Analysis Overview
SHA256
8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
Threat Level: Known bad
The file 8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (85) files with added filename extension
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:06
Reported
2024-10-26 00:09
Platform
win7-20240903-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
(This identical entry appears 62 times in the report; the same value was written by reg.exe on each occurrence.)
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
(This identical entry appears 62 times in the report; the same value was written by reg.exe on each occurrence.)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation | C:\ProgramData\LOAkMAgs\fAMIYEgY.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe | N/A |
| N/A | N/A | C:\ProgramData\LOAkMAgs\fAMIYEgY.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\hqEcIcQw.exe = "C:\\Users\\Admin\\PuoQwQAo\\hqEcIcQw.exe" | C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\hqEcIcQw.exe = "C:\\Users\\Admin\\PuoQwQAo\\hqEcIcQw.exe" | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fAMIYEgY.exe = "C:\\ProgramData\\LOAkMAgs\\fAMIYEgY.exe" | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fAMIYEgY.exe = "C:\\ProgramData\\LOAkMAgs\\fAMIYEgY.exe" | C:\ProgramData\LOAkMAgs\fAMIYEgY.exe | N/A |
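The two Run values above register each dropped executable under its own file name: one in the user hive, one in the Wow6432Node view of HKLM, which is where a 32-bit process (the sample runs from SysWOW64) lands when it writes to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run under registry redirection. A 64-bit audit that reads only the native HKLM Run key misses the second entry. The script below is an added example, not part of the sandbox report or the sample: it parses a `reg export` dump and flags the two traits seen here, a value named exactly after its image and an image stored in a user-writable directory. The .reg text is constructed to mirror the report's two entries plus one benign control.

```python
"""Audit Run-key entries from a `reg export` dump for the persistence pattern
in this report. Added example; the .reg text below is constructed."""
import re
from pathlib import PureWindowsPath

# Constructed sample shaped like `reg export` output. The two malicious
# entries mirror the report's Run-key writes; OneDrive is a benign control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hqEcIcQw.exe"="C:\\Users\\Admin\\PuoQwQAo\\hqEcIcQw.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"fAMIYEgY.exe"="C:\\ProgramData\\LOAkMAgs\\fAMIYEgY.exe"
"""

# Locations an unprivileged user can write to. A Run entry pointing here is
# not proof of malice, but it is where droppers like this one put themselves.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a .reg export.
    .reg files double backslashes and escape embedded quotes as \\"; undo both."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data


def image_path(data):
    """Return the executable path from Run-key data, quoted or bare."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ")[0]


def suspicious_run_entries(text):
    """Flag entries whose value name equals the image file name (the sample
    registers each dropped EXE under its own name) or whose image lives in a
    user-writable directory. Returns a list of finding dicts."""
    findings = []
    for key, name, data in parse_reg_export(text):
        path = image_path(data)
        reasons = []
        if name.lower() == PureWindowsPath(path).name.lower():
            reasons.append("value name equals image file name")
        if path.lower().startswith(USER_WRITABLE):
            reasons.append("image in user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": path,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_REG):
        print(f["key"], f["name"], f["path"], "; ".join(f["reasons"]))
```

To use it on a live host, export both views (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the Wow6432Node key, plus HKCU) and feed the files in; the parser only handles string values, which is all the Run key holds.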
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\LOAkMAgs\fAMIYEgY.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe (29 entries) | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe (24 entries) | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe (7 entries) | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe (4 entries) | N/A |
(64 entries in total. Sixty of them come from the cmd.exe, reg.exe and cscript.exe children the sample spawned rather than from the sample itself, so on its own this signature is weak evidence of a deliberate language check; the reg.exe writes above are the stronger indicators.)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\LOAkMAgs\fAMIYEgY.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
"C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe"
C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe
"C:\Users\Admin\PuoQwQAo\hqEcIcQw.exe"
C:\ProgramData\LOAkMAgs\fAMIYEgY.exe
"C:\ProgramData\LOAkMAgs\fAMIYEgY.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkkkYksA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zosYwkwY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwIgIscw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SigIswUE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOwEwYso.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UuAkogwQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEkgUMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOYQEYsI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYYIQAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUsAUQsw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyoAQUoc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOYoUMIY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cigQccko.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQkcQssI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAUsUskY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOwoMkAg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWYIsEwE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGAIUsQM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-440999511-1155300936181164591210668703835374953-1370716411-1392040357-1182375777"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKowIkEI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aIocUkYY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1531978821-170153260441454644-1568343422-234136477-1549663008-17192498081069427790"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKsYMUQM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUwgcAAk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-562610642-1012686143-1823529821627534025573683888937657951109441090-1434522835"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQMMUUII.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1684412327-76320201816065152608441403622103630331205356645569190144611771160"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4434012343984981381663635953966065408187333917174603648320520853211795173721"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FmgcYowI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14838520339525129391306933750-15531957801929914349-14278369881917251631-1761057869"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOQsEoMs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "989972481691039484-1439563656-17970014547512975433404416981966436671-1960887852"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMgMkAkY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-116314391292071513-963266584164256776018708505581588814441144782848-1730487192"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1577704050-1683544744-770769748616314146131678904120556107641232260824-4495685"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUIkwQEo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciMAkcYk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kegggQos.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-889792155-22352944-14318574521849549300-193098601418762819564400872771662604915"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUwcgUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zyAYMkMI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "117920964420539522718499216341650678781-19937889751720336510-884698817-1853840851"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuoYsAcA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "988707844415915722-609243999-327066083-1665363118-1192982968-1999682685167566459"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16644747351746314424-8060752141473244612-698105996-428804660-2799125271062821770"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcQQYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11050572231544981268759397333-373549152-2004014128931458152-991365174-455273832"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1693863997-620914136-173626340-1244531357-20631061491070059639310689854370032224"
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\AYYI.exe
| MD5 | 2377b5d102ca87ad1a7430d7cb3d96ac |
| SHA1 | 8bf1a7f353a36f91366ec125c5e9218913bc5cbd |
| SHA256 | 6d6f311d36adb24387449a89eed435cfff0d231947bd22c0f2c9df5bcbc37d50 |
| SHA512 | ec44f62ca983547b909f84879ad79c0b42cfee5845aa2a1f0004fe259157fbecd058b6a6e862b62d4c33a4afd11c174d4ea106a7ee6bbe6622fddf9ada19d5ef |
memory/828-937-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ogEk.exe
| MD5 | 2521e1a58d23730df2c497e06104654f |
| SHA1 | 28ba57a057c71cec7e120882c3ed516446246fbd |
| SHA256 | 6716a351e00de7643e325b1ab09662f5cced27abfff84dba4cfbed1ee1bf1a92 |
| SHA512 | b3f4372d1e94e5ddc4e4690bf616a72839a231f63dddb166da460ce9f4c8941d98de5ea31174519b0c725dcd070f165c77c9459816c6b35b28eb649ee9201fea |
C:\Users\Admin\AppData\Local\Temp\sAEC.exe
| MD5 | 4634366f50502f5a9fea8f64d80bca3a |
| SHA1 | 9c9d878ba75c30b5ee28e15f61f94dab4a26bd6c |
| SHA256 | 8a4f62ff145bfbd48dd44f8ff8b35ab5d8b23f648500ee18289a8ddaf3bc63d6 |
| SHA512 | e29769b917765e0e2d33242394aa731c606ce18291f20ad22151016feb2549c2d72971ce5c8f1511652f611902d1a380407c81d8140ac4ceaf2dc5fb3bc028e7 |
C:\Users\Admin\AppData\Local\Temp\ucss.exe
| MD5 | e2588bfa6b4177049edb0caae1ccbade |
| SHA1 | de419b31b386082a9f3eecb7db7111537dbbd07d |
| SHA256 | ea55f04025a43ee937db7c1d2ed5ea910851740020001e3e710d68ed334d341c |
| SHA512 | 0fede4fc622c5948bc6526d15ee703ba622a18b03aed988530ef35afc37b64b48f01d8e5acb320c2475bb25bb7a8d3a6eaba081b951b241c66d046aad43acd54 |
C:\Users\Admin\AppData\Local\Temp\DAsIwUsY.bat
| MD5 | 5110b49f8436ac9d30e8120b4e06c8ca |
| SHA1 | 61f10cafae2f84a3f3152922f014fdcb8c020b8d |
| SHA256 | b4437d6b5381784a5f2777ba018432ff76d72db08199f0b02ced1c584124da7e |
| SHA512 | 2f4ba7e225e9324ea9a68d658ec4ab08197875e4b4ea6a797f8087dd21c76ad641cce87a043c679d1b80ddb369eaab8aa9c31cd64a435379af72e8865dc4570d |
C:\Users\Admin\AppData\Local\Temp\eAYs.exe
| MD5 | c59b14fd0a773897d8ed6535d0a30af9 |
| SHA1 | 86cbed7228dbe18fdfe52f539d5efdcb9a8edcfe |
| SHA256 | 21e7226d960e41cf97fde3648e14377fa1fa248e24bc879e6227a85fdb430e52 |
| SHA512 | 59f1e85c1ac9c42d38ba50c69d285122e3a6ff399931d4373a97bf8b75dd01bd66ecf90a6062c148c15ea34fcf49ea4d8b15c96de0233f04835c40b04be1d835 |
memory/2960-1000-0x00000000000F0000-0x000000000010F000-memory.dmp
memory/2960-999-0x00000000000F0000-0x000000000010F000-memory.dmp
memory/1724-1001-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2300-1023-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gYYU.exe
| MD5 | 5519d69dc4f5c88f0f4acf04a4e01c13 |
| SHA1 | 3fb96e62ba7de37ec39a68ce76a430ca5fc26fd8 |
| SHA256 | 587211d683d91c8f606bb13eec482495c45fa14ff25dac56d8a9f5d19ebe586a |
| SHA512 | f3b1f6268da45463e05298691b1b7830e43fa28fa90871e47b743a664e54e3dab10d2a9bcfc00726dfeee7df0f8c0f0a81646b51ee78393064cb6478bfcfe5fb |
C:\Users\Admin\AppData\Local\Temp\iYcK.exe
| MD5 | 2fe8fcfc0ba7b517286662586d4ac3b5 |
| SHA1 | 7d09425602ee61e7e2a032627006dae115abc0b3 |
| SHA256 | a145751d36a45ae109a05873aca2c4f82db8a82f0c480ad5718b467c7206864c |
| SHA512 | 33cbf8891995032f6c96374b605b5a4e9d589c046d454b3261891ead0a532cbe033d05038f38de551663a8e4d5792a2c458354b620a927417a87ef5a7c4408b8 |
C:\Users\Admin\AppData\Local\Temp\OQcw.exe
| MD5 | e670efa8c8f06c782cbc1e5c9cacb70e |
| SHA1 | 6c9ef07420a578f812bb434a616e00f07359ad15 |
| SHA256 | af8495555709a79eb2176092cd91524436aac73c320f43040bf5b6df4daf1a70 |
| SHA512 | bbd90d67020f8db496f6ff92bb89e0386d26d21955a034e6d0b0f88e0dec1cf4252940070f8c4a1bba2f76b3aefccdd2b4cce27a56fca7d176261893e833da9f |
C:\Users\Admin\AppData\Local\Temp\Ygsm.exe
| MD5 | dd7f9f19b7e66329a6365e5357fbbbf6 |
| SHA1 | acd85baf5766a79ceb39c443d4f0e60ad36a8ffe |
| SHA256 | 3f1aa6ce6bd8e014e371a7529839e033634cead99de87f4cb6f37513e0829cd2 |
| SHA512 | 048c09eb90d89dd246b1c88b0a32d62358a445367bb0c02f48a5ec3beece0f166c97d3a4be21abf057bc5f62949f4f4d5366f2760eaa23e6edae79161d680356 |
C:\Users\Admin\AppData\Local\Temp\sUoe.exe
| MD5 | 13121e34c1b7c8ef1162397aaa9cbbc6 |
| SHA1 | afc467c379ffb1401eba376552329658edef8577 |
| SHA256 | 5a2d06fb7cb5dccecc3f352d17d1079d63b0b2c840f878e1ccb2ec741e11f9b7 |
| SHA512 | 1208dbc8cff8264d061fc4b59a3b517ad45e7e2fd18f136bbda1a2b33fe2e4aa1e86b454cc5a2de8d081646cc96ab04b4ef96e7025f12be9ce2b5f71c758c013 |
C:\Users\Admin\AppData\Local\Temp\EEkI.exe
| MD5 | dd83b5920507039f740227ca7b41a5af |
| SHA1 | cebc72ac7daaac6bb3b9723c99730da8c58a92a7 |
| SHA256 | 999c8c0a790b7359b49cdfe64d0837f260c94badbf88bbe22dfe78e66edfa059 |
| SHA512 | 9af22073324e1488337aaa369e0cba493162305ae723108a90c58ef00aafc105d95d7a8cfde566c12a7e19c3b93c99d292103a2c0756f5ff42671a84a8e7486a |
C:\Users\Admin\AppData\Local\Temp\LqwkAsoY.bat
| MD5 | 0c98a60b4ed91754eb261061e5ef8825 |
| SHA1 | 28e8b0885d311bc9d45ecd1adf1eb57466368b5a |
| SHA256 | eee1ef28e5ce74719daf901c7058018638ffb70b381958bf309840e13b298254 |
| SHA512 | d07d58bd4f7d65d3335fd7237ffd236a0fb31dc445edbc963bbbac02fa9c648acfd0dcecca731d9637d2fab2e448d1c1335e79661feab9d451a3f3be2ba71458 |
C:\Users\Admin\AppData\Local\Temp\GIAK.exe
| MD5 | 526ba42030b05c39ffbee064f8ec55fa |
| SHA1 | 1bcf9e507591f0da6300cfea130f4165159406bb |
| SHA256 | f340c6737496fef6d7f4cc6e77e9d36d4a1fbac6da24719c4a5e9ac9c25267d4 |
| SHA512 | 144de74d03c896f4ac42f242522f0462390c31238623fa1082997f379da6cb91fba0b4e6b702dd2096fb883b1da8e35df3c8d3ac1816c7f26a6e167ff5b3f4b6 |
C:\Users\Admin\AppData\Local\Temp\EooG.exe
| MD5 | a8801d398d10960dcae77a3cec6e0ee2 |
| SHA1 | 7bbf1c210be6f14a6d1e7f4c158075c336d17ee8 |
| SHA256 | fd3b3b5f7c670a07cd5ebc255099c83386a4a7db83fc9c20a7ac44d391f0773c |
| SHA512 | e5e12a0cf30234708fa87e2b523c9ca705b8549e3586a19e24f7503a834113b3feae7d907f3d7784affa1f8e04586a7bb7a9acd0d6910b0e18b887fba47be444 |
memory/1620-1125-0x0000000000160000-0x000000000017F000-memory.dmp
memory/1620-1124-0x0000000000160000-0x000000000017F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oUIM.exe
| MD5 | 447e57296a917502d797ebd9dc7b1bbb |
| SHA1 | 1c856e1f8e36ca91b4ce6ffb7ac53695b09bafb7 |
| SHA256 | 67301658b6da73244254c9b0e5e7bbee9604e7b3526be4397fa35ddb1e00d802 |
| SHA512 | b66e8381738087d3cd7b54ea5edbdcc8a4a29c506512974a22e787198e4193237ba8df34b3abd44af962a37f1077489cf5001dfdfe480610903785b92684c52c |
memory/1724-1147-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yQMA.exe
| MD5 | e0c93c1e9cad863a72dfe82f2855737d |
| SHA1 | 48259b49a80b7b993c7458af09ee262c69aa8732 |
| SHA256 | d2bbfe0fd4898081d791f225609c9db9ae3a8166ea9705b3a5dbdef859fdb24d |
| SHA512 | 130c40559b597bcbfc885b391dec9b90843a5e1a473ec805c91ed73e1c7a2bcac3a5c6a0ef6fea72840befee0945127a14ef7dbb3960869a803e15b364e72671 |
C:\Users\Admin\AppData\Local\Temp\SgYY.exe
| MD5 | 740bdcb9f04848cdb2e8fbfed16a1698 |
| SHA1 | e6f70110064a2bb62459e44f8bac2f449deb4d9a |
| SHA256 | c5b029cc6530d7d7820b41e24ca43d4ea428a3e5d5689266e5c9774796ccb083 |
| SHA512 | 409c8cb8cdac3cc595028ab457fe4d6527cf8878ae8a6b83a1c7e0d929acc314bfeb6a660ab8918d0e5eff32781fbf3a4ba7a65a8836fb0163a113f6b27c8e81 |
C:\Users\Admin\AppData\Local\Temp\SwEk.exe
| MD5 | 2d1d01328b826ed2f620b6577088ff5b |
| SHA1 | f5a312fdc7b8066641e1a36de4685dec0dfcc563 |
| SHA256 | 19aabb349ebda1fa4ee05544796a7d37ce790d68e1321053b02b9dd6c15d79f1 |
| SHA512 | 93ca23498433d543823f9606894769d0ed39e9aa0d46b9fe2ccc6418fe9b05ba34a6519564228796c059aa0ea1718fb7a445863901ae6f3ceef99f5ecab59285 |
C:\Users\Admin\AppData\Local\Temp\cAQG.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\aAoy.exe
| MD5 | 451d84a2665a9ccc41cccd6fcdcdaee7 |
| SHA1 | bce77cbe4c6a6aed2e15dcecc88ec5f68ae0f8c5 |
| SHA256 | 32bcdd72ba629e6fc57235528ef1c59a8015bbffc07e0a653eb914898ce01ffd |
| SHA512 | 2b23d1277fe8a559415610186d2b5891d974d55375d606f654243608768a479d6c8f12e8e8b95223fabb86bfb85b404082675dc2353fd6b9f28c2d660d973c4b |
C:\Users\Admin\AppData\Local\Temp\rGUsEkUs.bat
| MD5 | 44ae21b6ce2624bfedbd7ee109ecbe1a |
| SHA1 | fe25a30b51cfc4d6087b1ee38309e1bf7df09478 |
| SHA256 | d221cfc79a6fdcaa1b2ff6e4804a4a13377db0cd17bb36e313b90e953fe87068 |
| SHA512 | 2d98b4d0c0defed7017bc548c7b00922f8b54384cbac2387e6090bb4b83aa01ec78850deea7ccbeb449250aabbf3d55ef3c01b29de2ee0e03dc49cbac0884d33 |
C:\Users\Admin\AppData\Local\Temp\AUkM.exe
| MD5 | 85e9a217917f679c670050ad9e29dd04 |
| SHA1 | 59456a0dafc3f8aaf4295f1976c3594f62234e8d |
| SHA256 | 3cbd7c70d6ae47901029bfb3e605d0538f839ca9e4a4b94239b7a70a92e69008 |
| SHA512 | 4e6876210b200175134b17d48aedfee837c949edf0cbad48114b52f78d291e41ad3e63c08cebb7ae04283708175d1638102cdec0c3f0e52c7541527ba8bb2937 |
memory/1896-1222-0x00000000001B0000-0x00000000001CF000-memory.dmp
memory/2168-1223-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1420-1237-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uAQu.exe
| MD5 | fe4abec8aa13ef725d8ea983efb0dd45 |
| SHA1 | 33549645f371c7b61c4b9e69b3727b443dedbc7b |
| SHA256 | 618ebc08dc41c587b8eead46a764b331a0a24fe9336a5e37b3022291507c53f4 |
| SHA512 | bed38f8b1e48121987b23749b0550f8646c3aa74adac009c639765919dbb716203b1a7ec1f4a10e5278f1e179dd9cdce22eb66c8c9667ada6d62b0b5dc233a63 |
C:\Users\Admin\AppData\Local\Temp\cUsW.exe
| MD5 | 7d1ef8e42f9dec3885fdb39fc027ecf6 |
| SHA1 | c51125ffe329d974e1467984d30ead1070c37b1f |
| SHA256 | b972e1e178793deaa7dd4e59958079cede72c6468c280891d9795b8b8a70e488 |
| SHA512 | c56a6decbf1678fb1acf095911f66dc883e1a989b1719b97f9a6ac5f934d619fdc8d3fb16abe606a66e7039244e96bf84ebedf8f99a787b2270070498cc5ef87 |
C:\Users\Admin\AppData\Local\Temp\WMgwQkoM.bat
| MD5 | e33c174c23854082eafd33e8479ef891 |
| SHA1 | 78e1b0bdad9d2926b01bf1ace0f69a2722427012 |
| SHA256 | a7f4088ee37a433127d8e7fab50195a76f3f00f03ba8848ab011e44a30924735 |
| SHA512 | f72ec41e3f459fac65b37e86b1f1f06c93c90375ef1990de8f3afab422899f1cc7584bea2dc9daca5daa6124263c6951b08028a217930d3168503c9811fb3288 |
C:\Users\Admin\Desktop\PingHide.pdf.exe
| MD5 | 4f3799ccd72873de9a1336eb2ff6bf81 |
| SHA1 | a1a7bd7ed4915ab02068559da4efe753da4e8b6f |
| SHA256 | ab304a84ce9e98c24791154e4f606f55a6248d901c8e88779cb1064890d15d46 |
| SHA512 | 9b22f24571de1c452a69deae1eb869b1ced27bc936d9d3322ac7b4ff65a296faf58a6afd1648ef53dadc16c664bfecb3ab0bdf386e9f255bcc337a63ce0e65e1 |
C:\Users\Admin\AppData\Local\Temp\MMMU.exe
| MD5 | 82fbe0e036e95850299f1f300f95b07e |
| SHA1 | 2696efa9042252bc35704a63bed7ac07118894b1 |
| SHA256 | 77f0a3d4bf112d49c1da8b3c7a65d68533a3ee6191dfa9a443af2b871aa65a9b |
| SHA512 | c2635360de0d3bf769bed926add6840452eb7bb31416be9a1d1a721d878fbeae998a471a73b548faf86e8dc2ca96bae071cd19a6342e3fad458f7857e5623242 |
memory/2088-1308-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2168-1317-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2648-1307-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AwoU.exe
| MD5 | 8c53b1abddd6bda0bd0e5cfeda53ce47 |
| SHA1 | c9083a1f2e43e1f7bea829c4ceb58bdd3e7009c4 |
| SHA256 | 413e1c4c96a35ec527d0888993c1fc977f2e0770836f5835f1ae67663f6e72fb |
| SHA512 | ce9a0093666eb9d509e1aae653de3219628e112c9e9bf572356c665c3868c0d2b960c1a5586d0ba09d559c1ac0968779c0ba895ec1b76b5f97ec4529ca583961 |
memory/2648-1306-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cwkw.exe
| MD5 | e9c7de071ed615d628be3fbd0a307f7b |
| SHA1 | a62393542811d048ec440981f0a60d26a98a9f7e |
| SHA256 | 9755220cebbd4004ec13b7ef182e94510058acdcc1b4ab6a9436e85155bf120b |
| SHA512 | b3933dbd29d530bceff2ade057faed2ac245712552a9e88cdf69129c5295ae5628f7c6ae991097711d91e6ec14b2a644ccc46cf32a4bc24e6b74457c3b672d9f |
C:\Users\Admin\AppData\Local\Temp\wYMW.exe
| MD5 | 98081f4356b11133105d516b1c3d3049 |
| SHA1 | 926cbfb72196ec39244cae0f5b8fbfe12c27610e |
| SHA256 | f16c21da73411a457eb69957797f0bf49c00ab40c4854e958d183c7ac15593b6 |
| SHA512 | a5ddc27e83032b4979e43ff14bdb06f8043ef690d7aa1a1440cc3738567bd42cb123d48eb9aa306254ff68d618d02de0a596eb7421085bb87bdc237f1fffd831 |
C:\Users\Admin\AppData\Local\Temp\giQIAIUw.bat
| MD5 | ee97ec9deada285c3d6626eb43997976 |
| SHA1 | abc87ec5abc92f782ed4bf05417a54e2cafc43c3 |
| SHA256 | 8213240e1b577d220b29d84c34a3dea0527b258b7568409016a4564b29ee174b |
| SHA512 | e73f1ff0f9d217c2a3a9e9e90b314b29cb196ede0e645d8dd45ce76002d5b93efd2090c80bd1e5d7354c8745dc148f406fb7f0c95b37915f42f35c5c5f09e683 |
C:\Users\Admin\AppData\Local\Temp\kgQk.ico
| MD5 | 0e6408f4ba9fb33f0506d55e083428c7 |
| SHA1 | 48f17bb29dcd3b6855bf37e946ffad862ee39053 |
| SHA256 | fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67 |
| SHA512 | e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914 |
C:\Users\Admin\AppData\Local\Temp\esMc.exe
| MD5 | 88b6026d76efff228d1f315276b51cbd |
| SHA1 | ab925f88d73ae4c8fbde102fdb3b2abeb5c4b2b0 |
| SHA256 | 35744388c4e191d0bbe8b6ced3b89686fc57c4e620333e83ad1e06aad19e6e6b |
| SHA512 | 896c58299900e9201af6254bbbbfc1997cee21b8da224f8c128b911fc73cc0bac25c3761ad15ff1d24a2095c829674666277fa10612665b0ca1106a213f64d43 |
memory/1724-1380-0x0000000000120000-0x000000000013F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UkQS.exe
| MD5 | d6f27411821c05092be3dd37edb1fe30 |
| SHA1 | c66e1221a429812aee8191e33ff2764e9f9d8da6 |
| SHA256 | 1a535013b3b440a4df282e4889830c3f73da9f347caadd87774b445c73925e78 |
| SHA512 | 2c4fc0c1857831531b6a058fd23eb7ec635477b1a2699aa3a627295da42bfb578c712e0e4d5514093e29d25f255658701421b2dacceaeefa6ff3e5ada61a3dff |
C:\Users\Admin\AppData\Local\Temp\AkQYIoAM.bat
| MD5 | a391117976d6bb435309c6a26614cf7a |
| SHA1 | 1eeb85dc5292e9cceb2e3afb5a9a74b0636c46ed |
| SHA256 | b0415dac4c608a75e19ed44ab387d5d33020048cccdb9056804d642a763272f6 |
| SHA512 | ff7f1cb066ffb2e7f31e0e1be541b8a0bae54d40923cf369e1e273cce31f959d48ca01d34381ae1fb6005482f1cfc34f8743fea81347bfce7865da051d5cc3b0 |
C:\Users\Admin\AppData\Local\Temp\WUQI.exe
| MD5 | 235d3a866b324206e85452912c17ad98 |
| SHA1 | 68cf123c61d51408d5c96e02790f344ca9c0e482 |
| SHA256 | 4e1c1b326f543d6994f1a6cf635d7a1e319952a27ead8afbb74e2663f5ecd341 |
| SHA512 | 32a6311d2ea773e6fd7e97f9484b411d1a6debe291cc7d6c98403488131ef7711ff48523b8bddd06b9150e971e57caf923986a4d19c281ed83c13cae933964b6 |
C:\Users\Admin\AppData\Local\Temp\cQQI.exe
| MD5 | 24b01db0e3fea78689865cf3023a12f5 |
| SHA1 | 5ba87c719d9baef460cf17bea63551107c503f4a |
| SHA256 | 983da5f1fdc6e021f4748064082a7fc76c85434ba90762087559b782cab6366e |
| SHA512 | 62e309cb11e78e5b8884e3cbd6012bc699a8d97a6bdc2a89c6d8c567f3bc180891708a20ffc8fedd2d5c67d81517e3290c31648057f299e2e3577395a09edae0 |
C:\Users\Admin\AppData\Local\Temp\AgIQ.exe
| MD5 | c21575ed7378ca47cc5846a1d35e68a1 |
| SHA1 | 635ecd135e24f8e1f9ed0fb9843c41aaeaecec2f |
| SHA256 | f9d18b5757396bfc0d28dd5b6466bd26402b6fcc16245170a7732e495021eb2e |
| SHA512 | f85989fc615dd18bda90d9e21d3a300eb3f97f7eb0cd9758767efbe40de2c8dba71235ce6f032c656dca92e3149dc89538eabc3c2366cc037e377b34293e090b |
C:\Users\Admin\AppData\Local\Temp\iIkQ.exe
| MD5 | a7cca9560acebaa8b8c8675c0f2b3387 |
| SHA1 | f310da3a2d37628e713596de7d838f64f3eaa17e |
| SHA256 | 7a42d3e786866e1524ba3b011cda841ab488daaee78a93d417fd860563997795 |
| SHA512 | 6356d8fd08ca43678f1b77588126d4a558e49fbbf07ca33d219c91ddab5efc21777bb62bd9b2f30818aacd43d486665987870f24ad5f30e086208b2ceee11c24 |
C:\Users\Admin\AppData\Local\Temp\ESEMUkUc.bat
| MD5 | 47b69391cad46e61cc719bc6749f0b19 |
| SHA1 | 482b431a7c962f4fbc9db6570f50989145e80059 |
| SHA256 | 6eb0b99a2a92f5e1451ab4e744d24fa104ad447ddbf900aee666c9d4cd81e003 |
| SHA512 | cad4975ebf46fb59e97bc079b1f5d1b5a5a734e76d555428744ad28aff0514c2ffa2d98fe29e8ccb29aa6e4b971e2dd6ba690fc57986a6c582be4148f127a426 |
C:\Users\Admin\AppData\Local\Temp\AYMA.exe
| MD5 | 1354b8b686c2544839bfe0218d71d073 |
| SHA1 | a1df2df6523c63bafccd60c3154aa7f6cecff789 |
| SHA256 | 06b9d14315601b22bfa4c1455e3d4d374a2fceef1a35a78c886aa9a395889021 |
| SHA512 | 828bc9c76335f6de51a655fa9c636bc68e56856417bcdc892543e33828057ba24f8e5ff87a8e160e2628ff256fff146cc5d97af75f3de4c7ee4722f6e0b0adfe |
C:\Users\Admin\AppData\Local\Temp\MkoO.exe
| MD5 | 77392fe983b14b761b62b97d30d74e4d |
| SHA1 | 16e46d274b80bb17732b2a1dc09938937e0ad99f |
| SHA256 | d685e41ce064ed5445268c67a8eec19a316cd6b3464e34f11bbc817e2f566259 |
| SHA512 | 5d24c948d5a5eb681c8ac084ceb24170d097a72af033677b89f08c9f4e0227ee5433b20507a6a09df0cbb6dc26889f16e3a4df11bcc1c4225380d98fe12414ef |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | 86c55206b92f4d70f97cbc19271b2993 |
| SHA1 | da04756f3dad8ba09f1b0f6547ac1072d799dea1 |
| SHA256 | ec918ca6e6c94b20aa1fcc903770d290edcfd5c412f9e49f0c26a174f0971692 |
| SHA512 | a231c2aa2e300de21729e0548003d675ebec4dc4b98498fa66db6de6909209f10b693eefb428942f4198bfcc89e07bd4cd8ee76a070acc0d063041ccd1ee2453 |
C:\Users\Admin\AppData\Local\Temp\egYW.exe
| MD5 | 6df7f5167e000f2dca3a32c9072d88d4 |
| SHA1 | e19fda2663945ba96bc70f44a085e699a95db713 |
| SHA256 | a540fb74d53d115b5c83428ec52bd48480eea34a0bce82e7d8de029424c1473a |
| SHA512 | 6110600910d5bdfcff7722aa9ade7a02a59003bc4f44de61130e237c2298b79691b2b65ba992e31a179d3d3a32751ac821528b12d12866e59932d5aa6544e3d3 |
C:\Users\Admin\AppData\Local\Temp\lococsgw.bat
| MD5 | 4c193eb3ec2ce5f02b29eba38621bea1 |
| SHA1 | 7163d28263e69194a23cc96dde29dd92886fb034 |
| SHA256 | 4a630b8e79a0cd2fbae3f58e751abb28d0f4918f76af188d8996f13fabe08af8 |
| SHA512 | 796aae521f4601174a336fb283ff4ea9e4744b6629106757f6391e442ade57eddc6834f2ad85d7d1f545751f56cca2081e92fb48dd17ab18fe190a5fb4adab91 |
C:\Users\Admin\AppData\Local\Temp\eckA.exe
| MD5 | 4c7aaaa3e8b2403acebb29a8e971f1b6 |
| SHA1 | 7bafdbfb7a845c56cee19a13aab5be32675406cf |
| SHA256 | 93566bb80b346419fb368435694a3b25ef1b714ee9bc9174231f304f0d6db784 |
| SHA512 | 4c1238457a4d8646c37445e7543d211f5d6e5a3dbc6b6a1cc778fc0dcf3eee3674b5943defd9d829f5f97583084b4d3a3f99feea46a174b1112d58841a679bb2 |
C:\Users\Admin\AppData\Local\Temp\OEMs.exe
| MD5 | 2feb9883a1852574b97f0378434e22f1 |
| SHA1 | 42cdc6e5203a0ae5fbbbb8176b530181a0124a74 |
| SHA256 | 892706b60c001fdb146190e9405b52a5c24c030538dcb3c7dd35c3a3b06009b1 |
| SHA512 | a81bba22c0d612aeffcdf453265e3cf64ef192969a3b910f71823e9cae80e054715e0d37c9eee380e2833a039f9c256326841869c913a249e9edc2eb93da8c4e |
C:\Users\Admin\AppData\Local\Temp\kMcq.exe
| MD5 | 3264ce356130cb46be339a8a745ca10d |
| SHA1 | d53a2253898075c3657bab347cc31a9a4b2498de |
| SHA256 | 1e1f9450b6638ba0da93d1b9c9b605458558dff27b86ae414c23a6615d5ba000 |
| SHA512 | bb6d736722a1ee9622b92b51b72ea6a32492f9fab7ae544ee5926151680a4d3acce15550733bb4db8177ad59a2bdeadd4107bfa0258254f50e15bb51c39b7710 |
C:\Users\Admin\AppData\Local\Temp\wkUC.exe
| MD5 | bfb1f59c17aa06a54444ac493d33031c |
| SHA1 | c262f5430d77eea3c90ebfc59fdfb695b497c0fa |
| SHA256 | 4c8993ba1596541492c4d3d6a6eca0c9d2a85c4ab17660f232e733c3f01fde09 |
| SHA512 | 7a8363265ad105a65832c0011744ababba18412dcec3a3dacb0cab3a5a356cff8ccf32bb34fa283b3f41cbf08bac2d02ff23e61208d6ea8810a51a55abc652c6 |
C:\Users\Admin\AppData\Local\Temp\TUMAcgwQ.bat
| MD5 | 8b69d8462484c30f1834015e791f8533 |
| SHA1 | bfbdc6cb01a885c0aaeed5c33636d9360fa1f92b |
| SHA256 | 6636ffb8d2480b18a0abbaca63346d428260dfffe7ebc400ea2cfaea23cceeb5 |
| SHA512 | 7c2a33d7db5e252eebe8b7cc331902589815f03b9ac602039782b518846f475dc23f71febce3f0de0ee7a417ecf1b1880d7433058b4375f596aa97ae568923f7 |
C:\Users\Admin\AppData\Local\Temp\uYAe.exe
| MD5 | 4c7565785050f63a1472258b67ac420e |
| SHA1 | 6e06b46a53fbe6f81ba99c663c6a1bc0f09abce0 |
| SHA256 | 94b6666e943cadd82c8e26a246856adead3404e4b8a87fb637c789e97ef3323e |
| SHA512 | e3d037ffd49d2a365a6a3bcde7b39be366d3d00928eb674db52387c7335f358dee6a44f69eab0ea3e8b43b6c65f77fb336c0c4df8c5c2301d51c4227069a8ce8 |
C:\Users\Admin\AppData\Local\Temp\skYG.exe
| MD5 | fb49da428034a1e06798e52cd5f50228 |
| SHA1 | b06f2c4c2cdd0b94b6013917306a5876a9c5c64f |
| SHA256 | f027146d80ff32670620d50e3a7ecadf5a8acf73dd091508c9e7cff7f2c1d588 |
| SHA512 | fcb9d0d8ac03bc7ccf48c6ac3801774c35514f1f41e284418a6f77cc1abd5d010add252ca5a541ab029c5dd2733548a72487699f40d739264514e78417f119e5 |
C:\Users\Admin\AppData\Local\Temp\XqUEwEUo.bat
| MD5 | f374d636f71c06c726a3b6cc0f769a98 |
| SHA1 | 252b69231dcef0cb870e1df93435ba14444d96f1 |
| SHA256 | 915eaefc3266b463751a91b41aadd57885a36c6e1644eb538d76b0ffbddf0a13 |
| SHA512 | 9ae835404e60330d7a00557da74c16577e35ec4478737a089ac5cb6f89004f916dd73462e30f45bfeea3f37d4939ca489cecb429c61d58a564b5defd9c52e75d |
C:\Users\Admin\AppData\Local\Temp\UMsE.exe
| MD5 | 4d5aeebb867e8caca0fe42c24c9520ec |
| SHA1 | 5e543192940eb1d95db6c222d42626176f2eedd1 |
| SHA256 | 429fe1050bbed610536fe1b5ccce507862115ff88f359aa36a6443e6bb481951 |
| SHA512 | 0f22d16a45751f683f06d81433fd0ee4901b0fa34dec01cde49928dc009734e9e6d4640398bfadac70d7ca9f35572f03864ad340c06f90ef93bcab9e024bff05 |
C:\Users\Admin\AppData\Local\Temp\isAU.exe
| MD5 | e3c098356154fb2a793e1497ca8d7942 |
| SHA1 | 84d1247805fef508e0e0d0b6bd375398bbad208f |
| SHA256 | 47010e0bb1d93fb212ef04e298558e54dbdece12cfd592bb12ba5ac1b5900138 |
| SHA512 | 72389ab836f7079134da0ea4d1bc2be9697ab0b6478581448ff0dabb7bf113f900181062a04b2b03508c2ef82f2b106eff42c9a5321efbb8045bd3c9a2d60ee9 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | a5e50a4bb443ee317d9720049968ee27 |
| SHA1 | 7fc4e89535ac18259a9f04e6408a3983fd2d7040 |
| SHA256 | 390710346ab6e5f243520b32e42d24214fbde1320ad4e90a410d08fc1aa0bcdc |
| SHA512 | 820a8173bba860ad9d1cbee5920f325999eeb5e8de39a82c63acc8f7624cd4af119f4c29a8d25f8a52ecb75cc4570af154122750bc6da635c2c7a7392847b34a |
C:\Users\Admin\AppData\Local\Temp\lKEYMQEc.bat
| MD5 | e48fe78442179b5b6baab0af84c2785d |
| SHA1 | e43d9b211d22f29c1c9893bcc6665ab4363ae9d4 |
| SHA256 | 4484657568641c4e995bb3bd336d37eda5e7a08fc44412a5cde3ceba069c104f |
| SHA512 | b8628acc3f7dd075d807199352f5dd004bd0d9aff7408a88eaa69ba24983b316fd132fbc5cbc7d748cd3396cb62e21bc709cf33c2649532d4b4a59183e2e6874 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe
| MD5 | 5b2d1215084dd8a7e40f8640e674c4a3 |
| SHA1 | 491e4f012a09ad09f83c977994220cb70f241d29 |
| SHA256 | 933e10399f6d72e64aea3c875fcf27f7a8620eda248045380760389fe20a6eef |
| SHA512 | f6560a14220a1e518c770b9f4eb4526c5124926b736b4260963b55eaa5b5d2a92516d8197fa231cd644eb0d3a1832d7a7f90a369b8655d0485de4152d9ba5d79 |
C:\Users\Admin\AppData\Local\Temp\GAMG.exe
| MD5 | 3dad03d8a08a44ff510292eae15b37b2 |
| SHA1 | d111f0ba82f787c4dcdd1287eb1b1d6e495bce79 |
| SHA256 | f645f663e2045735b2e9c79e849fea78e3a4a9800e15a979d6a6fa806fa20ccf |
| SHA512 | db8df2705c358dc6f6638d523dca4b6caf995332946767e7b654b2ff82af1bf820f7c86a34d5b78d3cc043ce2314cdb10966c78e3d1f7b26e77511b6cf9d19bb |
C:\Users\Admin\AppData\Local\Temp\IcIm.exe
| MD5 | 2110e95ac90c2b7e4b11f298ca5d174a |
| SHA1 | 706a2af91a9c7a0ea5a57486547698b390f115f8 |
| SHA256 | 0a2db146016dce2faf5f861fffe284c72a136aa690dd16ac77edccf67b8a8fa5 |
| SHA512 | d688f55c951adfb4b6640468e327df01baf18b8f4b676fc6407e910a81397d606e9614bb51f0d13bebdbc6397d2e971f14ecd89aaa1455c0cfae69abf75f7ddf |
C:\Users\Admin\AppData\Local\Temp\MAUu.exe
| MD5 | bfb60bb2708f01705346497b63c7f64c |
| SHA1 | 74f9ea6dac49784fd29d0ec5e672cdf77bb1572a |
| SHA256 | de53b774175224020f29b95e3448ff81717c7d4d107f58629c18d3ee82a976e2 |
| SHA512 | d7e0c9b6a213068c21a552443ba968e81945287670e6b1b3a5e6d2177c0fcfc5344391f94209df5f9711cbaa46a30c26cf376f22cb64c0cbb3e16cb974aefb08 |
C:\Users\Admin\AppData\Local\Temp\iIAW.exe
| MD5 | d405cfce4a4695f88b4a98ade1e07eec |
| SHA1 | b9ef07670b26bf3fa6ad4c243c02a4368bd102cf |
| SHA256 | 94e3b0eb22deae363b7013ce26d0addf7f516cd48a7b0b443896a714a97c51f1 |
| SHA512 | 1755710fde0e76a5181bae8faccdb88a68aef53f8485c804371c60736e75aa08379be83811894c7683f9d9a66ad01efcd5f65e30ce370639106028456a3ca0ec |
C:\Users\Admin\AppData\Local\Temp\EswoUsos.bat
| MD5 | 6eb9506973c850df2644f7e0f7caecf5 |
| SHA1 | e0eaccda018423950d384a803bed80bba955e63d |
| SHA256 | 4b01d8cbd3a3219752a3486094ccec6c6e1384a64807c96b4150491798778097 |
| SHA512 | 0daf8420bd8032c930b95e3c4773cf183e0e4fca7e4bc7c1628aba8b7bd2481a48fb1b1bb5f754fdfde3774c3a9711d300dc47565acf83409b0d104e124166d9 |
C:\Users\Admin\AppData\Local\Temp\cAcG.exe
| MD5 | cc916837e305df4f60b72559a44dcc6f |
| SHA1 | 11aa6d2a1adf888e4387d7ec921991629c23c31d |
| SHA256 | a63248e4c7b65a14d61ca96edc24f6e8d58de01cc3d3483595e3cb630afe7ff5 |
| SHA512 | 3eebe388826b279c6c5c1061a8f0b899e2a421959f5c6f665e41bb9e3005febd300fb799625ae61732a031742b16cc33a3ef569c849d6b14a840ecdce0bba564 |
C:\Users\Admin\AppData\Local\Temp\kUcm.exe
| MD5 | fbd054c27cf281276897c1392bfcb0cd |
| SHA1 | d9cdc5a2ed2c583f9a2841b9977bb68496a8b836 |
| SHA256 | 1e3a51e9156f0b902de304df4a9bc69299361c4276e9b2ed13a7bb4698c37ec8 |
| SHA512 | 60265511f603a6330194dde2619fd0ab256995c748bd67043b0b681a35a5b24f966df6d343f2f1fd75b278ccc8d38c9e49165587c68ef3d94778fb9221683762 |
C:\Users\Admin\AppData\Local\Temp\kkMK.exe
| MD5 | 0d29ed46ab7fa9db2d8448b5ec4cb9fa |
| SHA1 | 7f62b06760f31803f865aa9a0235f42b4f40cf22 |
| SHA256 | 4c4466a4e0c942c9dff8389b68596b35305790472012a9df9a0d25f00b92d13a |
| SHA512 | 50bbf95e300b51a24ab92a44bf2158c9ee3a0253cf7e1493346e1d53b21285dfe9e8edff249bac1f76ded57e65f6e56c50b27dad3cd26d663510311abc6e483d |
C:\Users\Admin\AppData\Local\Temp\CAUg.exe
| MD5 | 78bb66213217c05f2f6820d30968a2bb |
| SHA1 | bbea6acde68c7cec743e894928f782a44893d684 |
| SHA256 | 69d7352d7ad46ba6336edefe6f7f0bd2ac5042e95911ede72692297ed4c6f9fc |
| SHA512 | d74226db3a267de5d1fd5d0306c4be02d1ed8a4bdc695849b28527dda0e85342b56b8c51aa214fc84535674f6d14c0bacf6ab5166fd345f1e01972afc0999abb |
C:\Users\Admin\AppData\Local\Temp\kkwksAUc.bat
| MD5 | 2edf0d73325cff91e8de2191c7ab60c0 |
| SHA1 | 79449e46bbe716ef5219a40d4f11b66af68a644d |
| SHA256 | f764384fcc37f899b8981f679b1d23cc1feb7d24c85e4964d7d7f08aaf4c6c4a |
| SHA512 | a0dd8398396b2c9bd754e1c25233045ffa9752cab17cf8839f2ecf277f7d5e7e72f1ce9fa3db73dd5046857d378555a830524f8ed71b9e1c46e751ac3c187548 |
C:\Users\Admin\AppData\Local\Temp\YkIE.exe
| MD5 | a521efa1eba00e7d4dfcb883ea83b33c |
| SHA1 | 0d9c975611d0ed79205bd9ba0426b03d9e17bd1e |
| SHA256 | 5fe7b549bf041aff89d9791875c0e541bf41cf97c69ebfe6c1d3514c60c8b33f |
| SHA512 | 6ac1e731b3054d6b109ca2b2ce7842a471a5a8948fab769b28e9edb61ba9d28c50e568ea2d6d657e626a6a852616c6035fe56c81bceffea1be2189794872545c |
C:\Users\Admin\AppData\Local\Temp\koYu.exe
| MD5 | 507700eec40aa5c2a9cfd0cb0ebb41d5 |
| SHA1 | 132e562c0da4418412e3b9ca838de3944198c300 |
| SHA256 | 70bc84bcbf48d20e25038f2989d9bd2d95b69a5ae25ae63b6d8d1d1d4bd52924 |
| SHA512 | a19ac07a725ae64f2446c00e5c2e4335f05b832d17737d56d21165189d2673c84457d51f0e46ef71dda329ff68e1758d70c6fb5b42c53fbe6331df2e63254c5e |
C:\Users\Admin\AppData\Local\Temp\MckM.exe
| MD5 | 584cdb48739e8e7b3391acc86c214694 |
| SHA1 | 2252ba9e833fc5ee651290723dfcd9d6c20382c9 |
| SHA256 | 22683a0befb36a10d0da7b5223150a63385039ea1eee92f35c39446643da7f95 |
| SHA512 | a5a602a806a6b7a2339603fe46e4ae7cd544977c27eec185f767acc68bdb03c5e67e1c477b158b3db59f069f4e69e48132eddd572a728184a04ae19c6510a5ae |
C:\Users\Admin\AppData\Local\Temp\Soou.exe
| MD5 | c130d495c2d7c38e118909a5ffdb0bd7 |
| SHA1 | d3077159d61dcbda17540977a8c8a9c501c4ce76 |
| SHA256 | 7b27b13e267d9ecee4f745bd0683442fad5954d03ecd8bccd4347d7eaded15fc |
| SHA512 | bacf698a230c275d4997b99b7554a7761159de5e8cad9c7eae5b42076e0f6057b60f762ac7481a21418de2c8cf7deee31a991d5fde1a1d7303a72b0903da8f0a |
C:\Users\Admin\AppData\Local\Temp\awIM.exe
| MD5 | 927116ae9e2d133d17250eb9a62da1be |
| SHA1 | 7aba7a5ce8c8df766bdce074bd276a61530f3d58 |
| SHA256 | 1dc812d5778091daf4229dca8c1526a16f0a45d0a7f78a29ffb194ee8e20c216 |
| SHA512 | e8a03c195a70d8ccf0608293b68abf297d59a106c53d885175fdac937240694b1b7fa7cdd2af5a8a22d4877a80dbf2b7b5b7d8720b894cfb71f20b5b8c03f4eb |
C:\Users\Admin\AppData\Local\Temp\UOcEIQEA.bat
| MD5 | 5aadc99dddf8493c25808eb033c3b97e |
| SHA1 | dc47606201fcaadeda01df6fc72fbafadf2847d7 |
| SHA256 | e9f9b06c7eae41b4f2cd5711d16adefc2ad715b64cbc654ceefad127cf878fa3 |
| SHA512 | 30613fce1c575e5888b807380f4875e2968d0e9e4813be3453a3200f45250217d9f64dea451f597ba1f4d668077329ab63c16bd391a598837b3f0d3876645015 |
C:\Users\Admin\AppData\Local\Temp\igAO.exe
| MD5 | d93c8fff4550fd9df74dd95fafc08320 |
| SHA1 | 7ca158cc493adfbafa1aa157c68585f325e3bf9c |
| SHA256 | b65865fe82c839c085b8b84f7e464649d3fc5cb46b3153259acf58dfe2489e4f |
| SHA512 | d15c992e311890113f8ca439042a44eabec68fb2bf2ade5aef7d5a650543c052aece8b42d5658e41dae1353683680b0da951ef88d1ec96ad9fe2beb71354fc8f |
C:\Users\Admin\AppData\Local\Temp\AUsA.exe
| MD5 | f02dda539340068b5630ee1cd0d1076c |
| SHA1 | ee0e20a3b906b8ce5afed98cca359b6f8c0674de |
| SHA256 | 852f28e23fc473849ecac7937374efac0821f41328c7a519437b4797abf360f8 |
| SHA512 | fd793e5beec697b99920a9cdbd260d6d3dec75df75658fba0ee60deb630523f1463c9a2e2914717c996ffe0b4929c4544a7968515061d74b51946921b6ba5517 |
C:\Users\Admin\AppData\Local\Temp\YwAQ.exe
| MD5 | e00f244a5b8933379b5ebc821facbea6 |
| SHA1 | 0b448c4a2bdca1412f1d79d59ce54f642f8ad48b |
| SHA256 | 1c60d55c3e50b740d1a41b0fb198c13d1adf0afa11bf788db4e6871c91c7a1d3 |
| SHA512 | bf97460b9073448ab81335e49732cca9b491cb2d15d894d0eb156a0d152920446776e284a0e1cea31bcb484d09a9d0ddd51a91fc5b4dfe5243fc05289d80a8d4 |
C:\Users\Admin\AppData\Local\Temp\KMAw.exe
| MD5 | 2df073feb95ba6c79006ad612e2bd4eb |
| SHA1 | 49276ccb157f1b290f2c67f302422bfb687aa5e1 |
| SHA256 | 3603e181020604c6823c81bb066271daa8169674b588cd3eaad55a9c5c250e7e |
| SHA512 | 3732d3c2cb336e13a8b624fd62237f34c4f900f8596dffc7f663c5296d026d0331e7c2aa656d51d979e331792e2ea3a1822f94bbb635006d2f6ea9ab06a5825c |
C:\Users\Admin\AppData\Local\Temp\paoEQQQk.bat
| MD5 | 9dfd724af80ffc4b4020ec9279d84298 |
| SHA1 | 927a20ad2f5d52a2e3fb7fa23948583a08d3ffba |
| SHA256 | 7782b95219871b7a5c748b184883c951112409be0aac517d2619cee542c454fb |
| SHA512 | a91fd5c5a08e0ee2ab9119ef23126233c2f2a4aae1dc2111e8b42a4c1a3e3e2945f1741491ca5b28e544c9ecdfe70e6761bebf3dceebdeafaeea3832c35e56ec |
C:\Users\Admin\AppData\Local\Temp\YYEM.exe
| MD5 | 006f021a9952d2114a363f63ba5df3c6 |
| SHA1 | 844249ae507ed321f84597a36e46551fa6b9086a |
| SHA256 | 26a638d6374b05994108ddd119f896e2e42a8eef6369a0e223941fc0e1c03798 |
| SHA512 | 11b288efa49e757f397d94b2fcaf9e4047f4df6420c0e9e46abbee059600412cf7d803efd5e1772e5cb3c32afb25923cf63a952e85c5bb0fdc8147ea2d1c5c91 |
C:\Users\Admin\AppData\Local\Temp\gosY.exe
| MD5 | 47a7a7cdf77f5a4100a289e0bf31aeb3 |
| SHA1 | 0c2b882bcae9a602e3c3dfd9429a317967c6ee09 |
| SHA256 | 6307b4a6704a959a5d42d95e0bb0802fe7f4fac17c89c95cd1d45ac6b901fbe8 |
| SHA512 | b7874a51d40ba699d757e20eaf3a2f489272518dd701eba33d88570f2e4929467e74118a8ecab1929014a99d86d658c176c747a9431d5aa987c100d265b6c7af |
C:\Users\Admin\AppData\Local\Temp\eQgG.exe
| MD5 | 868ab85dfa577b61ceea01244e22ad51 |
| SHA1 | 309f45a072ebde774174f5c7aa7711035f018222 |
| SHA256 | 635f2dc1a624c2ab396b59f43b996d7c58c0161aa67a648e9c6cdb149ad73d0b |
| SHA512 | f95008ea1cd7252305477b7c92593597080f5328458acc46cbe29e83a7858badf0969d0273b68c6e51ba2ffbc3312660a62761911303a399f919a48915f9bc40 |
C:\Users\Admin\AppData\Local\Temp\TIEMMcsc.bat
| MD5 | 0ec4247338633cfde7f80e4ec6451302 |
| SHA1 | 7d2e648f3da13e2ff66362f6f66867b499df58ad |
| SHA256 | 94de87a5a0805f8e94a35688c4ba37e35f867b7637cfbce96961604af0131c98 |
| SHA512 | 1ac8841cfd2b173809b1052adc151623dbfcff52564877c901483166b5b0e879bec59f11547183c6fea6556fcbd1e4dedb441515a109e75bd10ce8edb1f7d1b6 |
C:\Users\Admin\AppData\Local\Temp\aUYa.exe
| MD5 | ac22bc3ed4486e05a7738d4050a945a6 |
| SHA1 | ad515707e269e3e0a6078479828a46a3784cb887 |
| SHA256 | 316c91deb18c11d282131bd04b45d4f0f939b09e125c9b776dfe2f664df76082 |
| SHA512 | 9352a254c5712c52d2da962bf50b7e8d053111f2e9c69c92814ab32b0653a2d27b4697ffc26d95757c32d4d03a8e7b034559e57fad96e712b6417288926dbb17 |
C:\Users\Admin\AppData\Local\Temp\sEgk.exe
| MD5 | 7c8bebcae9d0327ce05cf9f7ee3b8aad |
| SHA1 | 0c8329376aba6a0624f9f85100ed97fd032a1d06 |
| SHA256 | 4870b431a718e8a923919c6163a3ac3e6d5831b54da555b7767d42f21fd8ea9e |
| SHA512 | c37de95f9067a6fdfd97e1b8998cf53cc711090efefc861c5b032323f987b39883621a8d9acc9d255372591bae6185879a7cbdb735a5c760810c59ab94035ec6 |
C:\Users\Admin\AppData\Local\Temp\ugIq.exe
| MD5 | 7c8c03ab6729c0d8f6466501b9bddcba |
| SHA1 | e6bfd0563e212727aae31af361eaa792cf107b0e |
| SHA256 | 8784f64b62475dd6a9092b8c2c9bebadda11275a42f5be8aaed70e3c38bd2304 |
| SHA512 | d97f19cf7b9b9044dde0d129063b848808acc2ef0caca8db900bd8ace37998d5339d9679c0c7427b20ba185585b6aefefd11c8d8c14b8a59e2dc45c18b3611ea |
C:\Users\Admin\AppData\Local\Temp\uYkg.exe
| MD5 | 3bb81bd114ada854e775ae008a30e52d |
| SHA1 | 97a33e03fe403349d0de3ce4c2d5653e1f516d74 |
| SHA256 | 87a4614ac64cdcfa564adb3fa2e2a62342210b1010433760c9b13cb3f906d163 |
| SHA512 | 2e92daf87032d501e4c82b17cce7792ec6774b4db06f2fb1151d4391268c96ac470d4af8a4e0a2e2e3f6a98c66f1f98d6cf1080d272847273668c4a5eb4a5967 |
C:\Users\Admin\AppData\Local\Temp\NmEgMsMA.bat
| MD5 | 4720f1abbedec69478bbfc6635ce2a68 |
| SHA1 | 6b97954614e3c0536722b92614307f9b7a2945bf |
| SHA256 | f478ca54da9675492da1353efa97f377361ad44dc24cff7c0add0cab1744c568 |
| SHA512 | a3034ebd8aa44778f83bb72dc935c6739556fbcf7357b209c65207cdd7d8f5eb25808c9f1a9d8fdef8db407df960e91fefaf9e3c5cda7638f181b6c0f867af3b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | dfe187acecc26a45ccd65d4d9876d7ac |
| SHA1 | 65e6565f975f89319671c008ecd8261e44050a75 |
| SHA256 | 0b8532fb3250516bc8f6225951839cd44dff62765404d9c9768ff51be9b9d68d |
| SHA512 | 28afeaf1425d5baf5f159078dedda2107f3c47398e9123a13f3c9123b7141d6d5c51ba3c088ff2c4d5c3c8365f9cd9f44d1d44ee6c6cd84841ecc4b810df1595 |
C:\Users\Admin\AppData\Local\Temp\IAYi.exe
| MD5 | c77b3b529b25f8509123ab5d854170e9 |
| SHA1 | 7439f61badae1d0da7405d87d5cc93f83f8eb6ae |
| SHA256 | cd147ad7e9c698f87d712eb2d1cb078787e388bf8cfd5bc400f08ac57e89a0cf |
| SHA512 | d88108fea2a9941d1fdc9165c5af7a14ce36574363d18c9c64db2f87f4eff7f4683d9e5197e63653fd2e5afdefc5bf7b937fbea8c44d26ed1847f2b1bdddc5a6 |
C:\Users\Admin\AppData\Local\Temp\cMko.exe
| MD5 | 2a598112530a08060d99550881f4f7bd |
| SHA1 | aca839f6ef4d39439fe014ae7061bf85a4e47dce |
| SHA256 | e7f30f37039b5e922252422d05d1fa18ff6fe7f9a91bc57751e6af6bb6d6f5b4 |
| SHA512 | f06af957f4e0130a8dfd718dd6b1644250360a7ececf4e3ba932657f79998f62ba2a1c2eb025790e96a784b3d103a08e24bf14b78271d8ef7d1cc2f26f3011f9 |
C:\Users\Admin\AppData\Local\Temp\aggO.exe
| MD5 | 7115eda2af4a583537507ba0fcf5716d |
| SHA1 | 9e1ca037acf0a77ae14234bab3ae0dc276ca4beb |
| SHA256 | 808d372d0343cb187cc93be7f5d4461e7ee817bb67b702621db40832bd199f42 |
| SHA512 | 44cdcc415017892a137dc20bc0fd8ef4deeed008703673ed8d45aedb69e24aedcf3978777ef9d5172a9348de2ec620aa26c967e63d735062e17aaefdaab47e94 |
C:\Users\Admin\AppData\Local\Temp\TMswkMow.bat
| MD5 | 71a96a1c79de0090effb7004111bc370 |
| SHA1 | 5eca5a996da502f09496b5dce7a3def0aef7dde7 |
| SHA256 | bcbf138ecc1dda2ba64ece317efb05925e75f797ef1b5eaf4c33b2cc7a619b01 |
| SHA512 | 0e222e3e4990a32aef18c34c92950abdd857fa73f43ba2c379fe1da45197411f12a7fdd660265a59c02ac0215e86c892d42738329ef6c3673cde8b7a5d9d2a08 |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
| MD5 | 9003ffb9b0535f08b8927d698d67017d |
| SHA1 | b87f798a2cd2b204f826968db943db24f8c3f052 |
| SHA256 | 00892e0e3fe8510394bf0d10aa558c07e589affdb026d1f8de4a41f3c33f2c50 |
| SHA512 | a26d95860302f2481af1febefbf3a9e6af592a429f0848e345089954b03d6749fb12e627d6fc50357c3da63b9e9be1ac511c1c90a2d98a6915309398051d9cf0 |
C:\Users\Admin\AppData\Local\Temp\ScsS.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\yAocsIwI.bat
| MD5 | bbcd480cb40c52516e600f391c210f54 |
| SHA1 | 56dbdb1e91a2d356aa470d6df0d31d8d6537da43 |
| SHA256 | 21d67ab96aab1373546298c40a7d6ee310c0973cd27ec47a155b27c90a0baffc |
| SHA512 | ac60de3626a86c7e4b063eef313325fbc1e76689dda89b0188506d8e6d1fe0876c9c5e60aafcbacab9cff470a000804f1979ce467850315c3fbb979c8eee4743 |
C:\Users\Admin\AppData\Local\Temp\eYsw.exe
| MD5 | 7cd100d3ad8d1f3174842a29028aa2a2 |
| SHA1 | dcc982603261349e670f6542b76f22826ff22170 |
| SHA256 | fc32dc80a3f4339bb625948d8833600bb868c956e595d221182ba5f028eea4a2 |
| SHA512 | 2ecd474b4aa4bfcef177997ab56ea3f8fa51b52ba2f7f6f9201d57a317083c6af8db430b2ae28c35136f77616d7baad994e41ea60bc817fa7473a402bfe83479 |
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe
| MD5 | 34c38bcf0a9cf148a6af2469e1b9a632 |
| SHA1 | 32241aacfae2ff57b806cd1ba7a4545dd4796e7d |
| SHA256 | 55ecbd99db0dae7445d160f85e4c8572e87068e8b6b3e0c684758ae3bfac2913 |
| SHA512 | 1dcba18121157e85f97ed86666b1708d60696a46d5f041ed7d0acb20763d473715a493850ff1b235fcb29ec41c8ee7b59cb8cce7cb768d6198a0441c1f351455 |
C:\Users\Admin\AppData\Local\Temp\gQcI.exe
| MD5 | 0142b816a4a6c5154c3fbf1dd9b2a40e |
| SHA1 | 62eff2c11c7935aac83de1a9d69f6bf81b640aaf |
| SHA256 | f79f5f82210514bc2626ba6929db68d8fa999ef7c6869e1614bd3d6aff84aabd |
| SHA512 | b90e29f38e0847c820d6336bd9564e831b90eb4b25bfa67140ef9c68f03e033103b789e00733e775a6befa088627f19f1ab0ebdcabed775574452551eae083c6 |
C:\Users\Admin\AppData\Local\Temp\WsIMkcIk.bat
| MD5 | 221af32b755ffbb4b75dc2daa7fdf621 |
| SHA1 | 258f5278c806e4836f427c8bb7ac994d60cc7a42 |
| SHA256 | 59088f531a06aefb605bf1b7b6871ecd2f2af6e6a8fa725d7a107a647cf5b698 |
| SHA512 | 409e6ebc013444832b22301b33a55fcc5bcbbcc98365ca824604fc6cc51b34812e0978e991f394643d38a3295e7c40b8eaa00007b6fad9f9231b13636e33e315 |
C:\Users\Admin\AppData\Local\Temp\wwMi.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\yskk.exe
| MD5 | e30a8c01b78b3c15a62134eb14594dba |
| SHA1 | 0f667c5939398819c9941f949f34fa638c2587d0 |
| SHA256 | a19dbd787f029ad4a5b6666f09d9c585410955da1f72f2c2a0f7d7dca2e0e821 |
| SHA512 | a7492b0b82370530c8fcc3a466d76a659683067b0393694fa1caecb97c6cf885f30687e4c4c81a8a61fe30f67d66256e66330e78773f91ed339abdd96f69023c |
C:\Users\Admin\AppData\Local\Temp\OIgK.exe
| MD5 | 1cb44beafcdd4b189df9b9fe75eafaa7 |
| SHA1 | d6712529e1f07a3a84977885a0e72ba07a9d5df1 |
| SHA256 | a038aa091e50749336ce45d0644b9b3d2f68ce426751b6b73caae0463b140f0f |
| SHA512 | ccb11eb812dd2c957dee08a95d1938f28f1e7512b483d7bd148e5dfd6388bbee152a11185abeabcdecd669e9dea44da6ea570b8aeb2e4f806fa379edda8c9ae2 |
C:\Users\Admin\AppData\Local\Temp\QcAU.exe
| MD5 | 020dc3e0679714ded30ff39cca1b5be0 |
| SHA1 | 9e4e365720036bcc03fb63fb109c7dcc235fd8de |
| SHA256 | cbde0a0ab06cd92c5d19319dfdca2be10e10f213addc78a90e5c8c483af8b51e |
| SHA512 | e81b53276f7aafa1dafd09f70a76c8361e1b4f46f8d03725896f38136d05a6ae93e2204550384339b8b1a46e61dc544a3e1b12b2271520691464140f1d461c76 |
C:\Users\Admin\AppData\Local\Temp\CowK.exe
| MD5 | 1c53302166a4a085b840c2c3de841543 |
| SHA1 | 254cc8c46b31797f30c41167c1108c7ea6f7ce65 |
| SHA256 | 1d9a036075133f682e322785a04299d9d34bcdc63eb02a3691933d39777215a4 |
| SHA512 | 21f004578f2f757eb26fd2fb76f300a8e5adcca942b6364610b9aa95b4a2bbb6471f5fb9b4fed2305e550debaa1a1d10bee3a6115dbf58a1c3b3914cf20049ca |
C:\Users\Admin\AppData\Local\Temp\acQO.exe
| MD5 | 957302bceb9b26015e48e7224a8e4481 |
| SHA1 | 927318c8fb0976de913103903b23f9b3f18af9dd |
| SHA256 | 31c194753aefdde73deb88dd0b989d72e5ffb5e60658a757d83772b852a92259 |
| SHA512 | 7d03ff87ffb43a33a0367c8f015aa3975d137699e0af84f2bb50f83433770d47bd3894e25ddf62209114daaf2d314cf0a3f758e77f5db1fa3bbfe7f94fc1b4b3 |
C:\Users\Admin\AppData\Local\Temp\ksYg.exe
| MD5 | dbdb361d4dcac7943f5dd0a692dd4a39 |
| SHA1 | e29b34f6fae32d45c4522fd0579946157f19722f |
| SHA256 | 6ef8108aa2bc8a9d5a5b1bb2ed47f9111a602e4f3a7734e1839707491eca86cf |
| SHA512 | b5ebb8ddc395ea3e95cfa54c414cfd81ff193e58bcc4bc8877d318d49eb9609856bdc735aec0b4318e592643d2501e98a7336345cdf2797638c66619f894cf03 |
C:\Users\Admin\AppData\Local\Temp\CGUoUoUs.bat
| MD5 | 577e826a6e17fd970c9e41e2560f6522 |
| SHA1 | 293b2d5bafadfbdd6001db224d8f947e06246a06 |
| SHA256 | bb6362a3e848f35e9218089dbdcb25cec8f756f22acefdb721032c1425a549b7 |
| SHA512 | b5c631d9dede4380b880e2dd1b01e8f0e5e7034164076b993955257c9ff1c98dc42b8d2cd0b6bac7c1626d9a3c5fd86cfdd9cd1275fee624c50b22de9435f47d |
C:\Users\Admin\AppData\Local\Temp\YUMU.exe
| MD5 | 41c2896ac00d2da73ba6606a307e4b8c |
| SHA1 | 3c3379998b6f189f5cf276b22454982b6fb03fdc |
| SHA256 | 09e39702c9ce17aa4ba931e9da3bc969a029986f267a06b471847acd93aadd7b |
| SHA512 | c1181fcb26581f7e8a3b148318226c462c86a555870a2384e54e290c2a0357107c97e512932c08140744212dc792925971977b116cfb2b36448162928c3aeedc |
C:\Users\Admin\AppData\Local\Temp\swwk.exe
| MD5 | 560c99be3f6dcef1ac53f90e8695f518 |
| SHA1 | 71bd7937c826eec8eea1baf3773bc3c6231a4f81 |
| SHA256 | ec89d0130f21d11976b412192e9411a62d88db78a385463ef42b9150cefd8030 |
| SHA512 | 57a5b800b5a61f26a3c8f98986f10d07032c4cbfb9a1edfc1a387fe3e20aa606fd8be8a093aae7e219f2cd5397fdeaaac2a4cc1c4736d70d0ef867253bd8313a |
C:\Users\Admin\AppData\Local\Temp\hOAMkMUg.bat
| MD5 | 5bd64bc997950146509410b9608dacb4 |
| SHA1 | 1dc312f16318853f770add16903680e5f9d39d1c |
| SHA256 | 1c5ad54f635e0a4098fec655249ab6a781d23241a3ff758e495e329cfa459a43 |
| SHA512 | d27812c8e4e968f68457dcd1904a13d86f2932e562d08395533880a4c1f78bf9f16c35cc56c4a2be2557ef42ffe312a379d1e1cac220e8f16a3412afea45877c |
C:\Users\Admin\AppData\Local\Temp\VSAUMYoo.bat
| MD5 | 23f518b78e6a0d1a3f4d361cfb517a7c |
| SHA1 | 6cd4bbaab586dd221ca754e6dca28df892acaa8c |
| SHA256 | 3a8d629e9990a67f0edb18c336ea7bb1659e0faabad2a37315d716b085eb6dab |
| SHA512 | 73adb6b6b0383a8c79084a64692961e6568a92af287d3a2aaf452d6c44223e63e3eaa872718d4c65be9a41c8b9b0d8da3c69360cc77c7a353a99ad336dcdbbfb |
C:\Users\Admin\AppData\Local\Temp\jAsUEMIc.bat
| MD5 | 888d3aaa146972c99b2b28a22ad2d050 |
| SHA1 | 5d3e86e0e4fd47a83d627d8cb133d2b7658d46cd |
| SHA256 | b1e0065db35a0a2fc3463ac46a1d5ee7a1deb4aaabaab01e7996b8d2e3f60d27 |
| SHA512 | 96ce382f074148ecc2809d0fd560e977caa2740fbff4def167053ed22cf455c97bff773e1b962f736ba185b0ae636997fda06edb2998f745e5f3b58084669647 |
C:\Users\Admin\AppData\Local\Temp\pYIowAkM.bat
| MD5 | 6d5c658a62bd1bc89b03926bc40c8547 |
| SHA1 | 234879b0ff3e7571bacf5f9b4e962ca2e7860d9a |
| SHA256 | abfd249705f4decf9b8680ec886e28ec93abd90f9bc076dba00077beb1f58bfb |
| SHA512 | 4e10d7c65ebffe99495b204db5769659afd5ab5b09410bf23fa252bdc6b1796d125f192e8a8229c90eb59d9078e89b71e8f1b6a4850b0fd3bd967ffb8b4867f2 |
C:\Users\Admin\AppData\Local\Temp\CeEooQAM.bat
| MD5 | c87f8133abf999fa9b8abcb1923ce1ce |
| SHA1 | be32d73a3d28eae95fd042d7c468981b591956c6 |
| SHA256 | 38c5cc56de6057004c666f4904db717b7b01ef6c56e2a71b7771cb0d54930f0b |
| SHA512 | 151aa573ae0d242933df493cd132fd04836843ce560178b88a25f92bea3524edd6dfd0944ef5932062bd70062f565822956bce9732a8d6a5981883effd73fcba |
C:\Users\Admin\AppData\Local\Temp\mGgkAAUY.bat
| MD5 | bda9412da2875eed97c91dcc38531d53 |
| SHA1 | 4be015994434184380e3d88167a566e0353fd834 |
| SHA256 | 9e97a67329bc3cc3eca55cfdaf898d9751b88340f9b2abfc4e737a21c231b07b |
| SHA512 | 2419dd18ded72b5c02fb8d0c62ab0ea697d2799fbc97e272685b6f9ad2dc49dc3baaae9676e4afc6f6815bf0902a064080cc17c63c7c4932f9108d6e732322f1 |
C:\Users\Admin\AppData\Local\Temp\oAAYMAgg.bat
| MD5 | cfcf016771f7f2f556b9bcb8357e1ad0 |
| SHA1 | b3eae1f1cc890303444d2f4dcf97013d1b2ffa62 |
| SHA256 | d211929ee35a1379e00d7cf14e32bb2bce603c4071c57fb606ecfec2507bc228 |
| SHA512 | 133d33a1179d8a81e2187d9a6ab3e2fd5c814a8920d5637b75909a28ba85feb1db5148f70a4c3e97577d201e8bd4dc5369ac0743b615981be4bcbf5bbc08270d |
C:\Users\Admin\AppData\Local\Temp\xAYMMgAQ.bat
| MD5 | 98e4def231c1d6c26abe8db94558c4bd |
| SHA1 | 4563523b10dc32f2a7ecdd16901e2018739c2c51 |
| SHA256 | b11666400be2630b0efd607a957fb9d54f1cf8cf44283823b73ce28e40fe4b87 |
| SHA512 | 1d1e9d396c0f2ee8e2c47cc9d664da1873ff3e5ff6bc813999b01105bfa5cec6dfbc6bf6bf52755574cab666328c1e3133dd673934f29050dec8c640dfdbbaa9 |
C:\Users\Admin\AppData\Local\Temp\vscwgQIo.bat
| MD5 | 9f5b3af7fc2d1298cd0534c6f34dd248 |
| SHA1 | 694e5c0730d70de1408f20007811e2351e284182 |
| SHA256 | b7838a2e61da7e32bdcc27e302a1c4a95945521bab036cd709c956c083559c5a |
| SHA512 | 963d4daf785537ea14377c8a826c2d458c73cb7f3b70f7814bfc020c8116c0d0d73ba6e5a0ec75c67126a8835ea38bf673baf3dc939f7c3ff1058aa79953e12e |
C:\Users\Admin\AppData\Local\Temp\pyoMoYQk.bat
| MD5 | fb43acbd4fa54e71ceb7f0100b5e0ed8 |
| SHA1 | 28b7b31b1a6d720e6f475233bd487a5f9385990f |
| SHA256 | 7b9376735b339172220ed8ef4e46d39ef01992700eaaec54251ac18a762b66d2 |
| SHA512 | af332b22472622fc6df311f080322fdadefffbb6d63323e9f62d5db6477b64f831c7d5a950a0b285e4b631ce5ab7b476a41f1793d5adc1b625f8afae413b5ecc |
C:\Users\Admin\AppData\Local\Temp\fwIYsUko.bat
| MD5 | 7ee847d1448f39f34e7f44bddcb4f01a |
| SHA1 | 28e7b955ffbf50828139e635564be7736107e899 |
| SHA256 | 4d424c30f00c4ccba475fce896ca5201987ab29c5c1dae7e38e4aa488545de9b |
| SHA512 | 59270be0f42d003b7730965b879f7265a777f58b3e5c67cbc29b53199ec87623d48eb7e6380bbdc519f89c2c906fe4ee9af78d60ffdf0c32df49e89c6cbff75e |
C:\Users\Admin\AppData\Local\Temp\SkIEIgMs.bat
| MD5 | 79e70c2f88a320ba7e491eec731b877b |
| SHA1 | 301d0e6644a97dc234d9ea44b5ad84df4fe34d4f |
| SHA256 | e71ffb1106ac2273c317ca9dc250689458c4f7b919a1ec9145b59dd1f4ca07fc |
| SHA512 | b9056a1be9b99b5c5499d99d5be4d84ad676fd863ba5aa0c619dbdeb839e8bfa9dd617dbedc35937451afe41d7c3dae88088d054090d1b900ae67c0e6276bc53 |
C:\Users\Admin\AppData\Local\Temp\WSYYMAcA.bat
| MD5 | d2f8cf29d44583fd30457ef147056478 |
| SHA1 | ce1d32350daf261544361e87936c86f36feef0ad |
| SHA256 | a66e2407beecac6841f8c662c9c6506cf412e371959e6b904c2ac2f9c56e3612 |
| SHA512 | 40b0a176ec567c741555694b4b30d74499dfb893b65a65d877bc6012ce9b1580fcea5861fbe522387541666d5bc40784084d565a141915608fe7755a4baa03b0 |
C:\Users\Admin\AppData\Local\Temp\cMcEoIsg.bat
| MD5 | a86989ddd983e980d061908a61e9b737 |
| SHA1 | a9dd93bca8038e1f8407045d7665cf03c71d5403 |
| SHA256 | a8e63412c8b7cef92cf1c13577d91f0261bca673ac421ce9881824afc07fd82d |
| SHA512 | 9c79a6488b56c50f2658fc859bd8683596c4d1783c9e8558d318afa1369d30164c5c64c1c7736b1b431f8297c79d14d5c59a46172fa50040574fa9b8975e7abd |
C:\Users\Admin\AppData\Local\Temp\BKYEoYAQ.bat
| MD5 | c750a4c6199ceb1eac4659f43dab909d |
| SHA1 | cdb8adb52249222e7184629f7cf8ba0e927175fb |
| SHA256 | c3c33a42855ed0f1c04b2ea567fa5c8ac4ba293e09f6273db32d92fef94f6be2 |
| SHA512 | 6ac492b639fe370220c1d8450e247ea90a615153227b6120f31b272f083990a3c4ac3de4e94ccfa5851a44a914e65322f860dc6550071822d625fbc088636598 |
C:\Users\Admin\AppData\Local\Temp\HugQEQYw.bat
| MD5 | dc04adf5157b361294d93dd45d36fbcf |
| SHA1 | 503c6a58ecac087f4afed6dc7bfad434203dfba5 |
| SHA256 | 7d7f9cd9506298a35fc8fb1fcc9b6b32774e590f60fe6615a93b4a9789b24163 |
| SHA512 | acd1fdc65c20c5247f8e259155db49c7dbb3db86982ba84e092b5e63194b0b1252d4cb3cc17a0e1d9bbcb3e1c19038f5646585832f59cdfa661a95d045bc4b36 |
C:\Users\Admin\AppData\Local\Temp\necoIAUs.bat
| MD5 | 63350624360fbcba81775bf138410ff2 |
| SHA1 | 468c0902492dcf9fbeced8dbb9f1ccfb15028bbd |
| SHA256 | d14f69b3218c54b0eb818c15e1fcc0b54e4cfa32599f6bbcb58380c99ed8b8b4 |
| SHA512 | e674703362cab8e5b3f8f60d7b3727df0928cbe700263583c146104f0e0b5e1ac911e2c19439ef4075287ff55cc3dd888a8eac05c94548984458f368391bb9bb |
memory/2380-2939-0x0000000077570000-0x000000007768F000-memory.dmp
memory/2380-2940-0x0000000077470000-0x000000007756A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:06
Reported
2024-10-26 00:09
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (85) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\mSgYkYQw\lWwscwwc.exe | N/A |
| N/A | N/A | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lWwscwwc.exe = "C:\\Users\\Admin\\mSgYkYQw\\lWwscwwc.exe" | C:\Users\Admin\mSgYkYQw\lWwscwwc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lWwscwwc.exe = "C:\\Users\\Admin\\mSgYkYQw\\lWwscwwc.exe" | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IOcYUcsQ.exe = "C:\\ProgramData\\RogQUwEA\\IOcYUcsQ.exe" | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IOcYUcsQ.exe = "C:\\ProgramData\\RogQUwEA\\IOcYUcsQ.exe" | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
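The registry writes, Run-key entries and the shell32.dll.exe drop recorded above, together with the reg.exe command lines listed under Processes, can be re-parsed into a short triage. The following Python is an added example written for this page, not code from the sandbox or from the sample's author. Its sample events are constructed from this report's own rows and command lines (plus one benign EnableLUA = 1 line to show that the data, not the key, drives the finding); the heuristics it applies (the three watched values, autorun targets under user-writable paths, double extensions under C:\Windows) are the editor's choices, not the sandbox's signature logic.

```python
"""Triage of the registry, autorun and file-drop events in this report.

Added example for this page; not the sandbox's code and not the sample's.
It parses the kinds of lines the report prints (reg.exe command lines and
"Set value"/"File created" table rows) and emits findings a responder can
act on. The heuristics below are the editor's choices, not sandbox rules.
"""
import re
from dataclasses import dataclass

# Values this sample writes via reg.exe, keyed by (subkey, value name), with the
# data that indicates tampering and what that data does. Subkeys are compared
# case-insensitively with the hive (HKCU/HKLM) stripped.
WATCHED_VALUES = {
    (r"software\microsoft\windows\currentversion\policies\system", "enablelua"):
        ("0", "UAC disabled outright; effective after the next restart"),
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"):
        ("1", "Explorer hides extensions, so 'shell32.dll.exe' displays as 'shell32.dll'"),
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidden"):
        ("2", "Explorer hides hidden files and folders"),
}

# Locations a standard user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

REG_ADD = re.compile(r"reg(?:\.exe)?\s+add\s+(?P<key>\S+)(?P<opts>.*)", re.I)
REG_OPT = re.compile(r"/(?P<flag>[vtd])\s+(?P<val>\S+)", re.I)
RUN_ROW = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^ =]+)\s*=\s*"(?P<target>[^"]+)"', re.I)
FILE_ROW = re.compile(r"\|\s*File created\s*\|\s*(?P<path>[^|]+?)\s*\|", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def parse_reg_add(cmdline):
    """Return (key, value_name, data) from a `reg add` command line, or None."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    opts = {flag.lower(): val for flag, val in REG_OPT.findall(m.group("opts"))}
    return m.group("key"), opts.get("v"), opts.get("d")


def check_reg_add(event):
    parsed = parse_reg_add(event)
    if parsed is None:
        return None
    key, name, data = parsed
    hive, _, subkey = key.partition("\\")
    expected, meaning = WATCHED_VALUES.get((subkey.lower(), (name or "").lower()), (None, None))
    if expected is not None and data == expected:
        return Finding("registry tampering", f"{hive}\\{subkey}\\{name} = {data}: {meaning}")
    return None


def check_run_key(event):
    m = RUN_ROW.search(event)
    if not m:
        return None
    target = m.group("target").replace("\\\\", "\\")  # the report doubles backslashes
    if target.lower().startswith(USER_WRITABLE):
        return Finding("autorun persistence", f"Run\\{m.group('name')} -> {target} (user-writable path)")
    return None


def check_dropped_file(event):
    m = FILE_ROW.search(event)
    if not m:
        return None
    path = m.group("path")
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    # shell32.dll.exe: an .exe wearing a system DLL's name inside the Windows tree
    if path.lower().startswith("c:\\windows\\") and len(parts) > 2 and parts[-1] == "exe":
        return Finding("masquerading drop", f"{path}: double extension under C:\\Windows")
    return None


CHECKS = (check_reg_add, check_run_key, check_dropped_file)


def triage(events):
    """Run every check over every event; identical findings (the report repeats
    the same reg.exe call dozens of times) are reported once, in first-seen order."""
    findings = []
    for event in events:
        for check in CHECKS:
            f = check(event)
            if f is not None and f not in findings:
                findings.append(f)
    return findings


# Constructed sample: lines copied from this report, plus one benign reg add
# (EnableLUA=1) to show that the value data, not the key alone, drives the finding.
SAMPLE_EVENTS = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 1 /t REG_DWORD /f",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lWwscwwc.exe = "C:\\Users\\Admin\\mSgYkYQw\\lWwscwwc.exe" | C:\Users\Admin\mSgYkYQw\lWwscwwc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IOcYUcsQ.exe = "C:\\ProgramData\\RogQUwEA\\IOcYUcsQ.exe" | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |',
    r"| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\RogQUwEA\IOcYUcsQ.exe | N/A |",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.detail}")
```

Run stand-alone it prints six findings: three registry values, two autoruns and the masquerading drop; the benign EnableLUA = 1 line produces nothing. Feeding it the full Processes list of this report instead of the sample would yield the same six, since identical findings are collapsed.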
Processes
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
"C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe"
C:\Users\Admin\mSgYkYQw\lWwscwwc.exe
"C:\Users\Admin\mSgYkYQw\lWwscwwc.exe"
C:\ProgramData\RogQUwEA\IOcYUcsQ.exe
"C:\ProgramData\RogQUwEA\IOcYUcsQ.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmAQsAAI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYkMMcsA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMggAgME.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKgcQMMI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwcQYEA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgMIcggY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEsQcwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKcgUEMc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEQscsUU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQgIYQow.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcksAEEw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYsIAgYk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGcAgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCssEUcI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAoswYMc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KukkIgUY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqwYwEsU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nygskcUU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pooYkQwA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCgsAMsc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEcAEUMs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nokggUUE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgQkkMAI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foIEQQgk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaQQgwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwAcgAME.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGkIkkEA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSIYwIYE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eucswEwo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCEAcQII.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMYkQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMYgoUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAoUEIUM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaEIQUMs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoksgIww.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twIsQMok.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUsocQYM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQIYwEkI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FysEMUYk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIEAIMEw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REgEsAMI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkgkocYM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiEMcYMY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgsIYMUM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMkkEkIs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEIUQUks.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieQQMQgE.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUgMoQoI.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiMUkYgU.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMUIEIQM.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyYoEwgo.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWYQogks.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCIEswMk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmIscMAY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUQUUYEg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIMEcUcA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmEYMwQw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAUUIAwA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\issowQIs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wuggccwc.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JskYMkwY.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcswMEAk.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KygwwAYs.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcsUUAYg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgEIYYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAwMMEYw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuoQAwAg.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQIMokkw.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv la2qyzT3okuaHQyQ+cgrQA.0.2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKEskEcA.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e"
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEEEAMME.bat" "C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
memory/2008-0-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3392-5-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\mSgYkYQw\lWwscwwc.exe
| MD5 | 170696f6d60b6c2b4aa857aaa68a7002 |
| SHA1 | c8832ba66a7ceedffde830aee29aac83404eb9bf |
| SHA256 | 090ff5e07cfbdbe0c5f58fd88e9dd4225efb29f7ef14fffabe8dc73706b9ed1b |
| SHA512 | 1bf4a449ea202ef972bc5147437bddd2e50b452436fb60634c64619f03f2846ae94194a179b5420f82ee4e863a4bad3165519af49cb5ce663664fb357adfb0a7 |
C:\ProgramData\RogQUwEA\IOcYUcsQ.exe
| MD5 | ce4649abb9a7ba9ef67dd5526f9e7c72 |
| SHA1 | bd8f91bfe17fd00456954ce00994c4e19238dae7 |
| SHA256 | 8501237e21ed0a6361b32a09840af55faaf1858577405a7285f1b51f122c3ac4 |
| SHA512 | 23a6c632e97b88fc519b7ea407c423395a4b10b88742f85bdc7f966fc48edaeaaebb767fae5e0ba8ea23f02fa0f1367f1e740afadd6a1161584282ec72a01732 |
memory/3964-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2008-19-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8dc8d6503cd281dc4bf3ccf8f40b019322043a57c56273513b0e74eb9a4f7f9e
| MD5 | 62eb5f8af13f0886f278614f5f43e21f |
| SHA1 | 7a0387dc6c5f9c31c18196fb860dd50a7a3e9c71 |
| SHA256 | ec3e84ad90487122ba0eba5945de8a2ca2b10ffc16b3a02746def24e926148b4 |
| SHA512 | 7c5008c846420519589a99f04d6e5421f895c18cba00d3ae43cefadc594b185dfce5d21942cc67d0ab0e0666b6bab497e368ceeea87db8c35bcee8342d827c80 |
C:\Users\Admin\AppData\Local\Temp\cmAQsAAI.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/228-29-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/3024-41-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3928-52-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4396-63-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2208-74-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3668-85-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4768-86-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3668-97-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4796-108-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4588-119-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1020-130-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5072-141-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1112-152-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3656-163-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4380-171-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2972-175-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2544-183-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4380-187-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2544-198-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1904-209-0x0000000000400000-0x000000000041F000-memory.dmp
memory/228-220-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1984-232-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4276-231-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4276-243-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3116-251-0x0000000000400000-0x000000000041F000-memory.dmp
memory/648-252-0x0000000000400000-0x000000000041F000-memory.dmp
memory/648-260-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2412-268-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1560-276-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4804-284-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4556-285-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4556-293-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2448-301-0x0000000000400000-0x000000000041F000-memory.dmp
memory/736-309-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1240-314-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4536-318-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1240-326-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4200-334-0x0000000000400000-0x000000000041F000-memory.dmp
memory/928-342-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3796-350-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4660-355-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2388-359-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4660-367-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3160-375-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4124-383-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3868-391-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4392-399-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5112-407-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4356-415-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3052-423-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1424-431-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4384-439-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1844-447-0x0000000000400000-0x000000000041F000-memory.dmp
memory/652-455-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4300-463-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4396-471-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2060-479-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4500-487-0x0000000000400000-0x000000000041F000-memory.dmp
memory/244-492-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2712-496-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xUkA.exe
| MD5 | 9c287847ded76e3ef7b350dc9b9296f5 |
| SHA1 | b10e6b44e86296444bf309bc132636976dd7b0bb |
| SHA256 | 83b09bbe1aa759b67746405ba883c783e4b9855fa41943ec27f2fed1585fad95 |
| SHA512 | 468b8ed29ad6da8ad6c2d2b4688534c500e8dd68226e062ef7a82cb435f5190ab266fcbba4b36e7c2fb364b361fe23cfd2996a90f217856d6b85a2af4417a321 |
memory/244-519-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mQkG.exe
| MD5 | a05b1bf4bd19cac0327f5e83575ab98b |
| SHA1 | 91ea05fe30707edf6649614ceba38eeda0a09908 |
| SHA256 | 042c9694c71ac02d2dff5868507ec071c3a7f6b53d2e7bb802436dbb0a11c5fa |
| SHA512 | 19abc343fbb2be4555956ad72a558fc36264f45f0ab1adb2557ea898e08e9ff11de0bf2738ab1d346e8a820982ef063677f7b8b0707cdefb30a90ba17eaddbe2 |
C:\Users\Admin\AppData\Local\Temp\zMwe.exe
| MD5 | 53723caa0b5bea3fa70dbb9eaa913eb5 |
| SHA1 | 3b146c148d1a3e7ef33456f59d14419945f6394f |
| SHA256 | 98c5bbedf1705843b2325caf00affd2caba20b932ae01adf068dc7c575b8a43a |
| SHA512 | f9349d7f97e66191d21c5a64e2e5a85512e144581af63c5f38a43176ec19496c6f68d5dbccc2fbb831dcf5e0ad6ebdfada23a3f39a62e4717cdf7ab0c226d93d |
C:\Users\Admin\AppData\Local\Temp\tkEu.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\qEMq.exe
| MD5 | 3a35f27d53e5d3de9c3794b158598855 |
| SHA1 | 17ad3f44fc2b22067433cb56c46247449806fe0c |
| SHA256 | 4d460a4a0a9f74cc860b42f791599fdfb4aae0d15cf75fdef38282bc33428f58 |
| SHA512 | befc2e9b64a0238c8f86a4c19371d045951839cf1522c79491ad54478c649137a97a30f3f53b1817d387487efa51e0ba01aae1b4442618fd966e79c6c423e3d6 |
memory/4736-569-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VcIg.exe
| MD5 | 1ce251b698213158e296e0fb7e02a4db |
| SHA1 | ad7c422f74b6cfe3e28f58ba01cbb59e2d99752d |
| SHA256 | 8180ea748c3ac8cc81959a898473883d4d0aec5eff6585ac53e09e42b2d5ecf0 |
| SHA512 | 4a0fe8b3416f1e9adf4455ab0c8ee85cd9beaa6e517f6e9edeff7c43bdae7666356ac876f9a95fd2dde800bb498235424e788f3a2ffd943b77b4f9baf57886e1 |
memory/3424-584-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aQMU.exe
| MD5 | 354975adc55ba12210b057ee4f58f04e |
| SHA1 | b7bb90a738c723e13a59f61d2f804a1adc0ebe1b |
| SHA256 | 95abbb1dd98d5445f945e3a5baec3a89ffd53c12cfc01bbee10e2ab1c247229a |
| SHA512 | 93b4e61c0c5344d6e2f53562fa1190f577936fb7492131559e2b096af6f9bc9e4d8a80beff99d7f5f613a605ce205c0d28af12940797262b09032a4ab5929197 |
C:\Users\Admin\AppData\Local\Temp\FUEu.exe
| MD5 | a5c393f5ff0efe0a75d71ca3d2e255af |
| SHA1 | f4672e96ff824d8f76bc7471e16e98c07192488a |
| SHA256 | 4f4c1dd6656b8a25985246949371960810f5e32e99149ba060d4bc77078e4f17 |
| SHA512 | 4088a0224c85668e2e38579f7dbf05c17fdcc159a92509be1503614ead5f3f5d9df84bda56a778080d5d1571558946e92beb005dfca9a44f4b5df1fce3613616 |
C:\Users\Admin\AppData\Local\Temp\XoYy.exe
| MD5 | 668bfe757d44d314324313611db90759 |
| SHA1 | 9ab87cf02f0aabf7400c0f0d5a58a255e4ee528b |
| SHA256 | 3884bb7ef9edd30193e5afdcebc2a49ef875d9a565b5e48c78d0b6cbe637347a |
| SHA512 | df49574cb154fc3ca3f384b446dabfc67163a8568dbdb3904cc28a794f39a8fd7a92ba2adb9db62c90db053048c1c0eda8849f017f6caec8abbba66780c5bcdd |
C:\Users\Admin\AppData\Local\Temp\dAwk.exe
| MD5 | b7e398a24048e68f1ee36674e6a9173c |
| SHA1 | cb9703d04a35dddef00d9007a564fbd962107139 |
| SHA256 | 35b3a54036dd872d5bb649041bbee1b7f2ad7fcb2029113012d4c903f89d639b |
| SHA512 | 63bd10d98b106fc986059485bcd68639d2ee991f3c78da0ac337d569fc070499d215cfb1233814aab17ccdec47323973da1fb4e60cbfaf6c87b1cbeaa849699e |
memory/3424-648-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ncIG.exe
| MD5 | 392737afbd1053eb810338e003a5cfa8 |
| SHA1 | e97f4249550aec1049fea055be87eaa80bbb5bf2 |
| SHA256 | 8bc319d04d9e04dcad0ff6123dce7598afa941fded8587935a19c2e7a91821c1 |
| SHA512 | 32349a186218d2eb6c27eac921e28109b93de51062ac4723f7637debc043787fc633ccf7cf55e019496e6c7aa3f1a3dbda47ecf4512ee3bc9e5919003b31ecd5 |
C:\Users\Admin\AppData\Local\Temp\Usoe.exe
| MD5 | 4d8132968bf93c6ceb2106ff41862585 |
| SHA1 | 93d1569d0bd7a19517872ac95f9f1f964017da6c |
| SHA256 | 87a4a6c08387a4f78006d76fdce53483f746202725858f1393d1e8fb10f4ec11 |
| SHA512 | 439fdc90ad191328686a501acf89715e8b459deb76d91d525d2c16ce2a23b34eec73fd69fa30af0c3ac4b411cfa31b769880490bf168d9227464803212beb551 |
C:\Users\Admin\AppData\Local\Temp\tYsY.exe
| MD5 | 326983cd6ba54abc1d05067d8a5b16e7 |
| SHA1 | db72ca1363d0f9e234f521e10f700d7ef39876ac |
| SHA256 | 36000cfda95dff87715b2152d1bdf000c3c4df7dc7115f50c761e4e9ba0524da |
| SHA512 | 52d2e36b9d6670b6974986e3606c15382f73c1a338c6e7ce248e6f5a61f32931339d89dac26f134258b0c67beedb107cf77b26e8933b9d42338a705cb5efc8a5 |
C:\Users\Admin\AppData\Local\Temp\owYM.exe
| MD5 | 73b2e4d84bc46948ebe4bab4cb46ad00 |
| SHA1 | 4c7c8247eec44daf6bb218ee9a62023981d48c81 |
| SHA256 | b590fcf2e2f6bf3c2e0c55a7d03c14b37cfa24f828ce3eea783e54d1f43377ed |
| SHA512 | b320e702fd5293cb8dcecc5b35c0c9ce18fc272e74dffe9a149ac4d3f5c49765ee8b566d321e4e2920dd56e7caa5daf7aa05bfa5d21f31dab8f3e9a9e975b162 |
C:\Users\Admin\AppData\Local\Temp\rsos.exe
| MD5 | e4df7ac4ae24b4d8cd5ad0bd1cf71c35 |
| SHA1 | 75627e085e241f680d2a6ad343f0ad966706fc3c |
| SHA256 | 1ce889d21c0a1e7f01ecc3c15b6844f9ebb69f239f833fc4e0582a42b6ad9021 |
| SHA512 | 4528fcbcaaa3d77b739426c2c73e3e7d2db0b8d399a462f64a69b8239f4d12c5414e7aa615cbe38bf0af0d7d2648ec4ed225b91927ee04b5ba72924b100cb8f4 |
memory/1984-726-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\agEm.exe
| MD5 | 2f161a6fe91f445b2aca87ca9497b458 |
| SHA1 | a9b307e42a7ea5a3fae57a1c8eb9db9b87a4e5a0 |
| SHA256 | aade616b4f87eb00a80d147a545cd4e65dd37d1e6553490706660a3677c469c3 |
| SHA512 | 5ba14f84ab99b106e5ea2c051a6edd2234279f415f6dd460c8a6f5e229ce20dcdaaec65ad388a9e9be536f313265fdd076a29c97f15e57fb094bc284dbc1f497 |
C:\Users\Admin\AppData\Local\Temp\XgIA.exe
| MD5 | 75f556cec5e858e112d9c7838de40ab1 |
| SHA1 | c8e4b2cec53b64e0cc9455352fb6125007bdaf4a |
| SHA256 | 570489877fcd7378ad592f2f220b127b9af9218cedf4e71c6c989c06c3a03ce0 |
| SHA512 | 2e3b91296cae80863fd6f66d42fb59d284954b1bf6c2a0e86f6f1827ac3770f3752a42a9b94c870375af7881660d86662204e0c5992edf898882793ec9953e6b |
memory/900-756-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HIYw.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\wQEi.exe
| MD5 | 98a3ed6b4082070aa6ed808e1fbc207d |
| SHA1 | e5e4adf34b644f1ff2650aabe4b3b1b404ec2158 |
| SHA256 | dff48c446fe38fac532ee7a17145e8269862638ea958eb3dc96265541ebd5fcd |
| SHA512 | 8e3d10162bc2286afeda2c87dbf4531da6a8460cf47d517ac956d9a22ceeaa19864a97385b2e967cc4139ade297b44ff842fb14a99fadd3fdaf2a92fff503d78 |
C:\Users\Admin\AppData\Local\Temp\awsM.exe
| MD5 | 22d9716967583b4e044014dde206d451 |
| SHA1 | 40ef99da33feef28194b835b8b8be892cf11c5a1 |
| SHA256 | 97f58073605d25a3cd5f1c4b09d7220767150a1a5457750083609335f93b26f9 |
| SHA512 | 809dfa18e93bb31d92ccffafe0222986b5c97792795472ef919b98586044d223a0dcef57a1fcdb8d6533e5c55f42b131ec255c75b386b67ba7259fb7fb23352b |
C:\Users\Admin\AppData\Local\Temp\DoYO.exe
| MD5 | 6e786cf05a8dc5b9a4cfb317cf527fa8 |
| SHA1 | 01166523c14faf3b7df73e9870cae4939f77a325 |
| SHA256 | f4698fe30a789fceeaf338b9ee934c4b8dd6f9fd0a993efc7ad06cae93019d09 |
| SHA512 | bb343e8bf3182b6a5a851d2bf888eff0e048a28ffc33298d603611b960a6697eecfa8c47dcff272068669951c8d4ff25481c025cf41d8dbafd4534c5ab1e6705 |
memory/900-805-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dwou.exe
| MD5 | 7b6f6e28a8999fca837a30469f5e2fa1 |
| SHA1 | 4bb697a0dd71f5a069ec3ad508e1cd83c24beb4a |
| SHA256 | 54c1ed9fcd8c0d2e8d4e9198c08259e9d96ba3571dc2036c3c74eac6d489e270 |
| SHA512 | 8a417455dfd17146979bc19c692036dd2b6e91d444fb878ec66bb4323ef8c365fc8f5e8cb4a67eaf8ffc1b44152d1da8f84f2126c9f196b40fba0848897df835 |
memory/2432-820-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ikgS.exe
| MD5 | 60a8f2ef92c70b7d602923fd8182ef14 |
| SHA1 | 4077168ece9ae89e00c749432a002d4129da4a4b |
| SHA256 | 84bac11bf9d02a060cfb7f98823340042ab23fc47b1f949a7f1644a98583574e |
| SHA512 | c46aaf5d750fd2211ad13b6d8c19853970810514bcbf631435124c5849156204d5954f6d9698adb4c645736a061d46f6227cb7db0ef8ece7da492c27bc0d8ada |
C:\Users\Admin\AppData\Local\Temp\rQMK.exe
| MD5 | 31be7bfcde0045f0a9fd4b02633ee783 |
| SHA1 | 8868eb58a34b77a8eb0725222bd147fea90016ef |
| SHA256 | 271d893368ef6d80a8a9fb482daeab5f573a1fc2dfd44737bae288f9991e4ed9 |
| SHA512 | 05a379ea5a72b6464c1c70bcb815e620a595c83aecb513611ecba970a7a76d983765e27cf97b6ac5b0c98954d6ea3de179a9e3d8123ee460ab0d665f02428b06 |
memory/2432-870-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WQse.exe
| MD5 | 57f4906c277972ad8b4b56a0e654bca8 |
| SHA1 | 2666f6cdd65437c506bafd7dff1b984b9207c91c |
| SHA256 | c8df6bbe3de1b688188852a114b9d0ae2b96ace422d75916bbaee2d0ed390662 |
| SHA512 | dbfb78d8bb467b52e55b0a694a34f43b3a0a6c3215f21e75eddf5cfd7cbe9d00c2de0319f4c50d8114e979cccd7ac262e2b2e5f0284c28d0a89a1e183f0b14a9 |
C:\Users\Admin\AppData\Local\Temp\tksI.exe
| MD5 | 3cc650e3dc9ba6ce131daf551a8174a3 |
| SHA1 | bdf5d0a4e77b945d7f1ea7b35d56b0a7d98bde89 |
| SHA256 | 265ec259f12f3e698697c66ca4afe3caaf2ba1659cae1813db2c6375cf33c928 |
| SHA512 | dac04cba92b8997db278ccc50c5d63e78c5cf7d8e5f7d85b69e2da9ba35ac3d094aca38e33e2c7bd538413721c6946c3bcbd6ffd8abc25f6dfb7f9c5072a5cc4 |
C:\Users\Admin\AppData\Local\Temp\JwkE.exe
| MD5 | 43320279f4e8e965f6fbccc825231643 |
| SHA1 | c83f1d6138d634b3295e2d7529da8eecc46e646f |
| SHA256 | 0c8782ae63e31f513d5adec9249af851a790434c3e385b8b493b5dc365e3e7c4 |
| SHA512 | b9e3bbb0120c3f0dcf79b2496ff698f12afcf0e4ce705f79b765f97908df6b1c74eaa72540394776edfa69b019d82e74a24f03f637e6532f92da0269bffb16e9 |
C:\Users\Admin\AppData\Local\Temp\YcMk.exe
| MD5 | 95f2ac31c5705ca89a156e807729077e |
| SHA1 | d68d0949557436f73a1f626c0204042a01d9936a |
| SHA256 | f000398ceefb2e4ffca3b33e0ce7950c6b46c071bfbb7e9d7608d328ac145032 |
| SHA512 | c15b8337a8befdb3d15e033e11b3be83169c03b23b0d0b95a6d62819b6e2feea334f637728bfb9b39bb1ce9218637b0bf267fce0034587302d2ef33090592345 |
C:\Users\Admin\AppData\Local\Temp\ccMA.exe
| MD5 | e7fb29ede865f7a4b31c96e0e40afe00 |
| SHA1 | ebace261f660648e8fd52e5d48c11efecffe6934 |
| SHA256 | 9cf46e7090dd931515df5129889ce67928cb0f3a6dde3cd7a2bc6fff9add6f2f |
| SHA512 | 99e8c89c0ee6004e8694468fe3318271b0905619e0310c85f078e137e20ead470628ba583ffb3649f964a68dd7684f40a28740d41cbacb83c02f902813d848bb |
C:\Users\Admin\AppData\Local\Temp\ysQa.exe
| MD5 | 9036b16b71163d85581632a9236977c2 |
| SHA1 | e0aad156d29fab1772dfb500a84ae0aa84c44dc2 |
| SHA256 | 8a031243517b7bc7eac33a9e8b0bcb9b6fd3979f63a1fdebde8f6ca1f8d25815 |
| SHA512 | e969950004537644c4c78b02e8ef29d5244afa595ecab9cf94237e0bb4ffb82d37ecd4a40a3a0200104cd606c5a61aa256d2de43e4c1d9036a6be0bc618ba8dc |
C:\Users\Admin\AppData\Local\Temp\HEYo.exe
| MD5 | 76d894a490f9811f6dac2b00276ae1a0 |
| SHA1 | 8434eadc0f9bad5f242a18916fa52e63e7ce55b8 |
| SHA256 | 64f9dd16c0a9a201a10a217b2a644ededb9e92202c306c876fd49b97c50cf54a |
| SHA512 | a650b3f46ca073b2e369b414c7d83d30d8a33d4d310ff6fddbd1e103492c24c3fc0664e7fc79d91f9c203c2cf554db1d341977db1115796c542db28793ee4938 |
C:\Users\Admin\AppData\Local\Temp\dUwQ.exe
| MD5 | fe4b020ca4fe3f1e7cf92b7d47fe568f |
| SHA1 | edd56021a0c73a72af392c94ff797646fdf3d6da |
| SHA256 | 3eeb7874bfd5e865bc3ed3ce7b7cd5b283454bb4763c45ae6dd0b8053de395bf |
| SHA512 | 7ec49f09aedbb3913b1ebbd4bea406956a7987315d9c6f1ab51a67bbfd4b77c0681a416c91dd5a6360c0ee3bd39d9aa780c3b0a34e8a7ec8c213259439575e03 |
memory/2504-976-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wkUE.exe
| MD5 | d74d4b2e3ec097e2e4578aa65d6c1314 |
| SHA1 | 537a46a5a90631a09d6695b9b90d17f0a176defb |
| SHA256 | 3cba8e8aec8f1e29657616162683786887ce3953b8ca5320d5e30aa11e952cc6 |
| SHA512 | c6e31661d86ede097c2bb325145d618f719f7cd6db1b444895cba2814c8862e29007891f9a65a97a35f3a4ca40782290d6a6882eb87fe84f9c3ee5bbf3020554 |
C:\Users\Admin\AppData\Local\Temp\NEog.exe
| MD5 | 70e6184d7b59893d98f56fc00c79fb2c |
| SHA1 | f44952cbc76e8d1e8450173c2d1b4c717c7368db |
| SHA256 | 61e38afe7b07e54b2a2022c4318e668e7651481dac62244f8448ce488e2a3d08 |
| SHA512 | 689dacf07a9c5811f178b8f00c347ef0442114f55139b83f0317d52ec354853a32899c6695e438f1504a671ba8b1af78d990243395944b257aec2ac050ac641a |
C:\Users\Admin\AppData\Local\Temp\DoMc.exe
| MD5 | cf1e743155a002684c28efa2c44b3a21 |
| SHA1 | c8e8aab8a279b56afac141d465ecae4ca2f60db2 |
| SHA256 | 65cb1a6f211fa74c6725b7e57bbba92ebddfe10578c1aab002dc5f9fb95be60c |
| SHA512 | 57e8527e72705448fd374c49205e230c26d71f72057d1ffe69e109de6736ade4bbf27d18ec5570aad95a5480f93e1d7ed064822d2dda7a0887e9020e7fa3c4b5 |
C:\Users\Admin\AppData\Local\Temp\rAou.exe
| MD5 | c6c7c75bd5c273c21effdc8e9d5be568 |
| SHA1 | d4195109115f15fa60d0a4c68f4bfc409396ec32 |
| SHA256 | ec530abc71ca7147fd35b5480fd76d7ed258ca0e288029e6ad14c11b9e1e4ddf |
| SHA512 | 049ad3def27a7e4b69de1ca7da392df4a5c50efec008c1b6d7dc1d28f66331495a73d6eb16cae04208189ae257862af4a560e683bca856a8f06bd97e1d1d3a18 |
memory/3252-1054-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bQse.exe
| MD5 | aec81b5f179d68549b7891ab8b1e6525 |
| SHA1 | d355ebdc794e0b336f70b0155c1669cd23f6cacd |
| SHA256 | 21d91f5e53e1096511193b6bda550c8a0cea92eb4b3a19eadabe092afd837c9a |
| SHA512 | fa5f0d01bb67afeaac31e9563ae5c0d257d3a0596e9b03e26da3f23302c6abf67c4df98bfa9de5dd4da622f7849865b57440a1abe671d992a1d4c8154543ff52 |
memory/4956-1055-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe
| MD5 | c3a9b0b7937746b731dab0042eb7efc6 |
| SHA1 | ab440b471f5c9bfb84e81bcf7a9fad5ae37e7562 |
| SHA256 | 121a2bf38894032b3f66d7822a3aca91afb73e04604be73cc801e369b6bffea3 |
| SHA512 | ef0228b9bebe53f564c6f8bc018d41504b8a8fd134732db80223f313388d2a4fac86d197ec35054b0bbbca2c4d1669d7759d17796a465c50d78ef1f26ca1a56b |
C:\Users\Admin\AppData\Local\Temp\xoog.exe
| MD5 | c18ca21ec0fe071826c998529c50f1ab |
| SHA1 | 2ff9a4056b81ba7860a714dc1dfc76b9bc86afce |
| SHA256 | 76c18710967a2da0b9d52e069787319e989a59bd34d5d862d5fb0fbb1938f6ec |
| SHA512 | 780d7c3bb11a0fe4404722d4e0c0888993dc812b47e6e3e43113ee8303caa440049e45c0ada57814e685031c723558d15529b66b5628c4bc0ec48e359d921023 |
memory/4956-1091-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe
| MD5 | 335c9bc61eee21faacd6f91506f19938 |
| SHA1 | 128dfec62db282dde940aefdd887b27b0871660b |
| SHA256 | b16ff7eee28c0da28b4440061b271d62eaecd2e5a307adfda20f113de4672a69 |
| SHA512 | 88a038ff1584a541bcb50855f917659c8d67fa28899b8e0adf13e954aefa53972fc016e1321a4f45118b05adc844943530f8539e5b9f38c70cebab7429efba56 |
C:\Users\Admin\AppData\Local\Temp\SQIU.exe
| MD5 | 9d6a66c0db75589fbba63847bc6d575c |
| SHA1 | 477f5470ee1b2c1042bf6d4e40153197731b3213 |
| SHA256 | d1736991060d983294817944fb97822bf19bcfeace5f936d8e21ac37962e9a90 |
| SHA512 | a9718a73876ec8165d56bb5c9b2cda48e80eea219e3f758eca800d7fa115a8a695ef39963042ff0e7a9c2ac8c5ea82f1f9fac96bdf3587b4838159c110997bd3 |
C:\Users\Admin\AppData\Local\Temp\hAEg.exe
| MD5 | af37c05d4ad09c55879339b3bac22828 |
| SHA1 | cbfdfddd751b629e96e563107dd2142994679ce8 |
| SHA256 | 5100a7cb2a9f93b1414a060481fa590dab755428b4cf537d263b5063d7310147 |
| SHA512 | a1a7a5c47dbab81ec1494888e99e44dd8600b0d86d7d050f6e120e4f6d770fcdcb3b9f0efae5d0772e282ed81081dd87c620096e592d48106e4cebd49b5ca5c5 |
memory/4664-1140-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AYgY.exe
| MD5 | 5060ec2db655b706171f3b97cf885e47 |
| SHA1 | 4d0eb303962affe3eb125f303bfc4ab4027a61de |
| SHA256 | ab7667486941f6b1a95c92928618ace599e80ab4fae9be57227d78ca35f69f31 |
| SHA512 | 29be808720d4d39e5c959b638b3645599a2c4c8ed5846e897c00a3ef58930cbd8c04c7c408666a802a7a56671f1eb6eb64dd273145ffe9117d1d80961afc45d7 |
C:\Users\Admin\AppData\Local\Temp\egci.exe
| MD5 | eaeb83243da14df1f74389269f62e5f3 |
| SHA1 | 88f7317574f6b529b1b5a46c37b2f2a59ac01477 |
| SHA256 | 78c04ba212072e92b00afa1da0ee2d5502919b4e19a86cee0a385eea0a3078e3 |
| SHA512 | 48ff0d37977dcab8227b2b0f8d7ce6c9631c45bae32205ef98024807e59b323d5da960df4783b0dcde84425466932169486c458553f3c911b1da0c6ed3c3943d |
C:\Users\Admin\AppData\Local\Temp\FsAa.exe
| MD5 | 95e58473a6eb5e7796631a59dfd61167 |
| SHA1 | 01def5d3de68a31a96578d2e3fb6922a54aef21f |
| SHA256 | c3b1817d4d8bcd3edb9b1625ef26e4afba6f294866806e6cbd5fe54d678f8b61 |
| SHA512 | 83ee3808cc32d1074bb9512517794cbcf9925f8d25e12b9d520609eaae3e42b64b438691bd46641c5ced890007aaf1f03442443c036666b360a3a12ec26cb0ed |
memory/1612-1195-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3780-1205-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uckg.exe
| MD5 | b99e33b427e30959d7624f234322d96d |
| SHA1 | 2de24ebd69e421caf7e6e24ccc5c15d14e0c1b74 |
| SHA256 | 0ed2e9b3b1d1bc8b4b36e04ac187a8b187adfff4b6b39dd4aaa2bd5c9d2cb8e7 |
| SHA512 | 9610cbb8604d75b8737cc5fed6f833e8f9f1308b0de117f9297cb2988cd34d1a5c3d6d7687685bd53f5bb781057d2ad5f814f28b21ee04d464af4158a3041ac6 |
C:\Users\Admin\AppData\Local\Temp\XIgq.exe
| MD5 | 468c4c5f896358f08640d7cad653e850 |
| SHA1 | 10efa6c7a5e9894c0e6a5eae9fff80efa9d08019 |
| SHA256 | d9496d3b2a72ea7be28ba8effa98208b0565e2a1c6c23a7ddb5d928e180ab377 |
| SHA512 | ca84aa6e9df142f27531924272800fb3b740fdb1004994779ab95e490439d1679751eb72818ee78024442f1c2cad592b0c6e83886017461f881d0a08a267dabb |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe
| MD5 | 5fc26ba39cf378c5f703fc35a57f4a87 |
| SHA1 | 1eef1965c9b934562546f5f0b418cb6fc691c718 |
| SHA256 | f2f08bf6a518e8d76698b86b477d61a044044518da9484767359405eeb9b40c1 |
| SHA512 | d23dec1dc7f6f980609a10052ac98a9d3d418cb75bd9993d5d97100f8432c6d81894c2e7f4b2c3340595973ccfd912190feadc7d53d8063920c51a2e750e17e2 |
C:\Users\Admin\AppData\Local\Temp\qYAG.exe
| MD5 | 4dddf90fd8e9b6fab708bf8db87aeca9 |
| SHA1 | be3c9e47dd1632768f1b94aa3b306f07efceebb3 |
| SHA256 | bc6b118b05154afd45c0bd21944f783f71a3197f0a014e4a9cd4f5b2e16166e0 |
| SHA512 | 73389d27a0d7c5e26788ebfa2ef58fadab64d316644680f9a206ebda33ce637921e10cefab9072f983aa4283c4f661c1bd22c06e7cf20daf252be9b482e73305 |
C:\Users\Admin\AppData\Local\Temp\FUYU.exe
| MD5 | fd58e6d0f4ed7e9ee988d31551b73463 |
| SHA1 | a5580906907e643bc8098b1b744311ef8e8662ac |
| SHA256 | 482fa3304143f7874fd11c2a3e27ec130ac985adf8ee2a4c0497b45e5982080f |
| SHA512 | bb70d51acb05be7ade435bf49af4674a27670dec8c152ffbaa5be0c4479146597f7c3d4c90febf5fd0118024ef9ae8c034b5f01e635129d7c22bd2ca3910c828 |
memory/3780-1268-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tQku.exe
| MD5 | 139ad49105b286300c96b023c3b8ebb6 |
| SHA1 | 9a34c9162fc1faeeabce7d3601405f261677e101 |
| SHA256 | c66df69b9f37c91715d770c5a5e17a99c4a63e056e16d45ae7870b147e33a3b8 |
| SHA512 | 02a9b37e00fdcd40ad885d8c60618a52a6c058cd553a4658129774fb569078a591d6f70d049d9cdb37b7e16dbaa34c433446b5a9ebc0995ae8586784b80faaf5 |
C:\Users\Admin\AppData\Local\Temp\VkMm.exe
| MD5 | 1e093f22e6e1212b3ab08ca924c5cefb |
| SHA1 | 92007e5b21a7edee4461f28b693110b5587a37e1 |
| SHA256 | d1d7335de11611ec7d48bc237bce476616e0c29c0a4d8e3df5ec50eb9c6cddad |
| SHA512 | 1d0db790d0459a56f95370205ed34064c532160b01cfb588250a76c2bb05252bac88016249d6eaf264c47b329e58af674c19e0b88115b4b7082eb89a09d42863 |
C:\Users\Admin\AppData\Local\Temp\Lwwg.exe
| MD5 | 26e8186dba657571fef50a0d042b302e |
| SHA1 | a4047129c14e234ad90df2977d4a34866091c74c |
| SHA256 | 31cfdc4b095e8f7df295ba060e3217340edf652c91f9226037976a6fb5fe0f9b |
| SHA512 | 1d35435e957b38efb3cdd87dc7b7297f649db8bbce800f658974aa8101d6c24b72ed392fef8a9ba16c29aef1cf5f9359d20ebfae11f0027406a750584d09bca5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe
| MD5 | 9c2945b4e26c92c1b6e68b5a483fa144 |
| SHA1 | eaa17fbdd4a3671437f1a335a46230564a8896d0 |
| SHA256 | 6f9bde6cce2fbffce66ace4281b3020c5b14d0318a6c5570617832f9341fd65d |
| SHA512 | 0ee4baf07f04e572347cbf851c2fc7ae30f4b5569bd7de048fdef487bf8e46f092614c3a236af8a751106a880b9a6bd93969872222f4e3089674ff4ccb580b0a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe
| MD5 | d678c1cbc69d813af290c09e91afca7d |
| SHA1 | 3a65f425d17d31c97f353e66ffb5a27f707d33a9 |
| SHA256 | 55307e48f386e2890109d2731ec827c4cd8138a8bb52fbe6437f0577f453f4f0 |
| SHA512 | ed8128066b692373a0103d1a7cc6572657cd91fd51fa2fe802dd871bf2d2837cea423a23caee737e7f485cc30d32400647aa031f95622072fe4b019c23ad5f33 |
C:\Users\Admin\AppData\Local\Temp\KMYG.exe
| MD5 | 34c0fb322063cb15577ce6c8ea17b75e |
| SHA1 | cc494c6f6058fbc9e0e089040be3d816f8c40731 |
| SHA256 | 2373261e95a6fc10b0cc8ab39111d0315776971f592da6b3bdad4cbf0cfafc91 |
| SHA512 | 751b4aedaab5759e1d607b2fad4a42edd6abe0dc425a5c1753e9cf75f81a9b3127b15c5541e8bffb7efec78fa5f7fdf9e17ef88e75f661cdcd1aeb3d5c8fb4c8 |
memory/2552-1360-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oMUu.exe
| MD5 | 9a3cf84fe26beed1ca5f8999cb9f69fb |
| SHA1 | dbc68e17da358a1219ddf62b1c5f4d3f44e25928 |
| SHA256 | 684f8cac87692739463a469beb09654404e5f7ed72c09a6a8311d950ca56b110 |
| SHA512 | 64c106a1c842a7faba82764774085d8182c23b089a7ffad8e504d333d9823c67eb435265020a201899beef7ce08d27070dc9523cc5cfe221065dc5be5a90f067 |
memory/3660-1375-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vEwU.exe
| MD5 | 124e9bca97a9d0f6e92d4e8773bb1993 |
| SHA1 | 4e825a401c60322a5d270c5b5ea684e754be12dd |
| SHA256 | e9e5a953f4e456f7b28829e0c40d3c0c64369776599ddf21790a9fc0e0eefef4 |
| SHA512 | 3d20cd97846e0436c6e200b6c378febcc3da580371746014665bca7de675ec1773315da483089ecc152e2f652d126cf265ce4b1013a4d6c731d6c78842ee27f2 |
C:\Users\Admin\AppData\Local\Temp\IAIi.exe
| MD5 | eb7b2ecc553dfa1f11e9b61c17bdb162 |
| SHA1 | c1ad1efd33ac254ada494cb84e9c2771f32869c4 |
| SHA256 | 397c2d337fb3719c8963fb83eeb1a8c5025b86d04e8a6e26bef3516200394c47 |
| SHA512 | 8faec50cae948780ea81ce4985c52f0b07ef1b8decb0f51ef2112ffb572c437d8395d4750fca49dac9f3571481bef106284729ad3d8a12e59f7d2f8446485e7d |
memory/3660-1411-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rYcE.exe
| MD5 | 44641cab792f25b894603d00807acd6b |
| SHA1 | 422e244aeb07a91c52492a721f3e56d0f5c16eb0 |
| SHA256 | 4e37302e884ae22b5b5bbbcd1a8061e4047badeaa036df46caab467ec56ccb8c |
| SHA512 | 0337a9046cfadb3e7d39766ac89d571106e25a0f5705e036082127ebb53414ffcf55dda4a6c4c7982840647c0a36df97c1255ebe325ba31efb04e907de5e2c0b |
C:\Users\Admin\AppData\Local\Temp\TIYO.exe
| MD5 | b019f3a27e043202b1a89b2675967794 |
| SHA1 | 89bfe39658ecbcbdca5d5166378af97ab70ad5aa |
| SHA256 | 4853ca31e2fe46560f9719d5fbea349a1fab9c54648ca55aedc256a279eb19ff |
| SHA512 | fe61e4eefbfe27b9325ac4184c61e8c26955096fa371e6d037ababac36ba4f08d2727d6fc7ad36b90bf44b51e904cd8494737e6f8fc574246395bb87467ae074 |
C:\Users\Admin\AppData\Local\Temp\TwcY.exe
| MD5 | 12bce37608072e9e34459f7f833f57ff |
| SHA1 | 202542b5ba07abdd7a223cd9d6967e4d74b36b2c |
| SHA256 | 8f6a2406854de514490575db9d9a568877484cd9e99ecfb0f686de7ad377426a |
| SHA512 | fb1e7eac2c2e2e622ac9a0530b35de81362fe629d2cc2b78c5ac54f9c147b044eab8f063faffe123a2d14cba9d63784884e4d0d9d888c7d864371c8728e0d9d8 |
C:\Users\Admin\AppData\Local\Temp\wIUe.exe
| MD5 | 5ab0f0d267ea8f593f91b9e7b40958c3 |
| SHA1 | df0617954e4d7e4ce169d50320e17dffb382f650 |
| SHA256 | 8902772d475b185a80971861da0553ddd136d3afc4f318a67e60d1c9f8bd6aeb |
| SHA512 | f82bb06d1d9930e226050beef7913ecb8a93206ef6607f7faa203255079679dcbf6b476c2061f6f00f22c7d05c5a143ad553873a011b2c8e816f1c5e7a45ce01 |
C:\Users\Admin\AppData\Local\Temp\Gkcm.exe
| MD5 | 5388d031dce6a23c45be20fa3a1ab4ae |
| SHA1 | f8999c6d578da73285191a3e369ee6a587c99913 |
| SHA256 | ba96eaa9f92c46d429fd7ae31582ed647d3b3c9f182d8dd5a33d3db2d18d1ca2 |
| SHA512 | 6176308b53c38eb28eae4f2466d927c38d880d5aef56f3d3e19297a27efae15139a29f7ddd3b3457617e5d0d1e65d4087c029d935f56b7a3a9e4db866b4d7a98 |
memory/1496-1489-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zUgs.exe
| MD5 | 91122c948e44f7cfdadcd026d77b5107 |
| SHA1 | 7b834aa6124767687cc4ab8e8134c762d19bc9d1 |
| SHA256 | 3982491be70eb5b0fd5da18a4b677acc2e900cfffbc15a964f06855bce441fc1 |
| SHA512 | 5845be715beb503e33661e14ecfbf58285749c3e1b9da5993d22ec464a63ccbc1b60595922fda5f53dc1914abf19588adb956bfd4f8006373bffb8c270d050d2 |
C:\Users\Admin\AppData\Local\Temp\vEUY.exe
| MD5 | c566193cf6ee70e9392ec470d8c8fb5d |
| SHA1 | 88613339299bd4fb33f07cc0ca1d108dbfba2ce9 |
| SHA256 | b5ce2764ddacdf20833ffe9e6bc1f8e2a94148d9d65439711ccbc4988179dae1 |
| SHA512 | 06759c37e77720698eaffbcbe6ea3dfaa46ee362655a1ed491a9896c70893e5777a3cb9c6d03741d751803488c074c28fa6f6c2d19fdc4c44ab38770c30bd26b |
C:\Users\Admin\AppData\Local\Temp\Eook.exe
| MD5 | e86e590f3ecdc92d2cf33ce5c36b1e47 |
| SHA1 | e76180141f8ef4097fe74d059310ce7e479fe09a |
| SHA256 | 0b00b65cf162eac991f70e17cb20b0dcefe76b4ead4835c6b4a3c7adff814c7a |
| SHA512 | 7f1df0b3db5101c604db1037349aa62ef0f3a816a55ebe311ba17466d6822359b588fb7bf7ddd78c238b40b43c296ab6bcc7e8cb01e25d6ce9e9168b39cc287d |
C:\Users\Admin\AppData\Local\Temp\yMUO.exe
| MD5 | 93c7db940c09ef506f7324b83bcf128a |
| SHA1 | 19ab73293bdd286f4bad21e7c6d10b10656400a6 |
| SHA256 | 5b9bfc20b0602ee6ce70aa7399817ceda6db2f980eb46fece580149b614418ee |
| SHA512 | 629aa78bfada5aa011f841b6d4c3e47be11675755b27e9b0621fdce4e86b8649e6f71325856a6e9397501093a1cd822bf0f5d5198cb3b2f9681f3a4f42079dfe |
memory/2208-1567-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe
| MD5 | 2e28c0c6968770521be75fe2991a7cde |
| SHA1 | fb89ce7ccb05fbdbfa9738a8b3c618bee3a09ab9 |
| SHA256 | 79e31d081c71126164c4fe5239e47940589e548cd115bfc60ef87d17f9d86c47 |
| SHA512 | c5586096fca2e63fee1c03ec56b93ac6938edec054d63ad055c4f94b1607e96f7298e571267b1b85114372cae493fdcd840f07033f68dabe7317af2ecf600ef0 |
C:\Users\Admin\AppData\Local\Temp\uIEq.exe
| MD5 | 5965c38fab454efbe477b0fe9ab40ac6 |
| SHA1 | 1dde49edf8df3dd67a33cdb890bcf9f7638c1e7c |
| SHA256 | dc69be93b819a1b8e3420855afad983041d07aaaa7b0d44a117f0366d60e4cd1 |
| SHA512 | 0bb81a6b48ead92c4710e76ebaa3f1728b2b9845ebc356e2996048900ec189173ccb4fded02bd2a23e1d93202413422440560e0ce47921286e997f359ff65c4b |
C:\Users\Admin\AppData\Local\Temp\WkAO.exe
| MD5 | e5aad98a057281bae2570c23ed26943c |
| SHA1 | d1ee680a4dd8e790e92b5db77c4fb9182d9e4b3f |
| SHA256 | 2a7acdb7ee4c1262961dc04fdde8032b3f93f55a1b756b832844564d81a4db79 |
| SHA512 | 2fc902aa3dc6fd182fdb6c213fd109414d0a3d7cc871f8792c6f5292b77a0e462fd2b87f2eb7f7f2a0df7d66e9a6c1a321d4459fceb1ff4774865593a3ead554 |
C:\Users\Admin\AppData\Local\Temp\uMUS.exe
| MD5 | eeba0d91cadc05309d0440cf6722d3f6 |
| SHA1 | 825d04a659330ce2cd3b92ff8b72cfcfca999e9e |
| SHA256 | 19ea7831def8a0e09346a00eb327282b19234c3817c89a624300cf65304ffa12 |
| SHA512 | fbcb72363ed6660d9d6f455a9cc0a7cab94e962ed4cc70735190ee12701834ed3329efd3f1dcb561a760c861b80abd0af82b38a899eb7c82db5d2c47ba0fed06 |
C:\Users\Admin\AppData\Local\Temp\AsQu.exe
| MD5 | 29ae482ee1b3ae07d86f008dc969e481 |
| SHA1 | ec4b05266e24399628adc8349b3d21f9dfaf956d |
| SHA256 | 591ae77ed7b28e2e894f399e6b919294bbf2f1397b77d654e4b1aae6222b26a8 |
| SHA512 | 3e9169c429f0348b7b0a73f6d915bdfb57902b8432728b8b57a0258262139da5eb9e53551d6be7ba4046d31c07877700df94a83086286704b80243635c5ad66b |
C:\Users\Admin\AppData\Local\Temp\OAci.exe
| MD5 | 5c36d2f8de447e589b2c765613eb34d4 |
| SHA1 | c578affc49e98cce8d9b9548c72b6b53b462b354 |
| SHA256 | cb00bee557ae294f964309782d4fc7719e30662154a792909c6511abc8038504 |
| SHA512 | 149ea48280f497bdd18974d82c71e8c3d4853bb122613c5ab064b9bdc4e4d80ac0276352522d7e915903c2fc31538ec53271cf8fe6a0311827ec5663f3caac4c |
memory/1604-1645-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mAgQ.exe
| MD5 | 95e9a753e25f24806f3559ec5c8e5b31 |
| SHA1 | 15c7caebca1f067d4d4a3a0b4c689db116b5718c |
| SHA256 | 3a6ecb10cc107de3174aa827148e305cd075829f06ca7e66276d34b668ca31d0 |
| SHA512 | f6f049a1062caeaff1a8cea96f9497bd595bbc916b61ff82fe7054415d4cc94451e3d96296d2dfc6abba0e3d8fc9ea4e7aa6abab08bcd00e19754b6168beef45 |
C:\Users\Admin\AppData\Local\Temp\yUUO.exe
| MD5 | 30a905292f98b5a8db8c3f01a9f36550 |
| SHA1 | 12d82a8b3fe86427d3f6c1c978ba9ed92da777ef |
| SHA256 | 27011bf8a04ce928a8c322443ae384c3358ef94e8c9d0b7c65644ef29e7d6078 |
| SHA512 | b77a4cc5e0b851b6fb6c780e595749714ec88ab1c6963819bde0427d807ba4e00695d11f6d2e085bc29ad36bb036356dfade9c46e91d8779a7b83bf8d541143b |
C:\Users\Admin\AppData\Local\Temp\GUEK.exe
| MD5 | 0140c208f35542105c7ce80283a9f727 |
| SHA1 | 2eb5fd034b3219953e0b034bd74b4ce311fa7e83 |
| SHA256 | 4368ee578a2666a3e26d6f4657ae71121cab8e8528098e79fd7ad31ebacf0bc1 |
| SHA512 | eb94a7c06f7e336e0c0fe2616396dcf41d51e6f33b4c08feec96f33786bffdb2dcf5eb12ebf0d5a830d2e6b9417bd79747e07f0115cf09ed0e8873657c8b2fce |
C:\Users\Admin\AppData\Local\Temp\BMwa.exe
| MD5 | 043d1421adc529f8574bd9f7dc7bdaa8 |
| SHA1 | 7bcadca0c048fccbb07d0039c6984c46908fc70b |
| SHA256 | 01f908aac315838216deb70cda8d9733bae2c2021cc3680cd1d16d945bfaa800 |
| SHA512 | 0715e19118fe53a3f19c724321cbc0ed4cac5f491b353d076e5999ba9e5dc02b7c0cc0ebc53fe858d8b1267e36b11eae42bf65d6938c79aef1431b165341b334 |
C:\Users\Admin\AppData\Local\Temp\FIcs.exe
| MD5 | b95364b03d37133ef90d9d67fc21146a |
| SHA1 | f92807c1d9fbffed924603470aea85a13f8a4461 |
| SHA256 | 2e7a208985ad307a6dbfb0eb000aba96f602b393d480d5facd487fb63fee407a |
| SHA512 | b51aaceb9f4536b5a5c516604fa40b2dd035b5c3802577dedcc8577ec8812474a85dc83682fd77481b144bf687ff532a2c8611933a28f73bc91070409921b88f |
memory/2552-1722-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FoAK.exe
| MD5 | 0a55b42f9afb7fa07b225bb729f74a1f |
| SHA1 | 3e770e62bd913c5bf893997742dc62d2ff38867c |
| SHA256 | fc16c9d53bd0a48d1224e98dd83b3d5a127877a8c3f47928e84a482d2397e3a4 |
| SHA512 | 85a28d40fe6ac02aa6b62cb0d8fd735152afaa5342df466398c188b10593652569da7f273bf320559bd5df4b886625a1e517b9b3f915dc1c394aadd4cd60306f |
C:\Users\Admin\AppData\Local\Temp\HEcq.exe
| MD5 | 7a8b3229c434618c879c47ecb9807a68 |
| SHA1 | 16b19616caf828d3c296185694ab5ca862992e28 |
| SHA256 | bcf162381b3eb1ec7ba7d8d23a01f7feac7bbad2e8b5961728e4a84e4027545a |
| SHA512 | 8d8113d36efec5a456f80c0322ef27da7d9a40e9a488ead9de076d04a837c80459910e52876219497159be869f8937ca67abe422a905fd8937fb01ec5678536f |
C:\Users\Admin\AppData\Local\Temp\qAAq.exe
| MD5 | db23aa5b0eb46a2ffb9b9088def40887 |
| SHA1 | b8473505008c292e31176fbfa5d1106e3bbab5d7 |
| SHA256 | 9b2ab446dd86c004b1f8dfefe309e4ee0b78dba1c5abd1a71009df7cdc2420b7 |
| SHA512 | 68f286e056f4ba5a39fbefbe21e9f308201b19ed2b302b205e06689ef29b93f9676cd8850d9727d49a5f336e762ab6b32c916d0e74cbe7d0ab68100ace700055 |
memory/3656-1772-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iMoU.exe
| MD5 | 165498d73b76a01cf3c442525b5de266 |
| SHA1 | b860cadf9f961a8dec2fb181ca5897d5b633ddee |
| SHA256 | facf510d39d5a460a9b8ca6324564c66473cf1fcd335c25eac422fc1b4006a75 |
| SHA512 | e6b1ab872663ac30298becad99aa385f2dd54bacaccd1fa067a196f19ebda66782f1254e16406ee567b3e3e2e64da002a3b4a0ad903cec947144c4a4e9af6f72 |
memory/3840-1787-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LEoA.exe
| MD5 | 47f0705d4327bb0bc86d172e83ba2f17 |
| SHA1 | 52b4b393d622eccbb75e604b77cb73fa345714a3 |
| SHA256 | 2d56c1fdc380d3e1ced9c89e6fc2dd9376dd88b8d955bfb5df7c39f4858bd6e8 |
| SHA512 | 7d6b4e72a853d8dd9f7ef81e81d30f0fc9ba6799450a860316ec4a40f022dac726358e98545e48acf840122489cad7ff53bca216924a9bfac1c7f249640ede3e |
C:\Users\Admin\AppData\Local\Temp\kIAW.exe
| MD5 | d366dabf261de67c21c540f41c867f04 |
| SHA1 | 55e110a94d6b83aa1b020280ba11924379c4d755 |
| SHA256 | 3dbd25aa7341454814caa1bb3086447a72367db066caff85a399c7b6f94ab649 |
| SHA512 | 00a347edb929425c07a1fad9e015534a908fa7fe7b8093aa9faba8a9c6d291084fa28bde1df1721d7df94f60c29b8e3f06dd0715a61c76863d1d928dda52698d |
memory/2616-1820-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3840-1838-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wIEg.exe
| MD5 | 12d88d22b6e204dc39d7f82905aac7e0 |
| SHA1 | 711f59ebc694476a657c9cec37f84598902a7264 |
| SHA256 | b6877270726e7932c34087c65c130d168db33e563ba9b3d49d88c9c354c77736 |
| SHA512 | e1f4314e88652dd1c4e0fdfc9d06bf817ad27509587d9101d69db55ad8e4a6bcda6c92c20bb38f11cd49f856a1ea4d7f444926e4eecae0b1bcc8aee50c62c817 |
C:\Users\Admin\AppData\Local\Temp\swAQ.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\rkIA.exe
| MD5 | 473d426433782f68fd3ff5a758fcb53e |
| SHA1 | 7aff5a8379ff7726a2fd473593f42f49c1969f47 |
| SHA256 | 5dbde088d0c20996ce0de13b998b3851e9f8aa9d4395e89e0aedc7e0e204e6ed |
| SHA512 | 67b0e930947e2ed49ab39f33f5824bbfd4c46f29b495818c659c131211a83364610988b521e9db4e693bc867315ff13b931eec6aadb509a27d054fe002b77783 |
C:\Users\Admin\AppData\Local\Temp\HIcq.exe
| MD5 | 6565da743b47305cc64ead7cd9eb3679 |
| SHA1 | 7d936cb0e058b3f10cf3524276ce871ae705b4b3 |
| SHA256 | d305df4b2ef10f94395e2779d42ce2cded4b01128d238a3814e3f489ba83c6b7 |
| SHA512 | 899f03a8f89d62c535264357e80473aae5d52e759b915ed5fe12c14bd9efb76dc6ef04f14e06b6541742ad5ad0126f9a43faa72e22fc8861ac44d3a0b1835320 |
memory/2616-1874-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WQAI.exe
| MD5 | f00f05df0a7a141fdc7ee47cf48e95c5 |
| SHA1 | ecab632252a07762e6f7cef1e2e28f42681ae5a8 |
| SHA256 | e707eaf4c9c0332f9a9776d98bc30935f4809a328a396c1d4bd3f4d74f6e9d4b |
| SHA512 | 09f9eff39349344a0160b42b5c154fac3c8dc2781c10479ae3219bbbdae241a9c7ef7ecc276c2b91c299dfa6d215f2ba41e50650e13eaaf2f81c1b0ed7f5f29b |
C:\Users\Admin\AppData\Local\Temp\dEgI.exe
| MD5 | 3c671e18a9e45e22969391e638765ab6 |
| SHA1 | 09c69cb843b14e15fb68caf4a55b9b426d7c0a9f |
| SHA256 | 1182639f91938170151d2c6a654cf201b98a7cd872499ab9f4839292c9dda324 |
| SHA512 | ec7a0fc5efd3a439d74c4300a82a41b9aae613349bba60e82eeddbd58e30e97c2c00e64a8481c456b49716dd833262dc9e5316ed73a96a2fce92ca44ae1875f6 |
memory/3600-1910-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ScEu.exe
| MD5 | 94d35232d36ffac3b808728aba7d5ead |
| SHA1 | ecfd7026b3804b8b702e106874583c92057d8f0c |
| SHA256 | cdd47807b2b266bb053fd7f7b2703f6bd66e3ce776795ee0f5103ae85fd7e688 |
| SHA512 | eb25e88c09826dadf06062df4ee56bb37ecfa3833963570b0843e977bc6ed502b94ee0139a775c584c85fd0ed49bb8934ea797c36237b990a18950945f7ff10a |
C:\Users\Admin\AppData\Local\Temp\GUAi.exe
| MD5 | 9b014654eeaa2bc79ed98d3aa26f2474 |
| SHA1 | 4eeaefde44b9292b5319769e59907b1b3f31821d |
| SHA256 | 7cb672249e02b65f0b14a1751cabce4981d4436ec035746c73fd7f29c3a68686 |
| SHA512 | 2bf53f640b2cea710db12fa1ba27afdcb4637d809ee72ff40638fc7b86c057bc7e1c1ddff281ad41ee8adb3d351bff175aa943bd5a02f849677e2437e95104c9 |
C:\Users\Admin\AppData\Local\Temp\GgIo.exe
| MD5 | f4e584f23ef0b067ea528d473c145b42 |
| SHA1 | a81bb564ba1daf8daf3c6228da912a48d91d62e0 |
| SHA256 | 05cbd3f9d7afaa03396938563072e518276006356968aedcf4c4a1cd2f7e57eb |
| SHA512 | 482e3e4b5f23f39795329fed592214ef315f23dd0c38aa412de64a2564a0255ce69e47a6f9216799fa23aac24603b47fbfc1db7e86021cbaa8663720f3d73e89 |
memory/1092-1953-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eQwS.exe
| MD5 | 42479c6954483c4f7a7231eb867fa9c2 |
| SHA1 | 319ee46ba9186c0e46b134c176fbe322a9d655fd |
| SHA256 | ba562e0759edaccdbfe38b979e99e9d34052113928a1a9ec0ef126e3c1a7bd69 |
| SHA512 | d35d0ea5ff76e1fe0c9f58e533246deaac97959d0a2ea0e1a660de3e69dd82132bd72698d02963b04a5a5431b40ecf839a3f141af6d2820def5c528904cf6ad9 |
C:\Users\Admin\AppData\Local\Temp\Fwoi.exe
| MD5 | 9d8dc509d67b0d55ce22960b2c0d60ad |
| SHA1 | eeed6660094e41648a5b99ed0fe03a56d8c3f073 |
| SHA256 | a010b104a1782e5cd8878e8a1295bf4e4a864e1aa31c9b6ab15e2a8894e3322b |
| SHA512 | ee530fe99091e2eecd6e45717a90c499e585fcc25e9473c93721d1e35ea31814d0aa773b440bac4c9debd2987946498eff562f1d5bb991b04185f2e209cc76bf |
memory/1092-1989-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wkgc.ico
| MD5 | 2d56d721c93caea6bd3552e7e6269d16 |
| SHA1 | a7f0d3d95a19f61d30b9e68b0dcee7c569249727 |
| SHA256 | f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3 |
| SHA512 | c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919 |
C:\Users\Admin\AppData\Local\Temp\cgQm.exe
| MD5 | a615b117e2b376f2cfcad016e7b5499c |
| SHA1 | e491194a5663380443e49f5db2b016d87c1697d6 |
| SHA256 | 88d8e87d0b104d948dc27a2099e895d0e17a956c4a610a7d436c85f0aa72a590 |
| SHA512 | b0227470f45089f16e2fbad681ff294a3f42329fe091c168f9775ef7047aa82864481c927a1c93d60479c0f2cea6c1216858e28070360c3112b05b0f5fc34cc0 |
C:\Users\Admin\AppData\Local\Temp\cMkY.exe
| MD5 | 039896d6b0d50fbc89c09583eab64e5f |
| SHA1 | b89e2ed00c39ea6a572273f4a92d89fca7ca8145 |
| SHA256 | 238a4d7b5574fa2a67378ac2cd0383a6dbb903eb9cb6d9eb6a62de6f2468c7e4 |
| SHA512 | da369c4acecbcb2031979cc45cb35e4c190269422061814c06cad1027964927ba5031c67043d77e9e806d51af2010b68980d62021a575e10b22a799f8e171a12 |
C:\Users\Admin\AppData\Local\Temp\voEQ.exe
| MD5 | 10d99db715cab73a5633522253d95f35 |
| SHA1 | b7225b6137455f74196380aad8eb61a856917d8b |
| SHA256 | 6ac4adc5ebfe3559388c4796b1292cbd19e4b9ac80f3400c5db7ce941d137a59 |
| SHA512 | dc5388cc637af4f5f287631a5550ab85428b3f9c78f679aba0bb8792ad97c001f67eec64f056c0e655f7aa0506ebe29228cb0466eed0c7d8b1d0112d4d9557d4 |
C:\Users\Admin\AppData\Local\Temp\sYcg.exe
| MD5 | 67a8bc7a933e2cddc0a37b36e42275f0 |
| SHA1 | c8a60c1e942aa52b69023b1c939ac10a992045e0 |
| SHA256 | 0af8d482e68a06bc9993bbabdf23ec612aeeecbd19947df8dcb9c0b35ac74dbc |
| SHA512 | 95d5dff62b912c079107cbbc9063138b08c4906438165406b1253d4cf51fc9fc8b49d7de7d8711f61f1ca7c65101eb695c466cd96bca3c5a1c89450b98b832d9 |
C:\Users\Admin\AppData\Local\Temp\ZEEm.exe
| MD5 | dace9f2b6dfee38da0543c8ec4dcf214 |
| SHA1 | 09bb013c6460d2ed142f59a9828d550f32e60471 |
| SHA256 | fe0f84b01de205f81f84482919c5aa4c366bb843631e50b2d0fa887abf7c48e2 |
| SHA512 | 839bdff2805dea36187f5b1dbc28f51b9a251d9d5352e6dcca1e309ae5c5edf56093a6af780bb9c5e51594b7654b1e1ea1b974dc1aedd81e05ee7ab527afae8d |
C:\Users\Admin\AppData\Local\Temp\tgUi.exe
| MD5 | f4296952e0e7ba481172e0bba2d65d28 |
| SHA1 | e48b2ace490a404202df5ed8fc5292f379d08397 |
| SHA256 | dfeb6814096e4905391a3921d8387d209ba32c0b20ab5d7f3c900128229ceb33 |
| SHA512 | 07755fb54ba66c3af11086e4698289f21568cf5028d5299232449a9e49003611323444bae7829409d4d71050ace7621037157899e53e6fb187ac715aaccaa799 |
C:\Users\Admin\AppData\Local\Temp\VUUk.exe
| MD5 | 65e5223e277ffe0327e4adf225569f71 |
| SHA1 | 91d6845b9854b20a99c5e5fc9c0f44cd94e809d9 |
| SHA256 | d12b13dc62823693fb2478cfacb9827b9d8590b4cac0c4ccf7458b339eeedbc3 |
| SHA512 | 8010d62556cf010eee3e60f796ada45815b5e840cb0dcd30003d3d3d756d217d52ab76c6c4098f2e364d0a7883736e198025aee2d96f483e7851510484b66b77 |
C:\Users\Admin\AppData\Local\Temp\twgG.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\kgcO.exe
| MD5 | 7bbdcfeb7ffd4831611051387724215a |
| SHA1 | 15c2998fc7bad3f28e848203d9d36c7e4f5358a2 |
| SHA256 | 36535162f9815e2b40e1779c1554b43286f82811fe89e3f3150d39ff0ba489f8 |
| SHA512 | a87048a5fdd6e224d34cd81470746f9c7620853e7eb3b60ee8df6877b1185ca203a65ff1edc2a1786da0d36f3ed4231a5639ca15c3a88fa19f8c064230c29a3e |
C:\Users\Admin\AppData\Local\Temp\KAkS.exe
| MD5 | 1b8c43b5a22b3f038c3728002b62d205 |
| SHA1 | 278af336ec2cab0ff32097b211abdcb998644c71 |
| SHA256 | 6502e8b7ac2af212450fbfcced513f335458753f034f46b2693158a3676d084c |
| SHA512 | 8d82aa8462c815a93d6fec8f092b596dd2a3a7b9cd007ddb8bbf59df1cd0d63c5806bcf66ca188c59bd722d456eaebe20df98d6b567071aa923ad89031a06c51 |
C:\Users\Admin\AppData\Local\Temp\vcIe.exe
| MD5 | 6853cb4e7f113b8df46903d9ed5cbc41 |
| SHA1 | 9d51e2b3e3029a377de6e631d919524bf13bafed |
| SHA256 | cdeaf4d90bc61da41b40febff87d364c0fb8ae3138754c1e4ab646fd171f3f6d |
| SHA512 | 75f21477ea9373ebfdfd51e54a4fe9e60668fd859ebc4d7a2d1179297d7715595c44830aa88eacc13eaba2257b32869a4dbb17f5b104dde6d6a3c4f30d5858d7 |
C:\Users\Admin\AppData\Local\Temp\sIQw.exe
| MD5 | 8ffcd70428161c54b41b74cc672d99d5 |
| SHA1 | 399f95b0d298127a055370bbf33bfab5a2d34555 |
| SHA256 | 16af8f7104a7fb49b19ec9a043bd7861e00c21cc26c2846876beab8adb78241b |
| SHA512 | 5f54dbf4a396c1ae8461b391aa98498d5a9ed5f72106a3fe0bb173cf63e1aa4ae1e223c08f813723a5772c4abc2354a85b341841d5329649ed3551d43e61a485 |
C:\Users\Admin\AppData\Local\Temp\sQIe.exe
| MD5 | 4093651077d01c1e4bfbb68a4fdb5677 |
| SHA1 | fa908f2afa4b003ce68aca0cb51068eae5e3c88b |
| SHA256 | 78bfbbe3f32d25f3f30a62ac954f9210bb309e3bd6c5c99aa632c8251b9e5cbe |
| SHA512 | b465758b2777faa64b4d6eeea911cf43ca3e844d72d71e70bc6951fa24aa4287374aa04b674d0936773dec304812eb1cdda91ef3a622b582aec1830f5f95e3a6 |
C:\Users\Admin\AppData\Local\Temp\AkwK.exe
| MD5 | d4b736fc4c9eb24a7e234ad4cc0e46ea |
| SHA1 | 33b6d6d05a65964aa75aca4a2933848bc53b15d8 |
| SHA256 | d6f95c1f7ad46ca5e203c712bc016658c1551ddca49455739724813f9386e0df |
| SHA512 | 34d02f0041399910183d498257ae4b75a53a5e67e1df0187041de0c3cec9be549eb75d5a8ec10d05638e1373ff71bf281c319c7cdc4c1dd527dbb81bb4a2b804 |
C:\Users\Admin\AppData\Local\Temp\Jowg.exe
| MD5 | 82e11db5f58e0c6a3e2c14ad612e12a2 |
| SHA1 | fadb43c4cc11358da517e7d7687b9ea18c16d4be |
| SHA256 | a8687849343233e8b016ae229726a71ce9b8f75435d6cb2d82ca4af0470c0571 |
| SHA512 | e9e37da1384d8f8ae94628e757fab35a0e4d83d5acc5b453570ff7ad2f07eaecbbbac1d37776daf794c0ae5c0224b80faea90e438bd9c88fc50eaecbdfe7e546 |
C:\Users\Admin\AppData\Local\Temp\dAUi.exe
| MD5 | 2b84f8e8a10085d49d70df2dc5a83fae |
| SHA1 | 73e0794a697193c5241f2e19f2d63b6569540638 |
| SHA256 | 6e70ef1fe542aab6ea32d71a7544220a0ee3fa701406aa7b3552b63dc66f6958 |
| SHA512 | 54ae99c9d5ebc39aa24af044b5f6b5b1c7886500d64f620de96d6ed615aed5607411da99c493466959b36e6ef961188c6f5154be1c483f3fa4121c98c8719f1c |
C:\Users\Admin\AppData\Local\Temp\REgM.exe
| MD5 | de28d7387e32a0e0aa6fa23b94814b2d |
| SHA1 | ed9566bd3b1ebafe7b96190b4c8ac97c49e942d9 |
| SHA256 | 210fbf4731cc470faeaee7f76793c33f7508c81fe21a2cf9fd23710ab170e7a0 |
| SHA512 | c513b1567dc99a0b64d2df9760144cfd61a5d4e631aa5c99488e0a622c4b3c98ef713219341adf462c7d52bafeed3d85b796ae5ed61eac21f4186b5af2f86f91 |
C:\Users\Admin\AppData\Local\Temp\TAAY.exe
| MD5 | aa57d74178ece7e5a5f16a6c3754be8a |
| SHA1 | 7576ca38d6b041a370f3dc5ed883690002c68639 |
| SHA256 | c489c69de768a0c99c4ac40c856d2424e9c2145fa0b0057b8a4c244726d97532 |
| SHA512 | 0673318ad0c81e40e6a002cec1b58a22bb3d692e9808068d57b7c0199aeba8a1ece07541fbca98ccfe7f9f169c79dc6a55e899fe0b56df18b3e1945b773007d3 |
C:\Users\Admin\AppData\Local\Temp\coEe.exe
| MD5 | 311abb6b4f4e00ef9bb084ddd92922cc |
| SHA1 | 4ae7543df15a205a11e9f92236e0d06832fefaa6 |
| SHA256 | 0d45f9df0fbf06a0379a5477086730a6217ce8c9dfabeaf59a61e0a61ad92e95 |
| SHA512 | 224e40bf5145ea4712ec498831230ed80a89511dc1f61feeb65bc72aeac38184c97b923893dafc0b0d88fac3b3b0950f0ef2dec3f5b4750c04e1409af6097bed |
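The listing above is raw triage material: a path, four digests, and the occasional `memory/<pid>-<n>-<start>-<end>-memory.dmp` entry with no digests at all. Two things a responder wants from it are an IOC set to sweep other hosts with, and a flag on the drops whose names are built to deceive (an `.exe` appended to what looks like an image file, such as the `OneDriveMedTile.*.png.exe` entries under the OneDrive `LogoImages` folder, which displays as a `.png` once Explorer hides known extensions). The Python below is an added example, not code from the sandbox or the report; it assumes the flattened layout used on this page, the sample records are copied verbatim from the listing, and the `DECOY_EXT` list of "data" extensions is an assumption for the double-extension check. It also computes the size of each memory-dump region; every dump entry in this section spans `0x400000` to `0x41F000`, i.e. `0x1F000` bytes, which the parser exposes as `MemoryRegion.size`.

```python
# Added example (not from the original report): parse this page's flattened
# dropped-files listing into records, then derive IOCs and triage flags.
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: records copied verbatim from the listing above
# (two PE drops, one memory-dump entry, one .ico drop).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\XIgq.exe
| MD5 | 468c4c5f896358f08640d7cad653e850 |
| SHA1 | 10efa6c7a5e9894c0e6a5eae9fff80efa9d08019 |
| SHA256 | d9496d3b2a72ea7be28ba8effa98208b0565e2a1c6c23a7ddb5d928e180ab377 |
| SHA512 | ca84aa6e9df142f27531924272800fb3b740fdb1004994779ab95e490439d1679751eb72818ee78024442f1c2cad592b0c6e83886017461f881d0a08a267dabb |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe
| MD5 | 5fc26ba39cf378c5f703fc35a57f4a87 |
| SHA1 | 1eef1965c9b934562546f5f0b418cb6fc691c718 |
| SHA256 | f2f08bf6a518e8d76698b86b477d61a044044518da9484767359405eeb9b40c1 |
| SHA512 | d23dec1dc7f6f980609a10052ac98a9d3d418cb75bd9993d5d97100f8432c6d81894c2e7f4b2c3340595973ccfd912190feadc7d53d8063920c51a2e750e17e2 |
memory/3780-1268-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\swAQ.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumed list of 'data' extensions; '<ext>.exe' after one of these is the
# double-extension pattern that reads as an image once Explorer hides extensions.
DECOY_EXT = {"png", "jpg", "jpeg", "gif", "bmp", "ico", "txt", "pdf", "doc", "docx"}


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    def double_extension(self) -> bool:
        parts = self.name.lower().split(".")
        return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DECOY_EXT


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (dropped files, memory regions) from the flattened listing."""
    drops, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or garbled digests
                raise ValueError(f"bad {algo} length for {current.path}")
            current.hashes[algo] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None  # dump entries carry no hash rows
            continue
        current = Dropped(path=line)  # any other non-empty line starts a new record
        drops.append(current)
    return drops, regions


def ioc_set(drops, algo: str = "SHA256") -> set:
    """One algorithm's digests as a lookup set for sweeping other hosts."""
    return {d.hashes[algo] for d in drops if algo in d.hashes}


def match_bytes(data: bytes, iocs: set):
    """SHA-256 a blob read from a suspect host and look it up in the IOC set."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in iocs else None


def masquerading(drops) -> list:
    """Paths whose file name ends in '<data extension>.exe'."""
    return [d.path for d in drops if d.double_extension()]


if __name__ == "__main__":
    drops, regions = parse_listing(SAMPLE)
    print(f"{len(drops)} drops, {len(regions)} dumps, flagged: {masquerading(drops)}")
```

The length check on each digest matters more than it looks: hash tables copied out of a report are where truncation and line-wrapping damage happen, and a 63-character SHA-256 silently matches nothing. Feed `match_bytes` the contents of a file pulled from a host to test it against the set, and run `masquerading` over the full listing to pull out every `.png.exe`-style drop rather than the one shown in the sample.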