c91c751c0cc65a499692dcec2542ccdcc663e28eecff7150431a44c1b68

C:\Users\Admin\AppData\Local\Temp\ieQAcoYM.bat

MD5 8017ffab8887e23e7973174fd57d415d
SHA1 954e73d5a1c6236be7a922513762829a4b6e0014
SHA256 3a1ba3e8536493e77c0d95a985d8a334b369c232fbd32c1a75f797e91e88b9e9
SHA512 4369b2673ec4bf6dfedb8527332ece675f9133378cba3b296b23730aa4fb40972426ce0ef9b7a704f9e3e75e4d30b33346b084807f6a1dff70558abfb0ae8305

C:\Users\Admin\AppData\Local\Temp\WwkQ.exe

MD5 63256a556cf1e54e01aece04e601ca48
SHA1 06eb510e4a5fbbfeabd70dc4000ab1cdc89f6839
SHA256 d696740a123a4037a21cfd2a406168d4d3663d84f2166f7dd1f57e5f1ba0add8
SHA512 733f8d4e68cce288909f9ec3842af2eb49a57b421a52ba85d355b0b9f6305f73a93e1d69037929674a0045372ace023f72147102d550ac228bae9171a8c872a9

C:\Users\Admin\AppData\Local\Temp\IgEo.exe

MD5 14fa770ba3fa893cc1c9b903501a46e5
SHA1 820bb4d6f13cfe08ae0bf85d7308336133a8a5fd
SHA256 7a2c2e0d8687c4f1dd304703720f9ace4c453d2737aa41f9976e93d755bea02d
SHA512 581a234ac2e5204d416f25039f1d541f1681db5c96fce10c6206c7ac726fb2e7439c4295f1aecaa84862d9e810e275a8b85d5e721b9b31fe4d7923e629c0b6f6

C:\Users\Admin\AppData\Local\Temp\kAMM.exe

MD5 8ff20b12e66a976d848b5dd5eacf41fd
SHA1 ce77a1c55b082a84522432d9bd190ad2be6d3b31
SHA256 58be40833bcaf3bc204a0bbb3617510cff22dfcedca84b77875eadf01433a72d
SHA512 ae294957e64117d5a30451c06daaf54ce59d2b1d1a93ea67a12f763f7ae14ee80193e55d29e6408a9f9d95d78746426e8c059237827c85e8865bf5c846fe456c

C:\Users\Admin\AppData\Local\Temp\EQIK.exe

MD5 b316b206d5c19d4f91726ce9bbcc50c4
SHA1 f23d710e5721ed73dc804361dc4b9bd6404cff44
SHA256 e75c47df7e90a929a84d9e86e49319d3b299b26d167df656aac9fa0b8c0f3251
SHA512 68dbe6b6e6185e0709f1b2ab8eec2a19d64a96f184b667a4fbf8ab811f4985a5d53a92de3ab5b9ab9ae8011c30cc3168759200e9b3f4d70748709982f8383483

C:\Users\Admin\AppData\Local\Temp\QIQQAMEY.bat

MD5 55e47ee705da72e351e4c2bc0aa5737c
SHA1 bed9a5326d061270a3481a11b5a7d0cb430401ff
SHA256 90080155619147cda18af4947e3fca635bfad99cb5bd22dc215b4e24db9d0285
SHA512 74dd4be00c96cabddd0e481247525e2f4615bfbada87b6befe32b6712bbecd47d4febddc65db312f22e381bb58c81407fccf36e7547779d061a092fb0c45557a

C:\Users\Admin\AppData\Local\Temp\yooI.exe

MD5 b1fde9f557494dd97824542831e5420d
SHA1 297192095b3ff35ddf46e757a026bbc90217b52f
SHA256 63420200dd54f464247d54d7fcc90d7a92b891496b5e5bf2ed673d7c45f878f4
SHA512 9cf4f0127cf3f0604018dd9e27074969df7762643c8326730fa422a179eea351ab63ac500b8bf3e647e23d5cb29a1b981d1690414d5e9bfcacd6d678b58e597f

C:\Users\Admin\AppData\Local\Temp\IcQO.exe

MD5 77a18b757a6ad3f5f8f2817eb2307aef
SHA1 91280a201392e2dd007ef2a3c25f572b8257507d
SHA256 0938ed7f4d5f5ab924053bb9261f9c673ca224734e8ce24ec61eb4c659aafb08
SHA512 123b388682058ab168df526d315fc41c29591f79d57ff0d537aa8734994f979e33ca472fd85599206ba89957fdab1b3d91b4c88e9a46e15b53953ecafd98df95

C:\Users\Admin\AppData\Local\Temp\owkq.exe

MD5 0bd71aaa22ae7628365bfcaf4da1cd51
SHA1 b53c82d9326dbf6a8cf5c744a32b7d92532f889c
SHA256 8b9c90d8aa19c0e4dc0f31b1272e697e43f83c64274f23875c431cbe32a746bd
SHA512 54e025fec7987e474b947eb5f680725534e7092ad86b8f1abbb289484f9379db370bdf835f03924dab0ce3569c93141c8208898c612cb6f9294c283b593e9acc

C:\Users\Admin\AppData\Local\Temp\SYku.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\mEAO.exe

MD5 6150c6a622fca07c95bb738ca20ab720
SHA1 d94d78e4483cd4e7195a70ebd8ad787ed8768cc8
SHA256 fb78002579d5c0fbf58e52d86a6bf4eb18ffff43f7592370353f39154a349c27
SHA512 698c1264765d56229c21a28ff49543ffd57d5ae4acea122ea79fd0dad303a2c7469dac32e51ba8af2ee50dd78b3a6dbe2f40921dab6b20aa8e601c380299b856

C:\Users\Admin\AppData\Local\Temp\QoYu.exe

MD5 b43de1b8efc0f22eb2838dcede153b33
SHA1 6213780530db44cd2519abb5540b5218e431b4fa
SHA256 e5ecdcb646169af0fe46fcf70d12c22e6fa3c0464212f259ad52f9fcd9c6e552
SHA512 8f397e1e66a301b37f88e8f98589f02feb943f7dca9c04eddd9333bc3b23954c928d8cf7c2c13bfa626f00ccc155da623c428a2940088c0b02dac46dade04d77

C:\Users\Admin\AppData\Local\Temp\BocwkEsA.bat

MD5 2103c8d05beda0f8800c00a19f0182bb
SHA1 f146b5036bd70d675028a870433bb16446095c2b
SHA256 d56dc4e83a9663369cd3cb65b2c72a27fd7c5822d242966206b12a7a4b68dca5
SHA512 a5fc364859e3390d761a0393d229320ae9f582f53e4e7b6b2580289d0b9b0babcc6f87254ac68c18a6cffdc865ed204666fb80fa9cc94720d9bb6c37855d8c6e

C:\Users\Admin\AppData\Local\Temp\IMAs.exe

MD5 7adfb4cbd84a4d9c76326fa047154d4d
SHA1 c099a7323c6a1390dc8f7893d16ea296e3439e2c
SHA256 229e2b81354e4a1fdcbe4ab0b578ff2c6acb76c3ba2fd7b1d2a11e9ce5b63afb
SHA512 e939d2e87910bbcf203760fe6c12bc5b765644c690535d26daba5c574340c5426c550d7b1267ac5308802b55d767a2b36346df9a984b076f9f7e5a803176297d

C:\Users\Admin\AppData\Local\Temp\sMQE.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\okUa.exe

MD5 a337c6418a8bef7b5f77ffa48d9d2f80
SHA1 15f9d261f11aabcad320c2cbef3dd9e2e1057d38
SHA256 91842bfe2c3bd3acfd065e8f7876f4f9c9f6915f52691cf0ea9a06104ffb9de6
SHA512 724777188aa7104963b2f641aee1a74de1eadaf727cdff30ee1d0ae2c795f2f2477c3f1bc4406413ef0f4978e192de0d47655a8e890f26d8b9a5179f24902703

C:\Users\Admin\AppData\Local\Temp\Ykks.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\igAW.exe

MD5 310c9ec92d77c4fe67c33be8ac0fadab
SHA1 94c04bc6c92a872026cba7f91654214452222195
SHA256 62e2f4b40b8dec9082694f11fe41382228a54c6eb58a21c464f3ac5e7a74bf34
SHA512 c43d70d5e0cc5dcbfc7f656eb7fa0a6524016c2f12cad0f7a47dcf2e98cb85e02820d0b3b44fe0a71dcd4fde196536bd7c3ed8324ef5b51f8595f35be20c1dc4

C:\Users\Admin\AppData\Local\Temp\uAwS.exe

MD5 b8a66ae7ea17d28d2e94b196858f2065
SHA1 22b351e3098f2c4029336711ba9ff0a951d38c25
SHA256 948c8f46b82efb083a6687ab6493bcfb4e3aa74c9ede62645dadc02ad86287c0
SHA512 dfff1fd0ce419831a7f78a551b52bbef01f024e5aedc4fe47fd543dfe2b39a4ad2123435f4e56f24fb4b9a5db4805ec4882057b1100ddd052c24c9437dec0820

C:\Users\Admin\AppData\Local\Temp\eIwC.exe

MD5 7163eb2527791f0189dd483d30f7753a
SHA1 c1c8cd6a0da46e74dd53909ceee4530730588575
SHA256 ccc329bdcb548a31af67b3742babc0011699074ce9bfe5484960f4b8a100ed65
SHA512 94d6de72454fcc05bd794c5aa85339cbeb670db9ba8fb30f1274487093748a216f5b4083da2efb060e1533fe4c7c5850da668b7acd9cdf7a36fa4f918ef5a5ac

C:\Users\Admin\AppData\Local\Temp\asoS.exe

MD5 c9f3e633f1a8eeb90344df0be1148179
SHA1 f6a163b6d664159f5edb9d24cdd7faaedecfad9c
SHA256 63b7e5e1fb86f61562d13e974989d448b80d2afbf75abb9c436297a519f82308
SHA512 dcd08671f47ab2b7df267caedae91eed237e9c3ebe3354f707bc0242bcf99f280473a394be596b550c6dfd0dd8fa9b561a50bd77973fcd8575a6ccf49d798046

C:\Users\Admin\AppData\Local\Temp\bYowYAQQ.bat

MD5 bc59f4c45088428345dbf0a3dce72ff3
SHA1 8ecacd4795782c86a995e393c49b75d60fd93af9
SHA256 850110df52473aa468c3284fb952f3c0d6c19785d42e8e9616f5220ead9ebfb2
SHA512 3b905e9913f6f159ee1556532e4e4543a068163b2188004d01c1c15203623f827a35eae3cae3505340640defbbca0664ba2afe8ef65416143b1ba43dc8c959c1

C:\Users\Admin\AppData\Local\Temp\mQMY.exe

MD5 5135dc0222bacc949bffe970bbbb31b0
SHA1 00a7ac48cf4b1ae4fac18462e4d5d9c80f45ab87
SHA256 76b78d91a761f4d73506e8b032f7380cfdb32c71b9675e1f6c17fb071f5bc77b
SHA512 adcc55a8d28a1733fa6b31d0064777c89fca0d6925a55a98749ebb5dd134eef59149478bf37eabce0634e42dabdbb4f9aabeac94b1624abfff8c14a253473c2a

C:\Users\Admin\AppData\Local\Temp\QIge.exe

MD5 120895a9bf8dcf57794a5fd6d590fa2b
SHA1 caf84743c08bdcfa85b1b58e6f5aebd7e27ee2ec
SHA256 484b75b4f2ba40e465753d3b835fd6d1021434546d0e0f2622d8315e3faf410a
SHA512 cba1630998eb0c6dade607cdc2f32d63df84641c2e1dfb6314587be42119e3ac9b7cdf2e34f3a8c465ab75898ffe418f0689934b850af92969ad94fefcc75ffc

C:\Users\Admin\AppData\Local\Temp\YgEU.exe

MD5 08e1adc4c9d93559e5e4dc353e3dc8fb
SHA1 34452728f296d755c63f1c0f55dc32d2271c8da7
SHA256 9ae7cb6d9ec9bdb75d8a21a2bbbb891d092b9fd224e297756fe7c9d70af785ec
SHA512 62aa1d1349090c78f6ff74d1089b7d8b9d5979d9255aed6d708fc4b3374d37059244073da84f14ece6408f69e6ffd502ec858f0af72121f9dc0156ee9478a4c1

C:\Users\Admin\AppData\Local\Temp\EkUy.exe

MD5 a4f8968bf1ce969db84d78523e3bcb3d
SHA1 1bc5c3318a265791830628425c4f7efbc092b5e2
SHA256 b2fd04de705eb63cc9f6a415725f289f4732a42ed14e1d71fa60f32694876d93
SHA512 886fc9f42d8895858915d7724cc8f101f158d765a3b2312cb3974c84b6062565ae5d77687dec9cad9c9968df82209aa3de9fb006c0cb4945ea771e87e1c01f95

C:\Users\Admin\AppData\Local\Temp\laAEogoI.bat

MD5 7e02ff861f1222fc30414d8f0c0b025b
SHA1 6b565c1983ba8e8e415f243cf8e875540faceb21
SHA256 bff7f951a90b32dcbc23f5f7eddc74b8607b36d408fb96ba11b261ccec782ff6
SHA512 2afd5d79fbd599913351fded10cb7c6a63d225fd8a079e627177b59093d3d11378f0c86d50b3ec200879e44ed05b73faf90d99eca69100b3f5a8f5564ec61856

C:\Users\Admin\AppData\Local\Temp\Ygou.exe

MD5 be5a93dbf0f5a0c6395c35dc19433fa4
SHA1 62bfc064f1cbd87ec1963ebcec2f84b9658764ec
SHA256 ed226da092cde488d6f249d09db2e91bf7ff737336bf710b40ddd692e65bed5e
SHA512 369e1f913f90510b507b6c6eb14941a6d2d1642dac528b363c24b515b5542c2717bc75a4d784e2c2c9ab687bf9967f9606d712850f853c08ef0427f94ec32285

C:\Users\Admin\AppData\Local\Temp\cMsq.exe

MD5 8ec31bf2d9151246dc2c6a4d17530ef6
SHA1 d1022a2f1502db3b981bf2d3a8ca47a274fc5089
SHA256 19e91fa5670e8cff04fe00ca90b348a1614ef6bdf2aa5f016c68034da7171f3c
SHA512 bbb0e71c5a896d9dc932ffb264dea2d873a432a081737235bd8af1ce95265c24c36ea79c9d46264111fe43bb6ac606f54d936a981035b485eb1cf750384619fb

C:\Users\Admin\AppData\Local\Temp\TOQMoYcY.bat

MD5 8910dedbffa29a4c2813c5455288b308
SHA1 185b0d98dda3ce65eb9094475103762583b103e0
SHA256 efcbb52391ac7266ef63c6b3e4f7e50d5c90ae64173d44f118822f47c059294a
SHA512 3b1b2dceb19584a31c59e5736e0fec9ba46f2d87db75067ecb531862365d902ee29bd77a87ca7e8e71ef818861185e2402e59b7d8cc1734e8437ce999795baa1

C:\Users\Admin\AppData\Local\Temp\ksMU.exe

MD5 0585029b9a21d97f8ce123bbd96a9f09
SHA1 8f9f85d11ebbf7d04b0eafea898c06d7829f3468
SHA256 b6cff245c297667099767e9b5153e9ba4619472cbb25726631af3aa9d3729203
SHA512 a5af3bf75816ec74b8b1b38143511bd165519c339d4db3cf1fad1d789767b985e9235e4ff0993912b743fc3ec3cc344aaf36c0c25c72b380c93c5c9fff69be2c

C:\Users\Admin\AppData\Local\Temp\WEkw.exe

MD5 7f0e699cfe135b0079124332322c7497
SHA1 9e9993942ef9ad0bebfa3b0cd7065f2ef0be5ef8
SHA256 7d04e5da71de9e6aafff41785aafcbd1723771063e63a29123c77f49ffa14807
SHA512 f52fff22f09765c727a9bf4b3d7965bfc6d017a499301f418c879c72baf2f01443b6a1c8603a2405b16ba42eb32d32a4100308a40b7c97374187391c5fa5be1c

C:\Users\Admin\AppData\Local\Temp\mwYw.exe

MD5 2d3c15b33fddd3c1a348f88599cbfd23
SHA1 48c281036007c5e239d3ee761ab92025bfddd59e
SHA256 b8566ce3e1b1a59676cb28bbf2eacd83c79bb28657e140e0fc29e1f5e1c4c33e
SHA512 2e5ccdf4a3e8437acdc3799a7c226ad7ef2264dadb7b4fcc028b19a66ed2c3a8d879adf01f39963edc483012f7112d1be9ac0fa4054dc6e7986edff0e03403eb

C:\Users\Admin\AppData\Local\Temp\SoMw.exe

MD5 2fdfa9eb264e9278159ea3fac0d8d714
SHA1 3e6e823b89cca28962354e3e76e1b1977ef74912
SHA256 31477e03208ee52373201b2335e995de24a862263f7071731834505773486fdd
SHA512 d7688fc365fac41fc8e8fbe5ee78fe34045bb245dfd58793caff11febaf6d77c4dbeec389688cadd6ee67e9052c56698ac9146af71d4a12aa57c5ae060c3aaf5

C:\Users\Admin\AppData\Local\Temp\ekMg.exe

MD5 6df9c22474b6161b2818a3f0defe6b5e
SHA1 c32001a8bd2862235bf51dd4d00a65580607959a
SHA256 0171f6e2d033c76f01b0c88f3dd7bebb18f097a3a447334959a9b88e4996bee4
SHA512 7bbb84d8311e849e674f95f6931784f16a28fa84131ff5e8a172efe1e3f280c22bd1638a7c772b25fcc20a757f64a02335cca27ed14777b6861d2d7f8f39747d

C:\Users\Admin\AppData\Local\Temp\mcsIUsQI.bat

MD5 314104b2e0151589f7d1e66221a4cc9a
SHA1 3cdfad8790e2c5603b59884f27bde78f75ac498a
SHA256 24f95ae061a50f4cba280bc5a9c6223bb8ed3f2156fe885233a32d425eaf8608
SHA512 146dd0b1613acdea51c30e7dbc69117ef8672cefeec1124591446f48e913a2b916250e687f3f09d8f79e182d085ba239e5305d4ce97ba333456cacdd8946010b

C:\Users\Admin\AppData\Local\Temp\UAwM.exe

MD5 03bfd52eb4ca24abf82e101841110a3f
SHA1 7b7795ec3211c2155282cf03de68b6bf4fec16e2
SHA256 d0b69b79beaa5295f0e1cbf6da2964cbf705890b5ba629f2a1870a87740bc168
SHA512 ca0cab5cd956a158167e928cb79865e3a4b9bcf661e68843fd7cd64d08b51dfad3f5c5b4e36c6b44852d68f200e1f808b5f9b7068c0edd7a6a8aadafe4ac58dd

C:\Users\Admin\AppData\Local\Temp\GIMo.exe

MD5 f838814b7b7587ae1fdad6d5ec3dd2b3
SHA1 0a59536eec95fb086c8446a6e4771df9a02961fe
SHA256 c8be8563a403bf2f4635959fafe4d697f631f107f6de382839f335e92f83250d
SHA512 4a38671acf582dea754c6988875a829d2a3acc86d69e7d5734d5ea5ebe11bdfe6b1082f77d1d06a02247ae1967edf1632477fd6622fa7efa227ed05d8421f507

C:\Users\Admin\AppData\Local\Temp\EYQc.exe

MD5 d7b0394b3781e43da6b22ce7999d83b8
SHA1 51321eec3bdc52ab1a238fd29795dc8f4d709f6e
SHA256 7aed90076fa228f6bb2dfff3dc6aec0c5f009b4e96e2a8bde561d62b85db42af
SHA512 166240bdfbbbe87ab6c839506b3bcbef62c8a9c229d9e6612700a58e7502a788b189c8c2eb7d23330308e18f37e8c1d7abb070000c71782fb9fa2a4c39235cea

C:\Users\Admin\AppData\Local\Temp\IgQQ.exe

MD5 12def7bcc068b23e0b06221749097340
SHA1 16b847e08d52a355dc962504194f8115cf269bc5
SHA256 6a004e3f056c334f2632658483633cc52b42ab2b3459119b02e173ea33841b3d
SHA512 9dd6359865a63e3c72571fafd9ccdb1d8ed05f241a0142feceb67ed48a554098c207bef05d5f08c0ec85dc2eeab5f7da3f334981c16dc490bae1b4e10d2711bf

C:\Users\Admin\AppData\Local\Temp\QyswIMgQ.bat

MD5 aa41aa3fcb22035e00f8209ff45cf0ce
SHA1 aa2603e575e94e3972f3c15e5de317291e78e09a
SHA256 93bab33c3bfa448754e92bd166079ff7a34dfb76e492368a9af0398febfc1d77
SHA512 8a752f7557e5a6ccf78b90466dfd5f6a6304c58a07a536fdbafbb4e5d1214fb2255d81a2f7cc53457608bf4454a0d96ccb0be5db3639d9adee85b56a7a00bd1a

C:\Users\Admin\AppData\Local\Temp\KUII.exe

MD5 16ac9b922ee93e8095b8cb69dba34fa4
SHA1 b12a9044b803ade144365a32515e3681d5b72a88
SHA256 529cd642f72630810f24549da0a26f6332cb51a213a4b560f7df7da0caf8ad8b
SHA512 10bfb0375bae27066cc2ba1c54fa6b6d63147d7c556e891a6150748b01fc5459d164111d0dc674ea46a2d8ea78f17f945ff6eb2055feb464bd33cd652eeca912

C:\Users\Admin\AppData\Local\Temp\KkQm.exe

MD5 9535ed9d0aeaa8bea8038f98b33934fe
SHA1 d1d9f127506f516ebdc6abd99107fc4bd605d745
SHA256 fcc128eadfbc3a956ccbb21c4c56377d4ce0b7d68c3a328fb0ef29fc74c1e1f9
SHA512 2c5b64f2009171bc894e5a851266f32e02b9903df1b4d42bb6498f22fdce834682e06cc8e69363585fbc3ec750e9fa3038c7b291e0a0f05fefc90405452da324

C:\Users\Admin\AppData\Local\Temp\CUQA.exe

MD5 2ea213a884c6233d0974c3e64770c6a0
SHA1 a7524c8d4dda4dde32bd553d987514a12c56aa85
SHA256 de19173e0d7d7ffc2cb2f1376867ed5e00413ffd32cd6ef0f66b3c5518efc971
SHA512 92aefc54219a0aaacb1bf502229d499cf0a612da860183687ae2d0259f888217c82aa356273ba7d7a7c7fc3d935ddb3bdd3c11f32c4bda9ec7ebef71873fb5be

C:\Users\Admin\AppData\Local\Temp\UYEk.exe

MD5 6180a59f871238d0923995b74384a503
SHA1 6fcf91c43a72ecbaa7486a0364b58517f7c162bd
SHA256 1cd427aea972438555d0b2c744e2449d326b2a2076296c4029d1ab00e290f99a
SHA512 629203897f8b3a9c330334760b123d65d21414e5ec2be3790fb8caae1efe20b246e6df4e80e68afb22c056c62c62eefccce1914f76f41aa8a05a94862bc32900

C:\Users\Admin\AppData\Local\Temp\GAscckUo.bat

MD5 963d8b2f99e266f64e60b24991f96cc7
SHA1 f8593f23db2e1c08126fa6d427e83e2b2f2d7872
SHA256 08acf2163a41a1237e5a2cf5bbd323bf72518561246f89e0ccee23c1f192812b
SHA512 cc5e741fbbca852e5e29de4eed47b8a2499645d7fd4369947d6dbb224e47715309b04de8d97f5a11245bc06b6cb824d3a2250cfc0ccd0c8f2505f404e82356b7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 b6902063191440dda9bf8f2e7473d4ef
SHA1 5e1da49b84644391bf38a96a990f824901d6d8bf
SHA256 1e4b77d58ccdb33ae108ef14d4e488bc1b75c64fad3cdd738c4efb94125ef31a
SHA512 911a64086a7d0279dab27e7f98d8f2fe50347403dc7ceb117efeb34f063e4d630df1362b137f72789edb62630e339145a5e4ad7ecda496407b962bbfa08742e1

C:\Users\Admin\AppData\Local\Temp\UgoK.exe

MD5 adedd73ac312f79a1ebb9e841997ce3f
SHA1 8cd2b9fc9c716ccde09c3932b62f7d3a1e10c17e
SHA256 0cb57bd325862f6510ab0983a93211439c4a3e56ee99f10f5239a65d230c3b78
SHA512 d45c91212bc7696e9a5f469fcbc77fadca3b3601af2030d83bec8e011eab54c7c1613d26c67c88d8d899a1bf8af664f5bdad5afdccb83adf4ff87d61379693dd

C:\Users\Admin\AppData\Local\Temp\Gwou.exe

MD5 42404712912558ed2af4e9d28c0c24aa
SHA1 c88132457b2ea95f5f61990daaffab663fed638d
SHA256 e98a51f0b2234484bc19cf90f67864fc6aa2788a3f82ba09df019dbe0a33996a
SHA512 cea91f6fe2f73e281e39b74c6752e9bc89db3daee9fd904ad9b9e80afdc49ee5e38685de278ed552328bda0c20c1fce871ac72b80dd2febbea90bd2b77116cb8

C:\Users\Admin\AppData\Local\Temp\iqssIEos.bat

MD5 a981ce3cb012e071be2d3b8577a23c12
SHA1 03a7c47b21237dda6e2c17443fe22b5365f9575d
SHA256 3946288bc156322c7ec276511c62a79ca32d1b0db19e4cfafae4804f5b7696cd
SHA512 8679700de383805ebfaa574977e539a2f864881d1ad5b8d15cdcb0618e5688700a5641c2adc33688451e4fc9a794b2fba7f57d647809c828dab7b637b796bd0b

C:\Users\Admin\AppData\Local\Temp\ioMG.exe

MD5 9095d06a4fa70c1f2b914618c9d2d22e
SHA1 a85de61b4f720a5515579913f808083ad60c7326
SHA256 b878fc8a8d13c860228925c7b775809b2220ef19a818ed9742343712a9cf0de3
SHA512 745119d9d3fd1798ded7bf92bb5d285c342a84ea9892fcea1eba4e4caa56932e1e491405f2088ff540e661e8e6f9971fd25f9c5a2b58dac460047d9d0caea4c8

C:\Users\Admin\AppData\Local\Temp\AcIk.exe

MD5 d83b7c813d6836cf92b2bad0c508a468
SHA1 fbe968600d94fdfb5ab08c3b156734b241f75d61
SHA256 653a519bc4a2b26244a5b4b8593637afee754cc26692a30a79a2d1db089b7ffd
SHA512 822ababc002bb171c7475914026e852febcad22c089c3d0421a9cde0856bda8a7ad892d3e47d16086fd945eef04815d81f83fe7926aa1b1f37441b0269aa3019

C:\Users\Admin\AppData\Local\Temp\BUQUkIUg.bat

MD5 7bc9f4cf581cf09d4c0060b0e5965178
SHA1 a439dd032106fd130f7017b24e97c990bd81a6a1
SHA256 c168fe70b3636dacc3a2cc2e00c722bf3e8ef377b329eba660b96122734eccae
SHA512 6da1eb05bb78345f6b9e20854842cb1108af209208279b4fcfebae5608fd339c91076ac4bcfd73a77f15ea099d51593e71df819d2932589b9c31bb78264f973f

C:\Users\Admin\AppData\Local\Temp\sIUw.exe

MD5 0f6f56d9b3f303abb43e68f3427e1dd5
SHA1 3bc669e0dee0ff7a89750485c9ebe35d77e16022
SHA256 1bc1061006682b046837b2f51f7956a5fce4b448e311fdf57c4489845f3370b6
SHA512 91cfb652393946882d2bf325902386c19622af94468fe57c9a9bb3d31a3626cee3b5823a716edcdc8c2815bfd7a839cdb1a8d08264e1056b817ded78538cd0b5

C:\Users\Admin\AppData\Local\Temp\EsEw.exe

MD5 61837f6bbdfd07e9aa7f04fab2ff3b1c
SHA1 3c4b97a0af00c15f676d18d83a56b6057ed330bf
SHA256 7091aa8f053f4bf6aac615b4fbe4a0738b4743a502135360cc7a97d3ae42e9d3
SHA512 b30bf81d3131bd958a124c7556616a27c1df5f221d542fa2ecb4b11b395f85a4d0a5a5b342582225de423fec46eb198cef5e9e6775de40e301f58863e9ad40d8

C:\Users\Admin\AppData\Local\Temp\gUUK.exe

MD5 70aa3288057644f9d71aceac99563097
SHA1 342953982d250fe2b00c2b00a3c5db2c333589d7
SHA256 2180a96d94d602d719b7142bf8f39736a81a400d90a863264d3b0ac757509f78
SHA512 5553c98c818a708082a50295d774715f73442baf4fbab29fd6f2ea04fd4d2cf7e0491b7ca205ebb511bb92f1435ae7cf4b318e009d3171eeafeff26f2e563471

C:\Users\Admin\AppData\Local\Temp\HGEQEEwg.bat

MD5 b2abb9ed1816bf03ad927abcbd6db74a
SHA1 1f14bc7294dd34165bc2685f8e9773c2cdfb3c92
SHA256 91e7f39bcdbe5a051487fb2df0553607cfa9232e925b1073df074ba6017138f2
SHA512 1c056ae3895b5e7d2621d8de966842c4759276b279675733f95ccc92963864e1560d63ff985b7338249d94d5a91aea3c51baca0355bc0f0df38c4758d6713c4c

C:\Users\Admin\AppData\Local\Temp\AwkM.exe

MD5 769d56bf162761704adeb1567a1ff1bc
SHA1 dd5b5db537174012fa3ccfbe1a5381cfe484efe8
SHA256 f338cffe8f08f1eaf581cd4b8cd3b2d45e64454d8a0a68df232c4af8faa3e94e
SHA512 74cf8a33f92ff2bbebc1a7679dc51386671973a424a54d483f5734dc645364e781d9c4f8fae494fea955f756ce55c02c9a4ce371daa360625bd7865d5b3c6a2a

C:\Users\Admin\AppData\Local\Temp\UsUM.exe

MD5 6b5a9e56c41ba76ba1b18d4efe0187ec
SHA1 33ad8eb26cedd8984bc059d4537e163e8ac7508d
SHA256 f40b5e22a8b37a26397c8974b0598046771e660b83d4e099625faaf6da5f5855
SHA512 985d53de977d7f60d8d482f59e0b00b43b67fd866104fe3556b2d3eb5a1382cdbceadd57a1d50277b2d09c65780484d52ffa6be8300856ed8641b6f85ce28e24

C:\Users\Admin\AppData\Local\Temp\yIQU.exe

MD5 8feacd77ea3f6e9ab2e733442c6ab1a4
SHA1 9332573d0d67c707a8ed709bf42d0882d49173bc
SHA256 15227228919cceb8c6b45053ff1f2c5a335ebcd73c76f9ba5eb7890ffde2ca65
SHA512 e0000fae89687dd30016ce540a03c85ce3f6fe39e1857edce34f650ad8a938885ad4d2845157546d5ae61df5adff1c72dce0dfd1356630740c3c8b1c98e4214a

C:\Users\Admin\AppData\Local\Temp\FmsEAYIE.bat

MD5 699e71c598d36b86ad3190d366eb8fca
SHA1 1fb4bd5dff29e973e3c01fd70e17a01671fc39d4
SHA256 510754b408da1ba7dc167b509ed4ce474f1f2cff9be905314b2da50e3492bcf8
SHA512 bfdd1852f4ff5171f7953e096350464fae2a1731c6a25110c938d03aa5af05b8b44297b7c7ebbb3176370258d690edc2f0789e7e3437eb3d07b0e7acccb08411

C:\Users\Admin\AppData\Local\Temp\QUwk.exe

MD5 fb6ca447ddb9cf7f15ed6634a6107562
SHA1 65d167219a5c2e3ac469bd7f33ad16a9dc2625a4
SHA256 ed321be3b4b422ad22c379e80ce1ef4ee6fd9633c1e53ce7b2dfa27993c1dd45
SHA512 ad71d25338a391f88489881858569071d4ceeef66aff0709cc984721d0169caf6b9f7fd1dad999a97cbcda42c0ca1dd352d520bbe2c71ab88cd209ab09cdb93e

C:\Users\Admin\AppData\Local\Temp\iUEU.exe

MD5 b0a5c82ae40378c0e4c95d456ae59f83
SHA1 ccd35a7aa3b1a3a38a6b05482588e6ca946ec097
SHA256 ae7825b655b0590fabf450c34585f8a7efb18976721ff9c973294ebd1be04e58
SHA512 a6ccb6a3cf81254add6f105ff15b7d0eb6bb02c7360239d3d3657734c31e27e6de7e239760cf4540b095b80b4d50aea1408592b88eb88b1c3c0886a3b54c9a19

C:\Users\Admin\AppData\Local\Temp\BGAokwUQ.bat

MD5 23e4a2ff6d5aaff0ccc3b8a81270faa6
SHA1 3caeb22a2b4da93e7418a6cad657bc51ae0c5d3c
SHA256 fb12e4fe67710c6e0d63bd23f275134e0da49c9cfe9cc38b454818225c2bbd93
SHA512 b53f8523756e293a13740993a949c59b13660275b3c498cf307c5e6086693cea97df6381cc329cb4b4a4d57d30b14f16cbd531a7a33bce9c347e4c2910472f7e

C:\Users\Admin\AppData\Local\Temp\kcUC.exe

MD5 a06422aaa3f275c578237dfd087272c1
SHA1 3107357c1ec3b1448ce29c5891e735ea6dfde13d
SHA256 57771c6f4add6b3100394584a6aba9361c2acf3839997919c648a1cf6bc2dab7
SHA512 7e8727679270bc561a8ec6ad75beb610c0e36dfec409fd2ad714c1b5d3ea39124b3201bf3e96203f695fe38189f54724a1af4d0409ce835add9433935b71b7be

C:\Users\Admin\AppData\Local\Temp\CMkm.exe

MD5 040dc7dc677a8b170dfd1fd7f3b0acd6
SHA1 f262d6f941c886babe36c1e65c9f4e8301734b0e
SHA256 8cdaf4c949322dbdb2430bcf9984b30112322ee998fe9c32e805c1de81134c9b
SHA512 d4797c0c19f61769bd0390fcfa70eee2aeb725422e8381cb7075d56ef279c7efbb52c016cc9a15cb0226efe793d04c045814a011ca8694e24bdf4d4796fe4b4c

C:\Users\Admin\AppData\Local\Temp\PkUUsEMM.bat

MD5 04cfb59a00bfa023ea8fe4908f4a8631
SHA1 68817901659d7332894e53e6d1a46ed62085b1a7
SHA256 655e58976e140e3daa93293e682c90d7748a2bea18d4dcfd13211167d8b78092
SHA512 6b79836dae0c1cc41f12e805444004112c1e7fb73c939d43147d18b75cd44e65e7fd2f19cee4b8d8f99962f3782c22e21c1fad288faf9071073c721d5465ed9a

C:\Users\Admin\AppData\Local\Temp\wEQk.exe

MD5 d9e61d812e61caf37f5ee74ae76384fe
SHA1 4a4ac8868d79f4e5bac4266f413eceb2e945893b
SHA256 eccb266f3264b486e2ab08d489cc12ea848b24a7b69eaf67d50579be4771080a
SHA512 6625371a4962935894be2c7a38c14cc1b9e620ee2c178d8175ba47b5805dea5551249e646d0c185a96bf11eefe03c78331895cafeae690e859b278ef5753334d

C:\Users\Admin\AppData\Local\Temp\gkUu.exe

MD5 9e5df1d64742eaa15a78aefcd3e0e42d
SHA1 76aec5d086bd35a3b1dcc537451e6fed6b042ad9
SHA256 1cc5fcfcc44e48899b3c5f364349b2e9ce7f3a39f557e9d2129fa63f066720ed
SHA512 f30d3ad81ef2f576d4d6d9a8ee6871eee51151df1f74ed4c0dc046dec5869fde6785dfa4ce5ff751bd11e114d4bc3a9afa6046e10f5a4a231560e870c226798d

C:\Users\Admin\AppData\Local\Temp\ugoUkgUo.bat

MD5 5bac55b639ba5e13d214b1a6461c12ef
SHA1 faa21f075cc2ba67aa76f477ab99a18d18ca082c
SHA256 7e093e9b5e3e65a54ec0d3991b04129b9eddb08fd00655b720304d05dfad91f9
SHA512 cc147dc51bf710a8b6cec77a13c02049fad9985dd77adee80b47217e66ac477743287ee9fe917e3beab50b6e60dfd9a2ed3cd83110eb476b7199220cac53687d

C:\Users\Admin\AppData\Local\Temp\gMsC.exe

MD5 a2aa6a3f9ddb07fbe0b9c7c6add84fa7
SHA1 a5a25021cadeb964bcbc579afe9a32e794574d21
SHA256 372d608144596292996fccfa8c0ce0b2f211195d889d0ca4c402638bf12e4229
SHA512 065a0fe03b03d5878959855a6b6b8aca05f7c74d3e8db3305c746721731ebfc70b80b3b55e2f6f823ea56db26ba8d5e0b99edd40cd31c0a93db34f4cf4e15369

C:\Users\Admin\AppData\Local\Temp\EEgI.exe

MD5 5e154e5b91abacf2d10ef758f07fa639
SHA1 002294d520648d9a752e771ea3f568cf0f773d9c
SHA256 30aa721c8ddfa9f06dbe712570c5b036576ec877004a402f8fad2be34866c9d9
SHA512 4e57d7612ee8433a2226d71fc9acfeac5316225de3cd7f984a0e34c7ca517f51ccfa77545e3d768515d73162867c27a386068687262e1de688128e200aababce

C:\Users\Admin\AppData\Local\Temp\YaMwcYAo.bat

MD5 2987ed2972daa4e167293cef615f3c35
SHA1 33bfd022ef763eeb8702465f75cd9e371879ac45
SHA256 15dc2e7f677a948c04eaabb5ff26077f04c0f416851b0e4ebda5035ef547ddbb
SHA512 6a06094c2d0bf22e15701d24bac41cd0350287231ab3719fc6c02554584f761c44915580194f0dcbbf42a2780fc57f30674bcc41621cc70c524958d2433f1ffb

C:\Users\Admin\AppData\Local\Temp\CoEs.exe

MD5 8601c8d492e8dcf9a69055cccd560ecb
SHA1 01b61e9beda5e2c5eb0b92a8f5aa49ae5de5c0b1
SHA256 6dab85761c42909aa53b678a68d1310a1c60313376bbaa553bdaac560018f219
SHA512 eb8da65af603b0d783b14c18af7e1743a398eaa34166771c16d345f300e53a4c35cc1f541ad5591ec12688a8591d05b18af48ac07c31d9f2e70caef11193adc1

C:\Users\Admin\AppData\Local\Temp\EWsosskE.bat

MD5 56213f6c301eaaa40b0844f77fdabb34
SHA1 9d2d835bda8c789a507e0907c7a6855f5853ddd6
SHA256 e3a9903071e1aae1bd6d93e2abf506164594724718ef2c92e3044e4cabab4b73
SHA512 307b37eccec9a6db5c9bb9aa17e958e4c5f6be8653cedf6baee8d51be472a556854104c4a897035c2ab0642e58616f1fa5d808922f64e444fc9e98c34a2e0a02

C:\Users\Admin\AppData\Local\Temp\aQkE.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\IcUS.exe

MD5 3a88f5023f036b253b88dfc90493cf38
SHA1 be102f2902f906c7203f4fe1840724a443794d80
SHA256 74bbef1c5ec4622990d448a8947c6327b88dadd0bfaae2373d1bb2f17f395fa3
SHA512 0fd9d6689d75d17da3625708ea56d8da4cc145bd276c25d77e8595c0a7b80ce7f9f85133bd070277514f31fa7a9e664edf1f4c4045c0927cd15546c592c1a5c8

C:\Users\Admin\AppData\Local\Temp\IcUQYsgA.bat

MD5 75f6ada0a6e8a419edf8edaee7d813e2
SHA1 2ad70e579ce12d0e4f155d73d71477add2368dca
SHA256 f7dea8afabf534d738ca193a4da16b9ac24d0b1bb5595ee9f49c8ed5d67a4782
SHA512 b48a7959b8c27516d6d5b7f71af2853335991d22f5f60f8416c6dfcf48bd6128da1a6ca0b83d046c1f6ee841a291b3f21276e04ae9239413b6421029c05eb646

C:\Users\Admin\AppData\Local\Temp\aIIO.exe

MD5 7ef667779e40092aa575fede54db77a0
SHA1 2e9f9ef4155519711d22ebb5704e3990e5f589ce
SHA256 48c81b6139a2147e7e5d0ac689bc1bb47d1654b99b9077e3902b067de77963a3
SHA512 f44841f281df85e6d6812e30af01fdaea2a9a1910d39c1062f0dc7064a29a7d6e5bd53a05d0159ff9a08798ef484bd475642d9d563759ce257c83d2e4f2b8ce0

memory/2472-3908-0x00000000772A0000-0x000000007739A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CgoA.exe

MD5 de8d4c51b2f746a3d2ab4a81aa1bb576
SHA1 eb9a5acd6db61ad34f62747702f9fcc02a62f0d5
SHA256 2de177689ed61fe104bcd0c8a9bb76fe503cbbde2210569200e417d814c66d29
SHA512 af764b29de3feae7c480a07b6a3491a50213d976e57681d685e43e95bea6778cea440114e39defa00df2a31fb18364b774cba75735647965e29744f8fc58ab91

C:\Users\Admin\AppData\Local\Temp\UUUs.exe

MD5 1344c876a065326f8a89e1621270064c
SHA1 082b6bafe72b22d64c0d7e8ad178683379cb8e68
SHA256 b31e5e9abbfe0a26591817d0f9ec0e1fffcbc927ca675a22b008c719518bb5cf
SHA512 6224a56280956d1720a3c93396df3a7a4f17862a0a61fd44168343c4ddad6cc3d23ea41c5dcf4f72b42e9cf2f4d24f9efbd746d6832132635d8b5913870c4712

C:\Users\Admin\AppData\Local\Temp\vsoEAgwA.bat

MD5 b273c6528c57a4ae06d730d29e9cd684
SHA1 f898b65f22f1d47dc19923c3031e1d190359adf0
SHA256 2fb0e85710aa2938b5a736a28fa891017003d02067c177603e319fe06292558c
SHA512 f8acef910e344562fffeeacd9feeb0adfcda4765c2344538403a30b25e02cfbae56cae00c62d480aa6345bf0d4b3d16212fb60f052c1c8aea7f922a30a7bd572

C:\Users\Admin\AppData\Local\Temp\uQcW.exe

MD5 f362ac63da1c3ab482340f7d79d4fae7
SHA1 e7e67d5aef570423e066e97f6698f5a7f91cb4a8
SHA256 4532a5e3098af31c95ca9e914edcf0c1613f5b5ff3c5177573d758a0ff787bf0
SHA512 1a4fee7b32a830ec16783296f48959b5f3e42e72ca256580a3f33e786633e8bf30a3d2a337e3ff8b01165b60725878cd3943fc724b16670c54929623df518946

C:\Users\Admin\AppData\Local\Temp\dAcMgIwE.bat

MD5 ee10b58a9839628aef13ded3ef5505e8
SHA1 c05b07349267f2f0df6d8df01e969f49a531c154
SHA256 ac724dfbfe787312c883782430fcf009e7f0f60442dac3bf11fcc3f679bc1ba8
SHA512 304bb1d3331b70988a662b77f71c661e8a8af77fdc155d296d9a7476af399b126bf603e7c5914dda4e56d2d50e9645627160da3c2dd07c81f7565cf6bbe8f954

C:\Users\Admin\AppData\Local\Temp\YAYq.exe

MD5 b2bbd04ff3d92dd9c839f58375f69881
SHA1 3f8805e6ae2841bc7314295166e16fb7f450276a
SHA256 84ad4d88c105cf32feac4d6b2f7d9729fe43410ef6d084c6d6343b4dd3a41fae
SHA512 87207c4d9a47c8c3e68f7653b28f111746081210ca20570622c8a17d1f58a3065542d6b425819cc6268017e154d6348aaf46d3c414ab98315346fb0a4dc37ad4

C:\Users\Admin\AppData\Local\Temp\SMIe.exe

MD5 7a945dbb1d0143f31c1384b155f0c379
SHA1 67093aae65f640a4d8a78a52c5b6f64d90013fa2
SHA256 e74ddd3fb1b229ae9900bd428fcbdc86539ebbb25ac852c24f126fe0f6fa373e
SHA512 e5445eee8b9c15a25ca1494c9aa0b83f0593f5aff2b8eac3ea9d8c2a82e83a11a372e299e061bcb273340a5ed5793dfa0224814f4d1849e12d874bb85f1c7604

C:\Users\Admin\AppData\Local\Temp\AcEs.exe

MD5 19371f05cf772d7b2e700ebf1a96faf4
SHA1 21539d791e3b8db8a48ee61d949acc7610993f0b
SHA256 ef59c8aed75c2c9cee779e437d01264bd141b98b286327617a126ec118fef0a5
SHA512 a5ac518031b5cb192cd166037dedea0bead663907e9a377f1dfc8fdf6aca976391a3984fc6db30778f37a98f9fc7ebe32f6fc8ed96c059f285a78e16194f52cf

C:\Users\Admin\AppData\Local\Temp\QEQa.exe

MD5 a012bbd363155ad0d86b0d2238aceb3b
SHA1 023f82ec8589f53df62042e1a5ef7d993d8a3cda
SHA256 22eb70f3c9500ce5ac50751305dc6a89af4d64f8550b88c5932aed9338d6a750
SHA512 8c9ca7dce5a2e1ba756befc178acc34ce37158d0cfab481341f938fa9a9c46f43bff484ac26b60922e5bd5a797a3b4864f50806a9d3f6502f1962036504d5bc8

memory/2472-3907-0x0000000077180000-0x000000007729F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NCQQAYgY.bat

MD5 7b1e51d20189411ef71b6f9b7ada7e36
SHA1 adfafe26ca500f727a9da2a9889ee626f1a2cf11
SHA256 f55f92f07c04cd4ab8f10423bcf988613e8d5525e2953a44c96c24f749271ef5
SHA512 dded4f1d3aaa61d94b5e4e16d616447cf36d8c40dd7a55dfc70ae75588da3d019ae3f50f19d809e284353f5e6887538559321aff1314f04f4780ad6217416d9a

C:\Users\Admin\AppData\Local\Temp\YksS.exe

MD5 2b96edd02d99da986e1cf37944cb5599
SHA1 d95f6ab016326dbf8107da2eba94d47ee663ebd2
SHA256 1312e4b39bf0b427de9e49375936207f2e5d833f5f38782ff7719b2c60f89f9f
SHA512 7252a7083bbe90db25b7f0cd73926b51237ad635f86e0cbbc7b5e0f1c81a206ce33da2f0f3255624683d1ceb0f058283c2c7d4edd8903a11f6668b5275046f7e

C:\Users\Admin\AppData\Local\Temp\iUMi.exe

MD5 c37d0f8cae6eed525618a4a8e3061f36
SHA1 aca3fa9010dd6fc2f3b9b82133e7bf6c18a251d3
SHA256 fd139ebfe37d017d1787c5dc0c8b6d8d15d5526fe3af2d4dcdf2ed0d5d72031f
SHA512 41c2870c1ba491914427f56bcdade6c91818833f04c9d9327078170337a095ddd0f0f44a238a07f4c614b9910173c95260f710badaa6aa61aade114b6dc705c2

C:\Users\Admin\AppData\Local\Temp\gIEEwUcg.bat

MD5 3dde7dbb475dba57dd710a3e594d3693
SHA1 720a21d5f243435f42c399e0bf9d3c4550d8be00
SHA256 ea50afe6a968b7422e3b29192c6ed435db15e895b148cbfb0c3df84bca4c807a
SHA512 2656d1106b8cc97db051dc95a35dd7f640a6c89aa5bc13b7dce471d0d943c27a29ccf4f213a3c1e6780775ae7fb5bbd2f85d2af774a04cd6087d0ce4606305d7

C:\Users\Admin\AppData\Local\Temp\cCMYkEwA.bat

MD5 28e7be9c24debb46b23c998e3a50fc48
SHA1 a3e563bd129a7b74e571af2d90ec64d66fe8fbbc
SHA256 5a582ee4024fc815126aa7b45d0d91370c27b3041fef7d5bdadf6808b8738883
SHA512 6db5aa25563b1e31140e3dc542e1e323c74a72179475aafc8deece58c1f0b6e36f5c62e7206a17ac57bea3f9bd410e88dac4ac9f81215631d39ebe2425e7c4b8

C:\Users\Admin\AppData\Local\Temp\gcIAoUMA.bat

MD5 32eb588228f196c28a2cdb2f2dbbd8a6
SHA1 6b50299053a5f21fdf1a13b0a6e07fa60f846ac9
SHA256 0134777178d638e8d40a2bfc7370aefa12f6776c2404bf2866ce6a409c5838c7
SHA512 a269841d6a57ba1aead36b6ab518b70e529e82e08be166f623628b6ac02351a3ae9cdfcd917f57022425b2246a0bceaceb5c1cedcc63ce0d10b5262319be561e

C:\Users\Admin\AppData\Local\Temp\KygosgUU.bat

MD5 3163477472ec725d0f0d7e3b37d002e4
SHA1 7596abf25a0a27a6b98a7c6e0568ede38d951358
SHA256 0841facd911e0df5e0451b54920cea1e2199efa9ac309f6d1deb3a91ce1c3408
SHA512 1c9a6a00cc69894e03a87a0e3b96a8def106891915058cb4e57841496a93be45f647b861b70fb1dc1f9ae8ea4787affa006e7460b4d4865586616a383309aad7

C:\Users\Admin\AppData\Local\Temp\KeIEEoMk.bat

MD5 24cb237b84a9c5f53faa99c5bde562fb
SHA1 319134cad3c7d9585c401c51f40161835aa46674
SHA256 0967b4dffa9b3a25644626f47d6340f0c344d8845542d3596107b18e0f4c4ae7
SHA512 c33e3eeb441e5fa2e7c7fe2f0f520f81fe24c6b3488bd49c47dc8d9eff39c8b92637e76794619f152e761b77977f410a85af186de6326937e9d183f7d88d25c2

C:\Users\Admin\AppData\Local\Temp\jeogkIEA.bat

MD5 f47a58886feadf08cb5cc2118a7cf881
SHA1 80f1230adc091f777e86dd57317dc6543d2292f7
SHA256 74e03a7a26353066a927bfd62db182cc1c8a51eee01bb9e3be47592108b441f2
SHA512 3149947b25cecee1b3e60c7c2b20e7ae7fa148075309b52932c475e504c44791776abf351474230c5f2402cc6a321427fae04ce684ea0c21263e22f0f6100d63

C:\Users\Admin\AppData\Local\Temp\TCoMgQMs.bat

MD5 f0edf5a8fa51a5e9289f40bbf0ef5a4c
SHA1 ae880629fa7e73a469eab85e9b075bcd57906158
SHA256 90dd2c45830bd3d03c60fbf1910c858eddacfab779885ae0ca6dbf5a7800fa7e
SHA512 80cea914a4a1bd91ce076583a03c1db8bf08ff2997cb87e0b0bee66ea58694a0e847c3d9aa79f12b9b3c6c30c4e56842e80c358fbd03eb1c7595d02e2040e9e5

C:\Users\Admin\AppData\Local\Temp\jIsEIwYU.bat

MD5 d2bf600d2a4d963b22eae491294dd1bb
SHA1 d3a7391ab058eeb813247c0b6e9c1586f5fa2204
SHA256 d292b1768eedd8367a8112f42e5c4e275e8e3e7797fec7bcf3e428df0ce9e191
SHA512 42f5d345cf22721a1d6b73cf22c6e014dbbef82096de1024aa6c453600c54bad10f3019a643c1bf59d61ce657bc2196e1934d7ea1871480cbe09cfa0a171bc56

C:\Users\Admin\AppData\Local\Temp\vykYUYQk.bat

MD5 ece96e0b0a031293726c504cb3990a40
SHA1 357d11fe634e2ea5e2ddca5d33dee4f5de0d8188
SHA256 b53402ad31d60f0c4d434bc178c16739b74492a890156e2959bddbf3ba4c952e
SHA512 107da89e31f7e4c405a6dd87514473fa41d4bedf3c67046492c2f9325ab67e424ff2f45c2552560cb49385255f7d80c6fe40502968d1ab9f60a809299ac7e108

C:\Users\Admin\AppData\Local\Temp\QuAUEwQc.bat

MD5 533128a912f53d077fa38078fae63248
SHA1 45a75e1f4884c72a245dc1c5287ed5fcb01de430
SHA256 1a41a6e652e3fa96e9f01c733c26e62316b54a3348f7158767270aacac6a7730
SHA512 5eec3a9999cea6988593c8f561d571a78e27ba0b99c63aeebbaf392f47fede56a8a0a920275b472886e6462c9a8c3174c686d03e1deb94dd24700c0a1e69acc9

C:\Users\Admin\AppData\Local\Temp\EIIEcIkQ.bat

MD5 6255d36f83d091fcba88ab7cabc905a9
SHA1 9655050062ebad57688d241868a33f7f70a189d8
SHA256 f73def85dd788c4618e2316c71096e6db03ae58dbc6c0e9c2a49058c1ce50b23
SHA512 e23ce8cbc9e86c5c7034e99cf656433b61b57a3ed6cae99dfa1cc778d115bd4e597c2497c8cbb9e42fb1c5df0ca0e50a5e064a3617af07cfc1434e3318d3a00a

C:\Users\Admin\AppData\Local\Temp\kmAAgEYc.bat

MD5 02614a1ad71441b253f5772084444223
SHA1 8fc9ac5777ece233042431f9c7c6a6c2c880e8cb
SHA256 0b7ce75a4a5cad1305b7ec508e1dd6395a944021ff6458620a478ed823c959c5
SHA512 4e4c077b9ba07457eff2e2dca9b553974361a466331025f38aa5201f3fb086859c57ff742e585cf87fc13ef2f3073073cbe148e0ae7f6048be958f1573975ddf

C:\Users\Admin\AppData\Local\Temp\IawQgwII.bat

MD5 673b15c6427ae3e6f454b01e45b9e4ee
SHA1 5bac5fdf91a749bb6d55f8686dcecce5bcb752c1
SHA256 b1364caa04d98ebb8fae89d2df0a1b3b9daf22ccc71095dfd631bc6597bf0bc1
SHA512 89ad34005a6d169fc86a6a3112588bf22d74f8cc56377b2a4c7164d9c2e790ed10a8c9f8a39a3d3786e0ebc294f89bb11883ddeea082da5182278621323031f5

C:\Users\Admin\AppData\Local\Temp\TkUUgEAQ.bat

MD5 f6d46d20a85e41ef3c789567edc466b0
SHA1 83265d49b4dd87e0edd24f330c425baa6c90cc96
SHA256 319c64e87a154a63d1f79f2523f179f97c690f00fd1f52d2c164b3bcb3aae549
SHA512 88d787bd70867e3522e55a2dbc2b447459f1aaed90e081917291aaaa5adc0da739774b79780e3404d09e0db67832f45dc818edd8ae29e1857dafbac2eabb0903

C:\Users\Admin\AppData\Local\Temp\dQIEokoQ.bat

MD5 7d3c847a2941b349f5cbb1dab55bf02e
SHA1 a0c6afb18039c964ec3ae0d45be13cdf2b1a4031
SHA256 20f49b6de49fc94f5c2ff5e0be9c721d593e552cb88c29366cc455e337b02d8f
SHA512 0aefe604783371719d1adb320b5be8b897db16a2911e7e7c253590cdca768e92db697737b445fe558f98524bae1683ad78547cca0b461effe47a9423b8f51f85

C:\Users\Admin\AppData\Local\Temp\FQUQAsMQ.bat

MD5 16fe5338df4e003c31b6607649a67909
SHA1 409050f2ab57911455fc0dc583dd3eee187c23b4
SHA256 c0983f404a4b3a1113755684bdb12992e19665e437db72b2b4c301d257595438
SHA512 e7dff56cc9b47bc5452ee1c0cf49164c8c44331507beac296e1a3c2240b7863aea34c03443ccecc6064e049be370e0ad1bfb0c11a7de614a0a4628e17173a48d

C:\Users\Admin\AppData\Local\Temp\hcQkQgYQ.bat

MD5 3fd91e71a6f5461501f882399f0d4246
SHA1 4577b8487eb4b5560ab391063184db2b341288af
SHA256 cad3db5348a5edb95fd553a77ace21d046f134e6d1e6be47892a80d056797d41
SHA512 a8d6acf49c88c74f818520a51ebfecb493e8ed78eabcc776534974b13767600fd5e24f89c44e800978b27d19df4bf004e5b35d9c11f613c1a8bb3470a1b168e7

C:\Users\Admin\AppData\Local\Temp\jYcEIUYQ.bat

MD5 a34f4bde3324e911f363f4d04e2d3d33
SHA1 c36f800a2516b8c72b5e28ea43a66db595c27691
SHA256 d832927be29ef4a0e72ead53a072768c876ffbfe97efe64344044f6f0d00f73e
SHA512 5cca2323231753df8188db19a5f7d73b680e398745bfe618e9bc43c8824952ceb8e43525a7fdc92cef525e1ceee307c41262e1a6cc7117fe19f1ae5be140d351

C:\Users\Admin\AppData\Local\Temp\qoAoggUs.bat

MD5 0f4778651a377a59f7adbc2bdf8d9a1d
SHA1 525cd78053fb4a615b6518231216d73e951c6249
SHA256 6aab257b622175618222150c487c289da936206b4720a86ce87f691ce4ad3d14
SHA512 d17931adc8fa8bd09eb8548f771e064a2c2fab6b577f1a8117868e0b7614fe3da7b6ef799ea180adabf00a265d627effb32607995c6afef76d34c3f48c97af07

C:\Users\Admin\AppData\Local\Temp\MOsoUsEY.bat

MD5 b0dd93688b36979a13a10ac0f009279d
SHA1 f3846552ca977f03d30b8329023f363c4682b1ab
SHA256 9eb84508f11aba615a29a252f8b967b0bcb0248e0450520194f779d840de7659
SHA512 235cf3834f51f03178bed8354212b0243c6bad03306991909e2acf440c62ec29b6aef704d62b003b1781b8b46c58b64233c172ff8bcfdfa242fe916ec530de49

C:\Users\Admin\AppData\Local\Temp\yOAMAMkU.bat

MD5 9cf4759b2091a7d519bc3a953843a928
SHA1 16539526b731e89d0a3463e3ebde3d5dbf75e285
SHA256 d3e03194b780c6a7a60288285dea18e41d72ad4369eb00cec1f511831da85986
SHA512 0112e9912e06432e9c798e8fd44da0c32deaf8e458b1905584ed9c99448ec8d91d777434065b4cac98b7b15857d30bdf728028f601ed1f824d5dd47bc9852f9a

C:\Users\Admin\AppData\Local\Temp\eUwYoowM.bat

MD5 ee3c7d685f8c7fd8239e4d8913e8b49a
SHA1 992b864f6b03924a47d8a46c982dc2c0d61c3408
SHA256 bc857e729c00282c19ca6d3dc634a6c532ca35d81a62e20ca429f9374850dd16
SHA512 b9c8ca953c9e8b1076f3c4dda820b237fd7dd2a9fd1110a8b3979ec86d925fc536cbf92f0715487e9b3362b8b1890b6dfea0b3fb103a912a9c30d3dd785e3813

C:\Users\Admin\AppData\Local\Temp\VIIAMIoY.bat

MD5 c0e61e8b5b81ad650442467b62751b01
SHA1 3ff529df558dc0aa37e4115a790500ac526ebbd2
SHA256 155f65b627946fc26eecb2ce35733e2b9b84adf8ababfe02e529bc9667ff43d5
SHA512 fe97c0afb198d8a5150439bd8baf9bc0bcb7a1ae31512badaa3b09852cfca11f61e7d3ff2fa52e9236dc9df759361773af1e1e1105e2bf452d98372887a2e84e

C:\Users\Admin\AppData\Local\Temp\JQgwYokQ.bat

MD5 9f12a2c28003687f3a3e4be49b996269
SHA1 051075b71eedddd18ccd3edbd874079522e75b88
SHA256 7ed427968041dbb97e28b867ab39dd5f5873172fac6d61f34466e30f9f46e6a6
SHA512 1bb334774142d8f35546635f757098211096022f660a897f6c5f13fe549e851f93135cdd7aab070f88f5149c927575383343deaf98894242c917f2e2789a78f5

C:\Users\Admin\AppData\Local\Temp\ByIMgYkw.bat

MD5 ce74df1a65999c051a8e5d565f72b349
SHA1 c2090f4c07384e0da077f18c73280ae4bf0b5237
SHA256 18f561cb60208c929904b3d065692b401b16b9574db0702a8edf950098180416
SHA512 736c3174bb7a87abca5e57e6556fd4d63c08da945aee35e9020f74a4435815383e92171ec2eb0df0ca8cc1c83824ab176f9eae4c010ff650d5246bbbe27260a5

C:\Users\Admin\AppData\Local\Temp\JmcYAEUU.bat

MD5 7ddfe0c0669f230206fb44cee8107e4f
SHA1 d7673d7c0f8290b4d1f2947dbb5c5caac071c293
SHA256 f2bad7b4f8206d89bc6ab097f723312f8ebcaea53542587d090b725d632483e5
SHA512 de06b505731456cb84dcb194f63c670ddae0ca4fbedf8859725ffc7f98a0fc0e93b59140ec7aa042b4b4ae24415d9a482f5f12ae3069e747ad379fe4e85ce061

C:\Users\Admin\AppData\Local\Temp\LokcIkQQ.bat

MD5 b92f86d0de62dd7d3c71798eed6dbd45
SHA1 eb32a48abc05f3183432edbd084b6c35be7acdc0
SHA256 f41247483a7c9cc4d7d229279dfb1b15500a0d6917603833db92223ff1b2d01c
SHA512 838e170ab7bca0a4924d0fe211c6d9db063a6f2906068a39402973e4b850062c2b8a577dbc6a6fcb85f78acfd98cae1dd24540b0d44a2b433235dea1317725f2

C:\Users\Admin\AppData\Local\Temp\SeMkgksg.bat

MD5 23ebb2705a9bdca0462b54531cad48ae
SHA1 48719048a61ff119f05640591ac2c02d407facde
SHA256 5e1d4f8a0082b2fd1ed95b6b94d4b83e6694285ca84e808a0cfc5892b65351a1
SHA512 4a123033843c2f5f61239690a5523aeb2c79e99bdea2f99bdf1c8ea5d4ba68bf534c81d7d62ab104fc1d5edfc0143c5f23498f97c8573e37392a9a11b4c6732f

C:\Users\Admin\AppData\Local\Temp\YWsUMoow.bat

MD5 c3dec9d1f52b61eeaa92761cc28bc9eb
SHA1 82dcb476e83c6a335ce4bf865cbb083d66d9da82
SHA256 1a8407ad3c87ab453812952a03f2338934b425160cf36a7051a63f334c2919de
SHA512 30451eddc6bc610603c4fd51abe1e60cb3b3e862d4dcf5d48cc77f3ed4ec83858e78642bbb40833f613e2e88c6319865ac7a15cc90a8207a287b513bb6c31267

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 00:45

Reported

2024-10-26 00:47

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (77) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\ProgramData\UsMEMkgo\KWgYYckw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoAYYww.exe = "C:\\Users\\Admin\\nWIcMoMM\\teoAYYww.exe" C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KWgYYckw.exe = "C:\\ProgramData\\UsMEMkgo\\KWgYYckw.exe" C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoAYYww.exe = "C:\\Users\\Admin\\nWIcMoMM\\teoAYYww.exe" C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KWgYYckw.exe = "C:\\ProgramData\\UsMEMkgo\\KWgYYckw.exe" C:\ProgramData\UsMEMkgo\KWgYYckw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQAkQcoo.exe = "C:\\Users\\Admin\\YGoswEoY\\eQAkQcoo.exe" C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Veokogws.exe = "C:\\ProgramData\\qIgcssEE\\Veokogws.exe" C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A
N/A N/A C:\Users\Admin\nWIcMoMM\teoAYYww.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Users\Admin\nWIcMoMM\teoAYYww.exe
PID 1988 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Users\Admin\nWIcMoMM\teoAYYww.exe
PID 1988 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Users\Admin\nWIcMoMM\teoAYYww.exe
PID 1988 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\ProgramData\UsMEMkgo\KWgYYckw.exe
PID 1988 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\ProgramData\UsMEMkgo\KWgYYckw.exe
PID 1988 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\ProgramData\UsMEMkgo\KWgYYckw.exe
PID 1988 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2440 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2440 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 1988 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2800 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2800 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1820 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 3920 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 3920 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 3920 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 1820 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4792 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4792 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2796 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 4148 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 4148 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe
PID 2796 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

"C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe"

C:\Users\Admin\nWIcMoMM\teoAYYww.exe

"C:\Users\Admin\nWIcMoMM\teoAYYww.exe"

C:\ProgramData\UsMEMkgo\KWgYYckw.exe

"C:\ProgramData\UsMEMkgo\KWgYYckw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyIoEoIg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOsUcUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCQIsAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faogoAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyUscgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcEoIEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoYgIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyocQUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGQwsUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsUwEEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUgwAoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rukIIkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqgMcMkw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jucccAww.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgscUMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gggEIsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iysQkQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoIwcUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMEoQsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAsowsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQMwssAM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsUYMAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMwgQokc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYscQMMw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMYUUIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auAIEEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACsMUAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWYoocYk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYcwgggM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKIMsAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGksUoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogEQkIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCEYAokM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgsMAQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgYQgswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIcwYUQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceAIYkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISIwYkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csQkIAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uewksEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSkUAkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYEkcsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYEYcYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWAwsQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAgQAQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEAUkEMw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMIcckQg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQYwoUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xicoUwUI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bygQEEok.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xusMkoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGAwkwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIMMMYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaswMYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYsUUsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\YGoswEoY\eQAkQcoo.exe

"C:\Users\Admin\YGoswEoY\eQAkQcoo.exe"

C:\ProgramData\qIgcssEE\Veokogws.exe

"C:\ProgramData\qIgcssEE\Veokogws.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4372 -ip 4372

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4052 -ip 4052

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmwAYMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGYswwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEgIMcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcUsAokY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEoYoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaYoswIM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMowsggs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYsAgwYA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEAEwwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqUcgswE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEEgkYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaEEMMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwwQcQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEcoEoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIwAgwIk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psEgYkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMcMoQgE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGUAEgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWMEcQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOwUgksk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMgQAAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAUYAMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZocsMwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueEEwEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEsUgwYc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIgYEYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faMwoccs.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkokIsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoYkgcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lusIcQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceEgsAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYkYswsM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsQIwAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XicswMsU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOIMcYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUEcsoQw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqkUUwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsIAEccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkAAIwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZakkwQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGgoIMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viooYwoc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsQEIAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkgEAEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEMggsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv iJMzznUMmEynQAb10pZU4w.0.2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIsQMYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuQMYcsU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeQQMYQA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUUkMgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUkwgoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqYQsgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuEocwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOIIYwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tewgIUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JckosAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQokwMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqAgAEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYQwocwY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekkkEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgEEYYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIggEQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmMQIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyIwwMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQcIEYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naEUYEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCcwUUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqgIQEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QusossEo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OagAQEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceMoEEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWEMgogo.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PScgYokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGEEMoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taYggoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyAQcIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COUYwwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOUAosgY.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiUUQYos.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqgUoccI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYIMUgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiIEEQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N.exe

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/1988-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\nWIcMoMM\teoAYYww.exe

MD5 dd1656eeb474abc1dcc6aac4a8431fb5
SHA1 8ec7ec7c886890d8b6bf00ec45742d41b577cf49
SHA256 924f5094c51268d96d10e27aaa61f5db4bbc3791afa05938136892c43d64905e
SHA512 49b20d1b0633ba3ab5c53b07747b28a6ca46d18b5d40f130cf6be2da17a592a4b096ae6841b5de1da1da2d0d3b79e4a1fcf8ad57d8b8816cafd6087cdfd6d744

C:\ProgramData\UsMEMkgo\KWgYYckw.exe

MD5 91a02b9e7f4412e539d6b2c397292808
SHA1 0aa7aa7fd1d3edbe2bec08bd64784dbf915a35e3
SHA256 93aec845bf8c02f467792fcc45c0149474339f876e45272447784c57b7421029
SHA512 db190f256616ec9262f0b17d7675c13dc0e2db06cb6206f25c65ff7f924a84bca2cad3b1a8e458b0935d74d38990288939a72f5b862769fe3e93e29f2ee3228f

memory/1624-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2636-8-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1988-19-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vyIoEoIg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2451f9d4132d0a7bf4861b3f3578e59ea737f0905884f1701b549b2268b317e2N

MD5 598ea3255fb276209072332552903ed8
SHA1 ccd234d34d488634569a4064a65d643e070e80ed
SHA256 fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550
SHA512 3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2

memory/1820-32-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2796-43-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4060-55-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4516-67-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2012-78-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3196-89-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3416-102-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4764-113-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1864-124-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4320-135-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1960-145-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4588-149-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1960-160-0x0000000000400000-0x0000000000435000-memory.dmp

memory/632-171-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3712-182-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1596-194-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4908-206-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5000-217-0x0000000000400000-0x0000000000435000-memory.dmp

memory/264-228-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\UsMEMkgo\KWgYYckw.inf

MD5 76056ded7b9af86d6ab5d9166f775958
SHA1 daaa98c0b35bfa7c20dcf59f6fe2051a6377ecb1
SHA256 dbe5e0f7d8a6cafe5dacb2d22dff70becb9742b8b0f40fe36264e29968afc15d
SHA512 8ce66101e7cc123e0d2e515947c8f7b1e9335976df8c1926b7e5791fcfb59d549ca8a4d09f87ca2722ba3876feaf5c0d81194352541c5629befd6878b5fd4a65

memory/4048-243-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3144-252-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3552-260-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2264-268-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1188-278-0x0000000000400000-0x0000000000435000-memory.dmp

memory/916-286-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1188-287-0x0000000000400000-0x0000000000435000-memory.dmp

memory/916-295-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3692-303-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3328-313-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3756-321-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3464-329-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2704-339-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1756-347-0x0000000000400000-0x0000000000435000-memory.dmp

memory/692-355-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1616-356-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1616-366-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1580-374-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3144-382-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4828-392-0x0000000000400000-0x0000000000435000-memory.dmp

memory/32-393-0x0000000000400000-0x0000000000435000-memory.dmp

memory/32-401-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3116-402-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3116-410-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4456-418-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1200-428-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4672-436-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2936-444-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1168-454-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1200-462-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3600-470-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1484-478-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2324-488-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4144-496-0x0000000000400000-0x0000000000435000-memory.dmp

memory/616-504-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2920-514-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3500-516-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3500-523-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1536-525-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1536-532-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1484-542-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2872-550-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4372-552-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4052-553-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2248-554-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2156-562-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4372-563-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4052-565-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4688-574-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3144-582-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1496-590-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2440-595-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4336-599-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2440-609-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2908-617-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5080-625-0x0000000000400000-0x0000000000435000-memory.dmp

memory/916-635-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2932-644-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1032-643-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2932-652-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5044-653-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5044-661-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IoEE.exe

MD5 20eadcd32851654336150ed3fde257be
SHA1 935c02c9075f5d225e8764e1be3aa50b73ea7ac8
SHA256 a62d3fb35453e21dd72533a65e6b128ab7f17640e1f0280a4f721d9d25ddf973
SHA512 f4eb6f210d636734f68e6c2ed30bb0e14ccb440e6ef39a000c8cf4ec9ae9a045d78f713dd7ba55e64d40b127aca429a8f6bd07a14033601b2d34daf18d1d867c

memory/4764-683-0x0000000000400000-0x0000000000435000-memory.dmp

memory/244-687-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yQAa.exe

MD5 a62fb701762b1885deba6d6a0ab76eaf
SHA1 d98c1b4a2033dde9659ff7d2cfefc0eefd5dd53b
SHA256 980da8592caa42530caf8388d31b6a208e1ff80c5f4a11ba0657c1ecfdfa2d35
SHA512 e606432e8caa47b391538614045da3ad4be6631fbebcbef003eba624fd9ed63d5a597752b20a9e1d65bbfac2de766ba6cc046e225a716527faed58c560428b26

C:\Users\Admin\AppData\Local\Temp\WsEK.exe

MD5 6f6d30bf76dd7525b585648c2537d017
SHA1 7f65d0865137808d22d962b71f9e73acbc1b20b6
SHA256 ec3d8ed1637d3d860d01b0e190876024fb1ab85bf2b2aa23eed2b8d62221321c
SHA512 9d4743bf3ddade7a271a5e98a1cfaf82ea26b5065d647d076eb8ed021faf46dc00495dd400290f9c4db457c9380c22e4c0536f62ba849fe9c279004235dc2122

C:\Users\Admin\AppData\Local\Temp\YkEc.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\Ikkg.exe

MD5 36384f75d512556a1f110f17357c76da
SHA1 c70d8ce7ddeb2ea84b708765a086b225f623f805
SHA256 8eab6f88c6f052bf7225588b83eda071128737429b7ebdb45e218f72047dfaac
SHA512 aaa810ed12c9b7c0eeab67b02807f593a486d8be9812058d3e7d3ea3ffcc82b23f8faf94620eacb71ac86e60653d14b46ec033b1b42ff4732dba0418f877ece8

C:\Users\Admin\AppData\Local\Temp\wAcC.exe

MD5 eef41e01265f06d6bc9fc376e66cf4e6
SHA1 f327df29fec45ef54bb5f37bcd0b20695ed622d1
SHA256 f42ba583274f8d42f929dd9f4ebb325927c92f592faa13845dff7ddf64c12df1
SHA512 5ef552a84402b0cd24ced474156553629f3f68ac5b5a80d19d533995ce5b7dc915a693fd9c7fd6abb2e67d19e8da755c68f84d570d5759eeb7b73f1ff263b608

C:\Users\Admin\AppData\Local\Temp\mAEY.exe

MD5 b205570f0ffa8afb3fc00a4650c8cc62
SHA1 765f839a42d956c84374ffdb4783216fd3860b5a
SHA256 1cfcb670ff7adaad67a4e9170f92592462ef0f38ebcb20d36f79290efd4d2b05
SHA512 f91f03812f48c6364b1f0c602bd0176fae47ea8168661f64d566358e98ee723223a9b06e5dc0a9130787760273a2c0754233d8ea2804318b478a2a3e02d8540c

memory/4764-752-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4852-780-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qckU.exe

MD5 947170c08d191701e07e687eb401dcee
SHA1 bb440c9c43f1d190ec54aeee4c5c316c02a1d6bf
SHA256 7f523984f1c9394af91ec2404dd2574f314cfc8e4d7e633253297f1704e69498
SHA512 af825878bcbc7e7452fc11f2d3c3409c0e724179504b09c1e5f1eb23ca8e1b1cfdee7a089b3d8baebc4e6008a3570bc2562c56391626fdf9b8265ea8376940c7

C:\Users\Admin\AppData\Local\Temp\aAgC.exe

MD5 c2676e6fd538de372616d0e32da94ae8
SHA1 cd9025c30d7ad49fdd23af0db7ab141a454cc9d6
SHA256 70583457febe99c16e68f2881edffe783fc983b773110924f52612f0c9b80bca
SHA512 b707ffe3a7a4c66d01cd32d4b1da56ac6408dc81a00299c29c84d651e9d82d49bdfd2891015aa2691934d1647be37eebcd8c4468f1a9423809435dac3ccf0870

C:\Users\Admin\AppData\Local\Temp\IQEc.exe

MD5 f4ff9fa871ff3689bcfc258a17b60781
SHA1 ad0035db3130a40d985f2fa2ff7aa1085432ce5c
SHA256 4a7bef56e16271fc0c1304d092c16c123801a8f3b2edb48696cb54ad12740bfd
SHA512 b3ce89fec6bb866309bf1def89e26c0dbb00bf0206ed7401a2dd6680be493b43c38a74a1b3c019157c841e5987f30b496a3a00ea16e17d183dfb97a4ae7e1339

memory/4852-816-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwkK.exe

MD5 bbd339d88e423920501b998703cb3724
SHA1 2ad89850e4197e72321f9e278883bed054715f78
SHA256 b13c59d26aa361ac6f5caaa470a489fc3b4af8aa06ed5d96ed0b02b636c2c36a
SHA512 59b0acd207726eac873df0e4c10adf4f8617347b82ef8746721a883c084d7ef16c3c2a64f7fd15376f32cf0df5c08e6b098ded7aad7c4ec04988833cedbb610c

C:\Users\Admin\AppData\Local\Temp\soAA.exe

MD5 643efe8a896af5a257133156391598dd
SHA1 5fe3be483d6ada7ecaa49ae477ea21aa8dc76a56
SHA256 61fd0837be01b9e424979677365eb1aa0dbf8059ad3123db2feda996ba74f3eb
SHA512 61f7f94ee772f5b8f92269c401540035e34d375ea812ab2010258d5611506e1be15b8f6baf4b6dab0199847ff02381d2849bfe4bd4147e819a62fb774e1398ba

C:\Users\Admin\AppData\Local\Temp\QcgI.exe

MD5 319ea548b3af195e0c1aaf0a73a3b0e3
SHA1 92ae3f48976361d1259a9d39f1b9f37c8ba77e23
SHA256 74be5167d68ee187824a68fd3dc2180d6814d6e3f485ecaf70ed83093e472a31
SHA512 2e4c42eb46259cfce962aa851b41ec117ad2cc484b895f41dd9a5b3987ccf12e6a63a711a4ed86695e7669fdbf67edfe0ce2fc7b8ee74675eee8de02d6f0d3a3

memory/512-868-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SMAe.exe

MD5 3e7adec5f95b57ec6c89ec05ccf9e023
SHA1 b7c5f6bc5667b5872cf96c1ec3db12a8c735350f
SHA256 3247e55fa0364c9d6039c6d45c7c4518a0d194e95fdc76a245e3941efe4669e6
SHA512 f99f8ebdbeccf58e710ebcfca634ebfe4f66fc76b69592c3c3b32b6c78ec11a854aafc5d9679cded6f209a0f57cad9571db29af341771c588d3713cdf894d471

C:\Users\Admin\AppData\Local\Temp\OEgS.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\QIkk.exe

MD5 1d6239e8e7fd7e4cf31436ea8f7b930f
SHA1 053a61c8cfff5534511abdf2c02ea5713c721d27
SHA256 17419fcc2c3fd5359fbbe74cccad31442b3284d6532af2e6e6a0d845632cf222
SHA512 4afe2e8fbfa96f65a24a6dd3e4e176bd05fc7e5df9abc47948044c802c542341f1fa65e335aea54f7c19b93ea7bfeb914e9fee315ca0732d7656b555841ec340

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 8e3e13aad76739df8bba94549a13b408
SHA1 022f6fcb9a0e3fa888181134bc9285506a3ca5dc
SHA256 062028b8529bdf559bd59d90c96b9c729e462ade15a6f907ea6037a3c6fd856c
SHA512 0a969dca81ab0ebafbd00fa43b300c5225af754b9ce782b99dd2b71e61f36d0f1244324cde2cc8ebbc96739fb385d9d65bd407e3d93c19a662ad8e256529e1b8

C:\Users\Admin\AppData\Local\Temp\uUQG.exe

MD5 85c4d7077f6f0c9b74c41def7684125b
SHA1 1d6dec888c2e3a8c75ec4c6076d1de1bb7bef299
SHA256 1f8530d303379baa93ccca59d090509dde8824c3961e2b6c963c917100b0cf4a
SHA512 9a5f4b728cf0dd7eb56cbd01539724df10a8934e8004bae4f26da8b5c3573e65a3ddffd17bcaa3d0e16ce9c7bb55f3a4bc56f68d9b8fa650165f0c0d45e41107

memory/2240-932-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WIky.exe

MD5 9c40325f447de1f0449f7d48fe0f8d40
SHA1 e31f44bffc415ac6d6b4fcbf84a4db93eb1484dd
SHA256 7d1acb61f990e414fe5868c2f2963465c1fd594444aa19dc1e51d655a3adca50
SHA512 7de48c533cedfc6fa72106c74f62fff7b183cd34e14656c2fc8303246f204834f6ca0a73ad826dc99a6df1fcb175b967fcbdf36b87a1b981985356f494c2606c

C:\Users\Admin\AppData\Local\Temp\Cogw.exe

MD5 89dc4de17200ee64d5000b95f27c3e41
SHA1 ea10a2f261cc1ce7b34dc80aa7265551932f8a2b
SHA256 aa74e1ce122eca1fffdfae09ab085788a4f7ce3c1ec00f05117129022fb6dbf5
SHA512 ee9916739b3dc98b9dfd061776c5edd603b945485fc405e7825f00f5393d37d00f4a9208bc448a4f519ec584eb56a552e7cd364f0a24116e810e62b6e2cd7c87

C:\Users\Admin\AppData\Local\Temp\IoIQ.exe

MD5 7474c070fadea452be1942d9ae4759a5
SHA1 01a3dc04be4c931d922d01c5f24f9384ba9f3697
SHA256 8a11cb436aa4ab932f5bb2dde5043be7efcd9133739873e245bce8ef09e3509e
SHA512 ba49aa634ea3facd97756a9b40c6d7d2f7383dfbe4a4612b78c08c3e0f30307a75d1f1b036a3f7e540b12868a03deb5d935f56e16ee7f2e84396ee94ab70e40e

memory/3416-982-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KgcW.exe

MD5 4cb4cc7e775a27d3b13d9145d0979dc8
SHA1 301f053bbee62b9aca8d5dace24f0dde16499b91
SHA256 e7ed37aca30965e061dca2e21a350b78496fcc7b73429f70c02e74c854704780
SHA512 8586861b45e41b5d5be93ecd5737cce67edef2213ce8724cf1bf1851d741318f9926dba49241724bb3b1d3ce7bb46f5f657b4a553e43497121b95ff92fd26d36

C:\Users\Admin\AppData\Local\Temp\EwsI.exe

MD5 d986ac02e0bd600f24397eed094d8c57
SHA1 abb09eb1747d36804016ed460168a29b291488cf
SHA256 e2e056d309122fa9fe3a45981e97d336b130b0e7ff57c4d1e130b8d01a021384
SHA512 0af108925ba332b704d6a90bcc0a9669e63092a1c357f043e11940b6280c5dedd0a6a7ad225e0ed3e4bf5e2abbf935cd70643a6c7fb55d7f67d2eae49f21ab92

memory/3712-1018-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3884-1028-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2796-1029-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gwcm.exe

MD5 a529528e6e412fe41aa9e4a97fe89ae3
SHA1 09680e78882d1233a465b67d268ec70e9b116050
SHA256 115dedfda81f762ed285cd0c654af51c15af3451269c32c57c9f47eee3f910f9
SHA512 6f0384a9e0e97da7a844b3f5bb6ea9f222acf9115b97dd79125526507067ba8c8d23fc92202ff5eddfa9663720b11f0730b8feb9e3e38fc316ccd3ce22c93c40

C:\Users\Admin\AppData\Local\Temp\Ksou.exe

MD5 8867c62125f61a356c53d30bcd7ec407
SHA1 92dfb50dbd8d066f0290275fa39e611ff3d3970b
SHA256 29808ca576c06949915f8a7196e9acd59727b5b141bf248b7f1dcc5c6eabf348
SHA512 e6e792c70fb816117b778bd5cf85cf561934e1c5df7df8ae365b351a6db09ca63447fbaafb81fa1107474c5081f68aff4a9e0f572ff1fd53b3842ce04338d96c

C:\Users\Admin\AppData\Local\Temp\KEQo.exe

MD5 8086b1e4b5880058a688cca6e89196bd
SHA1 0eb2d98dd9ff234a663634e6d93c98998d7126f1
SHA256 54282668a28bd8787c1b81a987e9e8b552bc957d1fd12fdb15b00cbf20347056
SHA512 e6e7b7cdaa7324510b9d2a676b57515ddb3533825f298464908379caadeaf9ed637e83b51a0070c4662d0dd5cd98d58197c314cb03710320c9e3ae62dd6e57cd

C:\Users\Admin\AppData\Local\Temp\UwcK.exe

MD5 9a1739f5c363d75d5096c08d044111ad
SHA1 4c9709d9f13a5964022374b260f637e12a1dfe0f
SHA256 ad33c8e61fc1e064f769e825c02cf3614f73b6350adbd5e5e35784d28710d337
SHA512 dd68dfbfd0fdf788cc732bd77ca3c1d73ff5c5927bddfdccc3a813bb141c47bb595e5a41c54c43f30a0f581ef198d49d627f3b145980c40cd2579c4495ff346f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 0c791aad33607fb49914d29924f05f37
SHA1 edba7c903e234593ee843e6652755eede5707741
SHA256 c965b433185411478f32d252e0cc1f599dd55eb9f565cc48c2eb9e0f1cade576
SHA512 be6b716b4c9fabd19f935c2869bebcdb950f2b404e649e126c6d05fedbf55f2c70dc7509deed4111897c0cce6b187ddfcf9338bedd0ca5108e6f0395a3d5b89e

C:\Users\Admin\AppData\Local\Temp\QEYk.exe

MD5 fcbdb0b71c6f27027d3ed5f338aa8415
SHA1 58e1e9d739dd5951cea8e12b2cce0d32b34c6014
SHA256 e4d9dfd15c88f99600e1b3e463f02ae66462c8a06998e693288bde175b7b0e4a
SHA512 b4aaf8c141eb2144498d5066771927a7e84c90ec5702513128eec5515c3b97744cef96b49257273aa4c1029595673b925b068aef578cdb42829d6b82880267c7

C:\Users\Admin\AppData\Local\Temp\esQW.exe

MD5 86cacc2e456655e7200d6f3de5a4c473
SHA1 22618ebec48a665e78a7f4f718c75d1913870d0f
SHA256 3d0546d72032ec6c119283bb99fcc0c0734c22bf5b18817db820d5478d07ccb8
SHA512 e79fbdadec716f9fbf440e032926c8d0c52ed004aad16b5d2a56abc8114c3f52689cc69df299a3490680cde132013df83d38829b3488ea8ba7f7563ff9ae3fd7

C:\Users\Admin\AppData\Local\Temp\kQcg.exe

MD5 a04532c8bd109ef6374f98f85e1f2373
SHA1 0b32de089adee16b8776fdb74ed22ea250359fba
SHA256 5f3bd71f7f22c719e9f239bd17da0d2a669da2dd3ccd5140fd8885c2ad3d63c1
SHA512 cecb218ae10794deabd3725b761fc09056fc8e3d1073c8aad0e664d91bb6057e3bf96d1594a03bec6b7db6ef15ed2228709ef6f80e48edc83e4d2460841cc557

C:\Users\Admin\AppData\Local\Temp\sAsg.exe

MD5 99c0ebe61e3c5c0150b2c64865571607
SHA1 efaa4ddcba6076f16c81e78934599b0a1195bf1b
SHA256 519788db73747ee7c27bec3ced782666ad2b85bc0628c6364caa0d03d60d4897
SHA512 938ff73fb40c426b5601a0d1722a44c9bb2b9d7b4aa085444f6a2af4fa470835e8cb0b7be5f841dcf46e9a588b58e06c0d085edef5229e64f360216902556984

C:\Users\Admin\AppData\Local\Temp\ysIk.exe

MD5 707301b2dc441207f0d0ebed518cfdbb
SHA1 7a00cf727c00b14caad62706f974e20ca6516b15
SHA256 135cd20b1dde621ba80430491d0cd88726c3b87524c36491d813121d23da5709
SHA512 c9f66a4efa7e3d0f08e5a0ec23aa079e9e3d77f145a697db9b87060846cbfbd96b4ac9d66664850c533ec5c8bc4bdab11b0b20a4784979bcc821cbbf31ccdca5

C:\Users\Admin\AppData\Local\Temp\IoQU.exe

MD5 2c3b8edee24b4694602d80b6365ab9fb
SHA1 1ebbd251410f08130f22e6a4121b62fca87fc3ff
SHA256 6de393a8fcbd19c0d0b4c3c33718e81df69ba6a1b90b22b4b56ef8cc12c8cb3f
SHA512 004ed6cbd44ca66ed6bcb16a6a5c1c5f74c74ff46601489de2c4c3ae87c26eeafc8fff535ec59c79da9a605ef944fb104dfa4657b36a070c74b00e9ed1aa7340

C:\Users\Admin\AppData\Local\Temp\mkwm.exe

MD5 c6b5ec9a6c89ba4e74a45c06e440eb09
SHA1 03538a7d577ed390ad9b76f6e44c39fbdf75a3a6
SHA256 21205e73d64ec72d113a93bf08ffc970e7bacd17ee8e8b7ba2587fa2452b9a18
SHA512 dd4c09b623339715002d2d39168976f6e37d0b1c8bec4899a0fedf9271eb417d7a2bf07b34e58cadfd1158c13468e90a69c381ade8de78dacfb626516136ee38

C:\Users\Admin\AppData\Local\Temp\WwoA.exe

MD5 36f9da4af6b706501bdccbf84908e3c5
SHA1 1497da555fff27d07fd3dfe2679c1309eaa5093a
SHA256 6696f60fc16e1a95d7bea55347c5b4272df4aa39405f94a042177ae254096ce9
SHA512 a0cef52dc53e92823ef5669dc2d5f00860303089aec0b6879713f56b302285299f8672728613995cbc6781225306df3f5bb712d94927d67d3bbbfb6dfe83ae92

C:\Users\Admin\AppData\Local\Temp\wUgk.exe

MD5 fec337272c251ccfa569c2c269a0ef9a
SHA1 510af1d137b1ceb06a5622b91adffe1d6fd1f12e
SHA256 1b26c3f458a4da9f5ada1d0bf81a12ba40d649ba0c4e6798fc2cad8a5471cc9c
SHA512 49b14b2086c1adca9092aa8fb2c496a75c03d072c3fac48d21a2f9e72508a1126be9dad4ea06b9e8f2b4b27ec65d7b0448b17bcf42beccab96dda9d81e776680

C:\Users\Admin\AppData\Local\Temp\wIIQ.exe

MD5 58d92aa9c5b1ea158652882a4bfc714a
SHA1 0f97c59450042b88f3fcc672261946322871e083
SHA256 5d87f4018305798f9edda43cbed8f1a75dba2dd78ccc179c211a8bacea028854
SHA512 401f0602938f1746c5098fd158dc552b54a129b157914d41f0cb61d9883499c0768525a740693f22c522589606065195fd29de404c6bc060adb792441b529cb3

C:\Users\Admin\AppData\Local\Temp\ucAA.exe

MD5 3aa1a501f5991e60514c87e23e6c83ac
SHA1 a8e4a4b0cffe3903da863d10c244090066d00f3c
SHA256 19e94a25a1d28a3464217df1c40c818f795783c75386365827824f06bf9d8ee0
SHA512 78552e290899626e1f9676cbb4eb77a8adb4a8bb13a65eab5819616aece303f17c12aef3a049677ac29a0fbb53b3db4018b034fc632da89d5667a377cd647f13

C:\Users\Admin\AppData\Local\Temp\IAYa.exe

MD5 54dfed7f4f9cabfc19cb55c0d1d1e30f
SHA1 36e09cf8f0f12b622012c31055c1b917a0c371ae
SHA256 1cd8d6e3d87bf4373f7620c4731abcc40039a152275cf32438e2d328f7973449
SHA512 f6ab8ad4af4c98bc308c352caaf738acd764bbed5d1bc16314f2b2045c61f4c6883c289a869e770b3ed288efce1f7bdd45dd740faa1cc4940d1f58063c12cab2

C:\Users\Admin\AppData\Local\Temp\SsAK.exe

MD5 f2a2e0cf69aff1143ab4a1aa8db1edda
SHA1 d59a6c935c3fdf1c0f002a8255b37764f466712e
SHA256 0d472c9e0b8db16915ee97fa1922ab3770a0465cff76d48e469ed90344fb86bc
SHA512 1c4a8ab1070c8f394e315c345fdc1a420808a6643d9010f9c0a04a03a1652d254ce46893eb888c1d50dd5ca07bae5e03a7bc804786956332cdbddfad7416a1a0

C:\Users\Admin\AppData\Local\Temp\uwsE.exe

MD5 e5eb798c17033ca1e66cdbbd2e9a88b2
SHA1 3bf41cda767ac5ac18560d22e8878bebf2789d1b
SHA256 c99dc847b7d436e74cb45cceff536e577ef0591dbb34ca561abec97569ca06ee
SHA512 8d6c33ce929431a682cb76daf7fb2b24bc86c17db5a05d62532a34afaff9ee1646480615e846acfd2ae21c19381865b31cbcec767703af37b07bdd43c129330b

C:\Users\Admin\AppData\Local\Temp\yUgQ.exe

MD5 c597278c655b186d3c6a32692f958bd4
SHA1 1719dc4fa3161e360249fec4612c8eef7ad9eded
SHA256 18011b5fa0979de35c8b23b44b24321eee1ee730688f6d7d25909c78e59b3d30
SHA512 784489072004dee70f2b7d3ea396a34b76ea95d5f5ee101b139e1d828de527eade2557be1dce219c5f54853a865082783432482ba9132f20c691297ff2544f65

C:\Users\Admin\AppData\Local\Temp\KIwG.exe

MD5 92068202566ff98e624d223a7458e8fe
SHA1 4f9d45c2775bcf3b9ef9c6e9514ef022f836ca37
SHA256 9743875395a47a0ab9a1016cc94885a18a83783971c9d413bf1d7533460d9633
SHA512 8bc9c7ac3593e863df22f42844658f5013e69ebb5a785110d83bb8a47f01f71bf6b032c3c432626c25765699faa9ed5fb41633bb706385256f206fc50c801726

C:\Users\Admin\AppData\Local\Temp\IIEk.exe

MD5 b87a4df11ca3e2c8a247da7b25f03961
SHA1 c64aac921a7a952b5cb6494f4423bacc8c578b02
SHA256 618c3c4790433712f7644e4bad0e3496d4b744ab1eaf08b81cc7f36eefe0c775
SHA512 9ccea3e3cf94b3ccafeec0b0fd5d399a7d975b458b99b1072ff51fad21bf9999b1a2f78b4a16da2d8dfa1555bcc008e56e843682e245a1086bf7487e1e38e8ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 177ebbe1646021cdf19218c558cce5e8
SHA1 9f87fe506a46a609a5bd0c54d1729e54289d75d7
SHA256 e232c452085fb0daa97192c3683c26fc341910ed6c90e56e12ee28c50b0835d4
SHA512 2c1d6ffac50c37af564261395f1babf6f9c3171267cf8ae2efbb159a7b5a119656b2b757d60b0dfaa861977c0ed06591224ac8c0e1ddbf66641afc1e07596930

C:\Users\Admin\AppData\Local\Temp\kQoE.exe

MD5 4983aa5bfe58d72d811b865d00073d57
SHA1 ea412318f8459a30607d184ee306f458e2189821
SHA256 377793e6e75c3815edc19a8881d9c48fa9f2e2d0c455405feb32a85e6bb0734b
SHA512 247d674a63f82f03582e44e5a0091469d5af6c65d152451c0270e53a98cde68306abdb3e34b12ac7d25b82651af9a82bb2f917b1a664adebd30b8e59044cfdd8

C:\Users\Admin\AppData\Local\Temp\Coco.exe

MD5 34478a754828f0532c7ff4603b40dab4
SHA1 9619245aacb50430e6bc13f18b54b9d0acaa6612
SHA256 fd743acbe653740bb0eaa9948fba3467ca8f3d9bb5443e7bc1caeda12f356344
SHA512 da3aeb9af7a15fee7906588fb775c6394d42eba78e45f0201d7ba7a2981204b64d89b0a39d76d1ecef635a31fe2d7162a8d1f88d43f6e4c10ea53be409cb3c80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 34cc9ea9d17b9e3ac1795dc24243b4ec
SHA1 f3756d7f56b47e287c7357627ece1eb3fa626341
SHA256 3d2bfa5bd757903a866b3422488de8a56169e52dc0e1d8c19f1b034cd64a7dde
SHA512 0f41fab412f12658201adc8d9be01bf9caf6e73cdb8f41fc2f557394e4b933c4b37ef65611d9cb4dc4130b8ba162f8e867d9b54f7856235c031932e82860323c

C:\Users\Admin\AppData\Local\Temp\SAIS.exe

MD5 f8a0161053331a69382972080ad2f4c0
SHA1 344b85550056b6333a722d4c33b84a63366e7d59
SHA256 e78226d799f9b68d100aa7eed3a8857f3909d2e2e95051786201dc1b3c0f0336
SHA512 3158d7d33594c7d9b55a3e612efdc94c82e9b5c978db845a34644b15575de98b352da6f1ebc66b7455157541e08db514e5821283adbcb0f2454ee385593ae804

C:\Users\Admin\AppData\Local\Temp\ckUE.exe

MD5 fc42fc7e60f88b58f9468f8d216838f9
SHA1 827200c943897edc5d4fb44e174d814fe509cb65
SHA256 e60485aae53baca014252b9bffd7d2177c6ff9bfecf4cdf85e644e3bf88e5fbb
SHA512 f3834e86e5324e144a42419abad8b928501e516ef6b06f6b612afabbabb31b4fc8b36ecb932eca0ba89d888518e97c1d31eb1c12283db719d99f5c5897994f4b

C:\Users\Admin\AppData\Local\Temp\ccoi.exe

MD5 51779b7208a07fab4ed75d402c4384a7
SHA1 e5bae6be0d9dac06fc302ce70e2f96eb0b0f9db0
SHA256 b684e466c6e66bd715fa6e065a737048fe610fd8b6e9fcdb2c9574851294a170
SHA512 f6d64731cc1434a3e1cafadbb9f70561192a14bbfd9152cb899318017676d9ace7365d68a69bf959f9b641addb6a0969cbccc979a5be65dbf9bd05bdb4fb3a79

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 b6b50333e4802ce0e0b9f372c0809d23
SHA1 398cc203d30a9e6734e225d38391de6ba1047ef0
SHA256 07b0bfec8bb1accac8dcb86942b9b300375e6840aa1c56b7d5059af7bfe47e9d
SHA512 e2b21938b840ce43e6b0b3f317c02c77964d44da7a7f49f36c7b9b228c95356fb2ed6ec3e60bf04e41c9e2c1ce0c4d1fff8bb1d26f09d4f6f0083211cb837f78

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 be952ff7609223f39e87f2c172e8b872
SHA1 941b03048baaaa6114a7e6c188a9a5508cd45944
SHA256 879031a25f8cde12785ee153b0823dbf0e023a92ee3904fbb1b0e292268d5f5d
SHA512 90fb402ba3da92567d828efe1c5fb12db05eb5c1df1f394efe2dc23735a882878d5b3758648fef3e43d034ffe2424b0c68dd59aa9b2bedafe0a22d8a81116447

C:\Users\Admin\AppData\Local\Temp\UEAe.exe

MD5 00dd2b57e20c61fb88ea295a01dbd9ba
SHA1 c397d88ce748d913234c61f3af5124aef456b213
SHA256 9651c57e34c0fb4f3a3214320ba1c193ea91e3cf7de1ef4b84ce1469c1677208
SHA512 77d5eabafb73824040035b96b1f53d14a4831b691844bc68ce3b0304b0dbf7f6b596809f96025934214d53ec23e02289f53c426eca6aee6887c922208ec06ca7

C:\Users\Admin\AppData\Local\Temp\SAYW.exe

MD5 d4b178ed607836a4330543189dfb53d4
SHA1 0a804d198330ffa20c2031b1acb5cb93806537c2
SHA256 dd6c2f85256acd478223ec6ccc6ba3445bb0b11eed2af69c3f45cbea1554536f
SHA512 a7abfd95edf73a0e585c68e8853716057b973969cddb4189c8fca98fcd237839efddebda7883fd5186994e17280dcfa91434ea4f02434fccb95097086be364ee

C:\Users\Admin\AppData\Local\Temp\awow.exe

MD5 2387a45575da2f6302aa075dc9b1cf51
SHA1 ca1cffd6381cb6a73bf2cc876be662e29e2de07e
SHA256 13b92e75cb5756950f4790170cfec4fe8179cb28d7ac2513d63ebf910f89cd55
SHA512 73f9f39bace588aa57c3ada0d9643c03ad51d988d7b2f0cbdace33640584fa2500fd8ab80d5574876b23d65e3ac6ffead39cab2a0d7002c0ab92b1ddccfb121f

C:\Users\Admin\AppData\Local\Temp\qUkc.exe

MD5 58b994b8bffe9f19ba29ce59c797b210
SHA1 cc659e26d37ad39d3e2ab83710e5aaa5c65e8648
SHA256 b8730b3a42bd3c7e58c66a77d8a45b3802d1ba25f5e7ea6e30ccbf4c1a0c9347
SHA512 e5df5a9ad75e3f7c38aa2339ca8546225691c84af19723f7a095404c87e2c3053a5a7551b941361c1cf778dbba55726d094c0c66e8c0a3293d483145b49a9aaa

C:\Users\Admin\AppData\Local\Temp\mQgA.exe

MD5 4e33cf06834043462109e7ce438e5d2a
SHA1 f9643c307e04ea479606fd1c1ae86ef021b2e1b0
SHA256 b6a3f79750a3902a39f85e5b7d1eb0c8aab59e9cb323241629d10a26a13a6323
SHA512 40b5819094a4f28f46be72eef03bd11bd31ba08277cd6ab13a8852ac515b2c4d4e30b792011deb2538ff6125fbdb48e08ecf231724f2103e39508f906a28aa57

C:\Users\Admin\AppData\Local\Temp\OsgE.exe

MD5 bf730e3067a8cbbaaec2bbd97e44f2d8
SHA1 4cf4b2944030044af4b81788409569d0c6b48787
SHA256 f4a2e75a16f9f10343884a82bd6f0d589393c88a9235cd21bfde2f997d6e9d56
SHA512 5c7b1073796c6eecd1eec7f8bee4ae9c5146b6fedcd1f71aea39792a54be573b798740da5b6c5e9c3caca62afda02f50b2bb6a64acd4e468fa024e9b18cfba5c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 faca1464bb561c0cd8f7144f56de09c4
SHA1 abffa8d639a1646731ac99ca9e000ca515ba9d07
SHA256 c5eaa5331255e776f481e6ccedf5c0aeb2dd5db0b27ed421002a6ff98d390208
SHA512 72d70393fc179e667630a4f504914120026d7f6722996b012a6d3468a3379c135c7367528ac3285c6ba8254a5b07e5944f24d6fcebc5cced98252943058f5796

C:\Users\Admin\AppData\Local\Temp\IQkM.exe

MD5 302c6956d40875b0403dd7718cf1f91c
SHA1 94bad0d665d76b917661085c6bbedc8fbd02e4bc
SHA256 f1d6661fc43dd390ae8a5b59877557e4d0f9d4d38a3ce396844702bc6f254c26
SHA512 de602bb0783a778ee71f7e95ef0346b73cfb93521eff7beb0605d22ab097d1b3a1c5537ef2e20bc5dfad721f66e0bd9fb87a1ce99643723d623eebf358db4eab

C:\Users\Admin\AppData\Local\Temp\SMYO.exe

MD5 497304d2b8b22e39b1eff69a372116be
SHA1 eb1ab17311bbdb54d7ae2882096f756a8a936e6e
SHA256 7e79603da66bf317f2ee1a6025ae10d95274fdf18e02c4d4afff65a7eedaa836
SHA512 41016ac9719e47ab78b6538be121df4ca53b16668346ac5d9a42c5e2d49d6dd75a65cff41f917aed625b0a91264524b62b3e70cccf1f1269c1c203f14127d70e

C:\Users\Admin\AppData\Local\Temp\YMMi.exe

MD5 53bc88c5e96eb990b486c10943c3d152
SHA1 826621338fb73b5e17683cd3281e4cf2ad4797ab
SHA256 fa6a57419925310eddf252e363c729f004062e9ed6e1eaa6eea00907c8931338
SHA512 31909d8b522d6a97d4d0f1cff7502016b972302bde5332614f68a425171d2ee7d12aa47c1219788c72965637033e7f0a44a6448163bb5e4bd2ae2e180065093a

C:\Users\Admin\AppData\Local\Temp\OIsc.exe

MD5 e85265a7c247cbadbce4c070b8fb52ce
SHA1 bf125a335f36f372705066dc11071d92cdf00b22
SHA256 b7f1ea90ffb9958f733c2062a4851249efa0d7fbab22bbd34e76abe6f59703c0
SHA512 f766604abd1ce25485fca86f8a1aa613487ee07108630681a2236c83697b70e8df983878141bae7127a391692be6133b4b4a50fe709965a749d2b16b66b04d38

C:\Users\Admin\AppData\Local\Temp\MEIK.exe

MD5 783bdbe4903015d6b1cb64a24f8ec10d
SHA1 269a364c25cfd6958f7a80b248735de9ae16d330
SHA256 be1e76e0211a445c31f6c6cf43111bc53eb90095f06562cb1d36142e88c96d34
SHA512 1c970d4803421ac676096868d1db8878bcc14e69b37bc59d4f5bbfb186c886cbe81019c55984ceb0db6d2f7d7ba79c1369cb674fff05ea7d0ee18cb6f6985fad

C:\Users\Admin\AppData\Local\Temp\EgUm.exe

MD5 31bf87192e91fb8e879d4764ce587988
SHA1 340ea2803068415f6f42c6f4d197914ed9135ea4
SHA256 85211c9b014147975e63b895db4da875e6e4e390effd766b8b289a2dd1647660
SHA512 8088946d8e51acae9459dfe2b499ec2b598eca165a06e8d1b63710bd8f19bc1907a3a7624067bc794f8b6c2c8b3a6757518e7a23f826cc079d8aa6a647baf9b2

C:\Users\Admin\AppData\Local\Temp\qwMw.exe

MD5 681f1fb238471714318deae8bb9c9641
SHA1 b1c82cfbe2f38b2d8fa654eb74a4f0a2c853624f
SHA256 c24ca1215673026a8c3806ff9b96f7e2da13cc62ed689211c024b9685cce11ce
SHA512 397950afc5d02fcbac1dc1b57054b0efdcedcd721fe9f22fed539272aab661b04e1d9797eacca2da7dac10090cd3b300ae242b981c51e88bf3cac3b5708c510d

C:\Users\Admin\AppData\Local\Temp\Swsc.exe

MD5 e9dc327acaf801976a3742b2c297adbf
SHA1 04a0e264819ff9c684c51a3601f32514d05b9717
SHA256 f69223fcff6b08b74b37ff1009f773a24d3e6471085aacec61281a02f0326e87
SHA512 5ad22a8f83a09b446c81cb7a9fa8c83bca3f4128b9b25cb4cc1777bcc0bf2cb9cf463d1138aee47377be295334b168b908422602e1fe6df32b75e7904d992b1c

C:\Users\Admin\AppData\Local\Temp\yokW.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\yIgs.exe

MD5 79b7d7cf9cb18cb5940615b1813499e7
SHA1 55594310f338a008d3628911befe117ab348cfa1
SHA256 7117f3225e04edcb815d7ec8b4d7d458db7e9620cecdc0a332e1fda21ce21f45
SHA512 4d5011acc073317f5a0150e5cce554d1048dde3204b950c5f82a66216c145314e9950dbb96783bb5856e3d2af1fbbb83ead633192f45bfecdde5ac8dfeab4c00

C:\Users\Admin\AppData\Local\Temp\gsUk.exe

MD5 ab8014f5d5f275e88207100aad15a5aa
SHA1 ecaa3784fa88d53cfa15ac6ca8a181a122b3cfe8
SHA256 ed715fa42e0a9d1161f0b5bd66f91e0a8df219bd22cef85bab2365f3049f68c8
SHA512 be06f5b7a04eb8d13d3ab7442d542f1e89d8ae49ae340233daf4cb31cdc63e1e8b5893ecf688fe3f6d2ec73fd4296b51c191ac5f9ed2dea8c3fddc1abd0baea1

C:\Users\Admin\AppData\Local\Temp\KIMs.exe

MD5 badc8fd95c58aa15d69e9e3e395f086f
SHA1 8abb6a10897fa7c0e5f163c5f23a419569e8dbab
SHA256 903aa4c7ee2bec036f846c8f522baf8c7e07cb8fe0713c7b666dc1da1cda18d4
SHA512 068a3b352ec1647374bc803826ff29cacc85796bd263e4a0b4d4ffbfc2f1d71d1526510b1be95d0727c507fa508f8a6a1244916028c146ee7cf263b612850e59

C:\Users\Admin\AppData\Local\Temp\ogwk.exe

MD5 8d0495f105c50e1db3dccb357156d322
SHA1 2376b4ccda4089f8a6c9b511c1f1eba64d9b7221
SHA256 b157f0a0f6576ffa4e7f54eba0c20d47593c93a1b155853ae38271a4285a2b2a
SHA512 336dacb985557c670f7e35f704249c17b9bc4c71a19f688532edd77297e6cf5e6ec093ba714dc16a46e90e752acf240e6214467685306683d9ab1dd7d672e6d6

C:\Users\Admin\AppData\Local\Temp\Eogm.exe

MD5 5079d56d5ca5b3f767972e79a27caade
SHA1 3320f39258443eb80afa3b40b37c7cc918c65ece
SHA256 9bac12fcd4ec78e5f68c488dd162779bba07b7e87d88a6de2fcb2820794f0ff4
SHA512 7a1768cd2c69889802ef8e7ad3454a39eee3092da37bd97f2bc8c0322989218a9d1ad0e1929ebed1369c4f48e0513806c56e896a4bd4aa8c5c97375034302b97

C:\Users\Admin\AppData\Local\Temp\UIsi.exe

MD5 07091fdb90c802f9cc004a538358afb6
SHA1 18297543142dfe6af60c2e3e39f1ae086b30d9fb
SHA256 c6a343e5cbf941f85bf8cf968af45cea4f099157a806e5d0e04b53963a115258
SHA512 28e2ce9341eaf824f15305e17a0492adabe8c7e6db111da99341b2ee7f85a7af7d2339f7aec0056ea831602e4f94e3d591c192ec8b7c9bdf0ecc59dbf622add7

C:\Users\Admin\AppData\Local\Temp\gwsQ.exe

MD5 a85a9741e03ff3f144b89a7509733e1b
SHA1 37ee7078f42cd1318a30f779c651ddacab406d12
SHA256 5ddafaf85071152d2bef738bd0da3e51c6822d50bc03ab1f5e34753d8bfa6688
SHA512 be3a6456ed37db96c0d80c9a494aeae0d8a78bb8383f188b33290abb6fd12641f499f58a7770c1eca833f0dca75f4891ff7ca147ee5fb163b794a363c8b456b3

C:\Users\Admin\AppData\Local\Temp\EMQW.exe

MD5 419d83ef1d9a35b939e3ae784796443e
SHA1 994e8bf7954c8e517ffda811912c78f27831224c
SHA256 b787ab745f947f5b52b5d7d8a3b2a1282a0f64a8d198246d9ad2847f11e2213c
SHA512 86d445651ce151bc47ebf233064a3572a529719892103f31515d4192235c2e92e9d2427ffa48f9813c5b029874acf58c70449255a78d5e99e1130e182a4515aa

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 2df750ce5f17a0e64031a1d1de7187e6
SHA1 25b3362350b2106d35cde2575a14947c28c3738a
SHA256 eef38ca4d331fed070cf4546da6a8ceafaa82bb883cc7921f4267bb4eb676a65
SHA512 b5d67d1d4b6436a9a310a278b22e8466a997f8322b003901b481de3c7b5990b91712231fef0f4724b6130b07e55a459ae3ad82a05d17290551c1e00cc733a0eb

C:\Users\Admin\AppData\Local\Temp\qYsM.exe

MD5 25fb758d2a81e9b5620726cdf9cf2923
SHA1 36e15e628618ed99510e0ed4581c17e1c526f529
SHA256 43eea831af5aa7a02b362dc520d0825977db6fe615c0ea8b481905cf7815b1c9
SHA512 e25b3d83fdfd4bd7232fbea10a7e581a86b1d04a65db09b6f0924be5d685c7aa6234654f9991ef0405ff694762a53f40634c5e6bd846b3e8476a30f26745fef5

C:\Users\Admin\AppData\Local\Temp\Ugww.exe

MD5 792a03331f17f38d3d28a5c7ff881f83
SHA1 204f8932806f2a711f50365ccbd764649db9454c
SHA256 179d288dbdfb46c20573263e877369131fcf3a203072e505f5e6466a25b1d255
SHA512 5cee815541c2398ae4c2b0b200cf784ee8d5a9ae77d89b20a53182db46b9d142f5e3307e52de17f3d88817e242a5e980b675cbb8c255e66309433dd3981d2836

C:\Users\Admin\AppData\Local\Temp\SMcm.exe

MD5 78a0e7fa02a1801f3a5d6e6825e8df62
SHA1 b493b3250404d34267edb5c821073fc42d46b315
SHA256 76c8b6f78cf37fac58dfa0a7ca0b54bc4d3a7ff7049805f134a362ea6f5f0132
SHA512 20ce40d41ae027e832792fb45c02bcfa5cb15c2c045357f93324e434fe9832185b6acc4ca74f2f8c72ca8f342b8af3b4f6cffdea2303ad33cdd69fa96a6549c3

C:\Users\Admin\AppData\Local\Temp\YQwa.exe

MD5 b2b9584f8520e48eee385f7e5d773893
SHA1 7c7dd22503f615bf957cd3d530df1f52e911234a
SHA256 77052a9ff6ba23b621fa462aa6e4b8eb0071797912919d90179b53d32568ec29
SHA512 bf163755e643a872ced5b9c6d59179cf7e113bf4f9cc6424795ddaa61a8c22e307234a2e4004da97a08247f74faaa4a47b012d1e30216af3cd05b89eda19cd75

C:\Users\Admin\AppData\Local\Temp\ysYC.exe

MD5 13574054bb573962806a31a7cd5837a1
SHA1 2761dbb6509878eca452197daf49311059badb94
SHA256 e9263a03a744b5d725eeba8223c4bdda49a1cc47d384d6f1920c7976ed7ac6b9
SHA512 d9f1c5854721369ab4995d869cf5ee0cf4e43602cc465a5bccd023d5909b3f862c4c66dd9515710b1d63a2865d5a5348ac61d219e8c32be91bd78ed6af1fc9ec

C:\Users\Admin\AppData\Local\Temp\iEAA.exe

MD5 8fd5f01780fdcb1b9184e1aa2d265d68
SHA1 3862272ace201762a5d700788dc30fe81b4d90c9
SHA256 1f42a1350839f20dc9974cee3adc9c527d11f9860fd3cc7b566698a43515e7c9
SHA512 42cd68e0f409b27a85968e0d3613904b9d0042fd30f0135496f72b73240b9fd4f26702c5d44c696ff403cd02cf1f39a4ece3212deaaefe2fc5e63164ce2f7537

C:\Users\Admin\AppData\Local\Temp\GUIg.exe

MD5 148a0ec72a30553cb4a57b6aba18c29b
SHA1 db18d440fbf283e5250e4b0dac2c15310ed1a0b5
SHA256 4d76e5921c183dff9195e36f85512b305485dd8d2a9d10e9fb0eb5debccb4102
SHA512 e826c4646789e18f1038cc5a3794177e9aa646485ce3148d8c24caa833fbeb190c976b742b4ad55b3263cd6390a01d4c74bbbb74b0e7ed1341f6314ca7cf245f

C:\Users\Admin\AppData\Local\Temp\mYcS.exe

MD5 347885f7252e48942bd1b52012d5b6f5
SHA1 e090d367e9ff73f9eaa6bbd2ab38109335c40a87
SHA256 2fdd259ea9ec66f964da841af8799db9b6b7983ba5faac60d377c1e55fa2a154
SHA512 42fcc28071601569eeb691cf1fd72185f7844b39b06068824f72de4b887aae0675051e24db49870ed6d8fe4590eb1c5307c05a8c4083f88e13d46c64677f3529

C:\Users\Admin\AppData\Local\Temp\OYwq.exe

MD5 d8ab3a016f8c0318b366a94cc6a399f0
SHA1 48bbc215cada0ede1a8413e512553617ea176305
SHA256 54b03856f72bc21234565ae096c30e6cbc2306a817931cc0067659e8a824e105
SHA512 ef628f5c5ebd2118035f50a57e5afc0c8351f4ff931befd0caca86feb279bd42b1880697263d27934c54e2f7147cdb2af46e4dd98a1c24175b1f644a48ec098b

C:\Users\Admin\AppData\Local\Temp\okUO.exe

MD5 c7c65e1b28722b206029585b8a918060
SHA1 08bcd0c13f2e2199522a9bde4f66342bf40f6169
SHA256 6f0292d45b91b9fcb3a1d42d5eb4703e24feeefd08104db5ee025aca255f0207
SHA512 046a1585038588b08afe7711b0a9b941faac9bbfa9b1beb17a84298e68fa8010d970967dc2e12fa725c8b424abfcf765101ac66f3a6e40cd7e3b48fb4b50f6e1

C:\Users\Admin\AppData\Local\Temp\IQEA.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\sEkG.exe

MD5 f38e276f714c2528a9285395f34dd914
SHA1 478c19319ac755716d9fb5be2a248032844d8159
SHA256 c669f1cc06398d73a0b1f3347931b10a08c698a01ad6ce12298e1021a1acf1ed
SHA512 c8930814d89798211a51d6a06390d6f410f8c7ad60caadd3cd8d946ae4610ec9fc6da0105b63dbbc583ef202f1f64f942ae3fcfe7930780b7918e6f4897e7df0

C:\Users\Admin\AppData\Local\Temp\swAa.exe

MD5 b0245d73a83f46fa691912f690a00d37
SHA1 66488877b38a69264dfcdd5634480827f31edbe7
SHA256 a55dbd7162c66f52dd523525161be3c285d29bcc18bb5a1955692d63bcae45f1
SHA512 3a7aaacf54d48935454c865232bff2cb3a36f0d803833e12b8fd3e6c570b88614166a8d167b838bfd8180d0d4cf5feeba5e1d828e69c804ad2aaa12c5774a048

C:\Users\Admin\AppData\Local\Temp\sQsg.exe

MD5 e51643e6273bab71ccccf9b9d2e6f471
SHA1 852a2dc2d19c13d664454796245e1bb730d6d9fc
SHA256 ead3e8f8dd4318dce20c852e27fd24f07d9c8b0ce130959785db14ae549be544
SHA512 5b4f958167bbcbd959fb9d4f3f769a71519907dea3933263710d1c38266f74b88e5971a8ed09d884a48799fac0d2c1908466e9042cc0b4f8fd620a11f5d11934

C:\Users\Admin\AppData\Local\Temp\sEkA.exe

MD5 b5492373a514d99a8c207c79b4a2a731
SHA1 620b0ea1caa81f40ca0ff7035d94a7687688bc7e
SHA256 e61ba5bcd827efb7dcafdee87d4e8710d72c24f5b6a9a56bdc46d932cc1be87a
SHA512 92cdb80f55d720f7e66364bb25240747aa206b85d321f4d1566dc4e4dc362700488ecbe1b534cfc720d196884fd7d5663cf5924d123e2fd0acb4dcda3b5741a4

C:\Users\Admin\AppData\Local\Temp\CoYy.exe

MD5 b7e6be3618ea53276dd59eb70cec597e
SHA1 0ab235a5c800d2ff7e98fc3c2ecaff839e718000
SHA256 d7b5716f91c104cbc15ffc0eb089739776ce591623575adc2a988260f161acce
SHA512 d7fa5aed9ee40c8438bdad53157eaac157cfc5ef80e6fdd1f8ad7200bde4c6bf021998da6d7cab5da035b9ff3324f9a4d5e8a1f472e407b3f0e5919b57c8a5ef

C:\Users\Admin\AppData\Local\Temp\WUgk.exe

MD5 4ac42c298a49a8a3fa8e721ef8d72336
SHA1 92f745053b39116aade50540ab8a7015283d8b9c
SHA256 e57d26695629e00afc7747df1c19dd2bda1c3023e9376f28cea68ac0ff5b9595
SHA512 d12908746eb279d1505851afd21a077d1e3035231cfd22ab04ec746891178e09da4799b1d6d93ab0ea793f56705d10734cc39a8f2d984e9efa13956f36f60c8e

C:\Users\Admin\AppData\Local\Temp\QYYq.exe

MD5 df1571710f645ea6baf197beb105a8e8
SHA1 abb4937a7cf6222a77ea7b767442105647793f71
SHA256 b3e2746f2dc1d082e9d36fd53bf2f86d1aff175a6d5064692cdb414d985647e4
SHA512 c6ea7b59688ad4cb30156eda59ec206fa38a414e9379dec60ec023d97f5614d92ae687691ea379106555029ab013f92aa989cf7bc0858e7a9a6c011f0923a9c1

C:\Users\Admin\AppData\Local\Temp\YMQa.exe

MD5 d46d2d275241da975fa00aade52c5b5e
SHA1 b7655db1f56376dad3fb9b3859c2a332ffd85deb
SHA256 6e5a9721fb150e4e293d09b8b236b47c493dffc526f360f3a4cce5d6fe1b0401
SHA512 35f0abfdccbda10a0c1b866860c2fc1d67a4f9376b4121fd2cf254944db9dbefdbb5f150eeca2d2bedb004b1f96a49e99f48dfc2524a0001b1b9f85a4b46dda9

C:\Users\Admin\AppData\Local\Temp\QYIg.exe

MD5 3a60426358ecdce49351c1a8e4d5ecb9
SHA1 26fe456d152f32415d850787359713697425a821
SHA256 def0d4a71de4c8fd179f6d10a9b6dcdcf1e26a9353a60b39f3316a98f4dcf822
SHA512 922d5e83659399c1d737e72bf8b691be4c5511bc94bec03f3e5eed4bc283d50ec15283fd6b4724012d58efa8adccd0b51ffc860c398abdeac109050621eb9779

C:\Users\Admin\AppData\Local\Temp\IYIM.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\SIwC.exe

MD5 b83a88465ef085435a2c427fe3ece8f5
SHA1 1234e3ac40ff3d481123a9381f147a05d260b98a
SHA256 54c9398f63bef9c856d0f4a57d7eaef29fc852d273ef01c6f99de2215af6ac76
SHA512 4d1e24636f7c0346852e516360cfd73e92e6004b74a338cb6b03fe4912ad2bc70227e76e3fcc522e8259a35cf6688a9e0ae42668dde37b782f4714d407df64ef

C:\Users\Admin\AppData\Local\Temp\Kwwm.exe

MD5 38dbaca46cea2b18a69963d98dfb2d2e
SHA1 e99f728c92d42e30905ed3fdc3a68cf6adae6dc0
SHA256 79e1dcb50c9c6f8e0e383bebf0a0a288bc1a32ddfa523685249220a43b0cfd5a
SHA512 45da0b0f1e5f75ce4659609a90fe579f7de7bc6ac27de188bc499314374bca22fedcf34a8988628f198e9b1358059522e82f554059b0c390389eee936427be7e

C:\Users\Admin\AppData\Local\Temp\UEwq.exe

MD5 5e48d31cfef6116cf31fd9015e3fd903
SHA1 cc5b9151a4e93ea648c11b12915379a342dca123
SHA256 d1b14bbc2b6a9c7ca4b1f41698901ab0fdafa08de526deefd77dff408dbef6cd
SHA512 7e6063c5f07ed824e868bfda92757f7ce450aba22026f2e7eb839e4fc4597ea744caefe5683acd855a099ffb6ef4ef03b5799d67cc024e386612247cfb15d00d

C:\Users\Admin\AppData\Local\Temp\Kgsc.exe

MD5 6e237e3cec5d52c64e5b489c2eb98e69
SHA1 77922ad2987e1d6e274868c9aaedbab86d8a6c83
SHA256 58d192e82bd5632d3ec2cedf9c9d9675cb787e9c3af1f5764cce80ca52eb7dc5
SHA512 a873cd1ae5c306995197369f48066797ca580f3c921b5e626d6154ccc476822ceeb40210e8ce13872ff3b62ab2e24d57c66b4da72b1975d57f7fab4b3d67a3be

C:\Users\Admin\AppData\Local\Temp\iQcO.exe

MD5 eae9d1c1d47fd9b9015e0de3234224e7
SHA1 8efbbcc137dabb1e08593d4e9e5433a46931b68a
SHA256 4b3e8390db55b2a7416711aa69061d867367dbb7304476aaaaf387d4b81ec8cc
SHA512 ed9638ce7ebc7e0fe16ad14175219f1cdc6a815f4232bb7bf6c7c84423066b01df8e53b6c156a4ceb516264b08c0446c841bc9b1347c76f6b494e7ed6a5eb9c0

C:\Users\Admin\AppData\Local\Temp\MMMU.exe

MD5 f4c561c972f8bd22b98fd130e165beac
SHA1 196fceb745e07f628d37b72201d8ff7bef1c52e9
SHA256 502896e0ec7e5e4e5f9206ec5a14feec47f4ffcb21d61337eca2b4f971e987d8
SHA512 3ab3b51073130c8b176a3fcebb8847e17618d0d1dd4146fa905570d036a4cad65374bdf4ce043ad9457762bff638654e8c0d636d53a2dea7d23074f4e8cae0bc

C:\Users\Admin\AppData\Local\Temp\esQA.exe

MD5 e5b3a971c95b21b74e6d0db55bb9d84f
SHA1 5511a9f2c2c26c12c26ab8e47d54e6ef6b110e39
SHA256 374aa8fb26194067d1fd8fafacdd3d5dac30aac230e16e82ca3cd6375d8259ef
SHA512 57faa51b6056b6f38421fc67f3039557a3560a283f4afa6f3be012d40b0b73e4de83b755249670e5ec28e7219f46800f60b490f4032c5a7f38360bd4a3294247

C:\Users\Admin\AppData\Local\Temp\Wowm.exe

MD5 54161a52c464592ea796efc5d49f2a0f
SHA1 b3b5cf5b201c150530823c2889b2b52f60a64ea7
SHA256 8ffba9284d70d74eaf56e6ca6a1a1780e9f1e80bea15364933027b02c29a3475
SHA512 895d4dd8d912be4e3a32a501e03a16ec6084b535e9b10f2a18680a404668471a79dea7529ab5c4adc08af59db8b53e880c26dcc4b24f2284344793940a8526b4