Malware Analysis Report

2025-01-22 08:21

Sample ID 241026-fhy69s1fjm
Target f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
SHA256 f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

Threat Level: Known bad

The file f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (83) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:53

Reported

2024-10-26 04:55

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation C:\ProgramData\BuMIMIko\emkgQIII.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\psQQIEEE\UQUYoQMs.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQUYoQMs.exe = "C:\\Users\\Admin\\psQQIEEE\\UQUYoQMs.exe" C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\emkgQIII.exe = "C:\\ProgramData\\BuMIMIko\\emkgQIII.exe" C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\emkgQIII.exe = "C:\\ProgramData\\BuMIMIko\\emkgQIII.exe" C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQUYoQMs.exe = "C:\\Users\\Admin\\psQQIEEE\\UQUYoQMs.exe" C:\Users\Admin\psQQIEEE\UQUYoQMs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\BuMIMIko\emkgQIII.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\psQQIEEE\UQUYoQMs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A
N/A N/A C:\ProgramData\BuMIMIko\emkgQIII.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Users\Admin\psQQIEEE\UQUYoQMs.exe
PID 2396 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Users\Admin\psQQIEEE\UQUYoQMs.exe
PID 2396 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Users\Admin\psQQIEEE\UQUYoQMs.exe
PID 2396 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Users\Admin\psQQIEEE\UQUYoQMs.exe
PID 2396 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\ProgramData\BuMIMIko\emkgQIII.exe
PID 2396 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\ProgramData\BuMIMIko\emkgQIII.exe
PID 2396 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\ProgramData\BuMIMIko\emkgQIII.exe
PID 2396 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\ProgramData\BuMIMIko\emkgQIII.exe
PID 2396 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2288 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2288 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2288 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2396 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2848 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2764 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2764 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2764 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2848 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1468 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1468 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1468 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

"C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe"

C:\Users\Admin\psQQIEEE\UQUYoQMs.exe

"C:\Users\Admin\psQQIEEE\UQUYoQMs.exe"

C:\ProgramData\BuMIMIko\emkgQIII.exe

"C:\ProgramData\BuMIMIko\emkgQIII.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWYYkMck.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAYkMYUk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWgIQYko.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuQAAAYk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCowEUks.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqkkoQgM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOYMgAIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwUcAgIA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqAkYMAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngEYIooM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSUgMoQA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIwkUwgE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeQUcwUk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGAcgQkc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAEgEQwM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeMEoscg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCQsQEkg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hugggQgM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYAYUkwY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCsAIAcA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dScwUkAo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sagQMUAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUckIIoA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOgsgEkg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuwMEEgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOcIUYgI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiskkYcA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkkAgocE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyIEAEYU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWEwUwEM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUkcMUgs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyoswIMM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQUEkAgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyYIYUgU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOAsosMY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqsAwYYM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGAkocMM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoQoIwYY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwwoEoQw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUUEsMQo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lcgAkIIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIUYUYok.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsIgkoYY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgokcYsE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmQkUoQI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UYoQoYwI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\escQQUwE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgossscA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymIokkkY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAYQUEAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOYMUMck.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeMQoIwY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmMgIswg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAcIcEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSgQksgU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISUUUUIU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIAQssMU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGkgQwEE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcwUoUQI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwkUoYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgsYQIUs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQIoogQA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qywskgkE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2396-0-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\psQQIEEE\UQUYoQMs.exe

MD5 0449a1809c2e3c20b1e3fb138fffe896
SHA1 874670fead0de32fe927838788f02f2ad958761e
SHA256 5b3643b18f03f405c150ea8d328ed238e22c63a7a9dfcb0713277ace4cfb7713
SHA512 a1e64ce110929ed0d077e2493e504c0a2e8caa230e7733a17ef512b328bcd667dc7f2b1a2a73f1482238c3a1335943313bd021618cfedee452149d225d989dda

memory/2396-12-0x0000000000310000-0x000000000032D000-memory.dmp

memory/1704-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2396-9-0x0000000000310000-0x000000000032D000-memory.dmp

memory/2520-32-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2396-31-0x0000000000310000-0x000000000032D000-memory.dmp

memory/2396-30-0x0000000000310000-0x000000000032D000-memory.dmp

C:\ProgramData\BuMIMIko\emkgQIII.exe

MD5 cf14af69a98e261a8ac66aacab15d424
SHA1 a81cdeca18569fe44c981bcefdfb9a7309c54f56
SHA256 e818f616c211f2a0099ccae78018e55ca44b613184d0eb947ec5b16785aafdcd
SHA512 7a180ad7389dfdba0f0757b02e51244f5f645e461bf5530fa15996ee4ea33346f07c0701fbdef4eb3198b99175f3ebefc5f001136903bff205106a606b1bf71f

C:\Users\Admin\AppData\Local\Temp\jgQgUscQ.bat

MD5 8dcaf6b73b31049de2667a70022dcff3
SHA1 b8fb88fbee98ec119fa1b66048ba02a4495577e9
SHA256 7b297a8dc63ef19293f164878c2e165c13f3fee9272e1d81e150640dd32077e8
SHA512 43bf99d2e8e9029641c1a94ba8154a98345be50ae929827b9bedab23da97924a3e307e6d5e29653e73380a438f2d6e6a1d5b9e56fc3bb5b642d35ca6e771682b

memory/2288-43-0x0000000000260000-0x000000000028A000-memory.dmp

memory/2396-42-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2288-41-0x0000000000260000-0x000000000028A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nWYYkMck.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2848-44-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\hmkYsQUA.bat

MD5 706e04efd9f1bc4071fd2a245162f649
SHA1 5842a0ffe3b948014f6ae943a61a224edef22c87
SHA256 db83059c584a42669b16dd55a55cb08a4f50e3e01a6e77e823cddfa1d03cc1b3
SHA512 821ce1191bb53c681c8dfff14971be0b3d39b2df76c58e4f07a6a30ef255a389275b48a2b0ed45517efa59fb0e8517d0f8b661d4a0588a7460f919eb852f1569

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

MD5 8850c1f63d9932bb2d8e957ed72d8fdf
SHA1 44271a436bed981ced2c5f3839733bbaa54dc8e3
SHA256 419b5f32629b747ac897aa66acf77ef2320d4f066470d616e21fd248a4a55f29
SHA512 8a33601de5ae88e7dc7aac1325514f68c5e8e40fc7514fa1d1542e78fddeb6612b26a04bd109e40efc36efb591f5bef48693a918219b9e56598677cb26e1978f

memory/2640-58-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2764-57-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2848-67-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jKYQMIMk.bat

MD5 f423eff62816154ffd0703e97e25f795
SHA1 9b3f6eb14f5d84ea3acae449a87d1d23a4da4311
SHA256 51fd169b65d95d7f5b4d9e13c605bee31ba718ed49bb98bfb1cd43647ccf0d46
SHA512 8ac34503e36ceca3008b5578f9a2dacc166249fb297d7a634a21351750c54b985969deab986a7cdc4e5d6d4e0e98387915a6ae0795774957919ab6f18095cdae

memory/2432-80-0x0000000000280000-0x00000000002AA000-memory.dmp

memory/2640-89-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sWooAoco.bat

MD5 1b4e12b42bdf29853e04d4799fd8d72b
SHA1 c28512a68e1ee0aeced4d2c83add9682490d6167
SHA256 8b1e959983a992ac67978bacf9cf56ad8a4bf584083917b40e2b08ef932840a2
SHA512 2288519efe9a86971e7c57415afb1581d23dd3d02ada437578539ade1c1688457cb000283cc7c378f189eb8c9b9d1ee38782c7cb2f9c7b21e53029e9a3cd6069

memory/2372-102-0x0000000000370000-0x000000000039A000-memory.dmp

memory/2144-111-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mqkUUssc.bat

MD5 4c1c221c2c860ffef18577047824d779
SHA1 3a9641ab0d4ea329dfaf2722f58ce21f8cb2bb4d
SHA256 0ebcdb3712d1aa5608f2d025809f2a12aa18fcf2e9ada929ee20752f8d942f65
SHA512 9163fe6035862bd4c5c1e304f1df2256db75f5232a15e69db4a57b84f4fd3417fa51757b6cf2926eaaa856b2d7ecc9319bc09b8379de78436c49caf4dc00f4af

memory/1536-124-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2976-133-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QAYEYMYo.bat

MD5 15466018965d8d2748d9f6f8e97037f6
SHA1 a753c8ff26eb4ce7e455e695bd314f3cb6b6fc94
SHA256 9a29d9b227586c64f369426d8b8aaeb8df5d23aa2e5a2317e1de45f05d4c814b
SHA512 5b04614e45ae502a5cde083e37d4e8618abccb242979b00b3f0adb23d736b8aa3008f4ea71f39b6317d27f81b68b022b750f19174d30321421255ccc2b3574fd

memory/1624-146-0x0000000000430000-0x000000000045A000-memory.dmp

memory/3024-155-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osYMMgAA.bat

MD5 72bba342102e1bf4d59047fcce06b97c
SHA1 15fec04efbd7236819f5eda13bfbb3fb7096ff47
SHA256 f12835f6e3b72d27507bdbe37831ae982545715965bc9591abb8068302b1318e
SHA512 00ed2f79ec9c28564ffa40af42bfb352429e921d61cef93efc9cc73c946f974e0c1a3ee5bb1a41c0bfb69f1894aaf81bc2d73cfbb896bd9b7fa9983d7cf66fa3

memory/2852-168-0x00000000001A0000-0x00000000001CA000-memory.dmp

memory/1564-177-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lscsEgUI.bat

MD5 8df718a6ae0407db9b638516d65acb3a
SHA1 0f182f412f2e6f967fff9dbd0f595a8ea51b61e1
SHA256 8a6cad1b292ad736bfd24626054032b86da854abe8cc1a48b67468ed1fa01f3f
SHA512 4ed09dd0c5cd72e02b554978ff821473796bbc5f939c27c6273b7c50a4fdb64c224614e44b4dbbdf3c6ff5d1e23c3db3bdf09ae3f0ef4120a0eceba26e1a04f5

memory/288-190-0x0000000000260000-0x000000000028A000-memory.dmp

memory/2916-199-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jiEksQMQ.bat

MD5 2081760672a746130292e8a3d2d4942f
SHA1 8386b6a4bea7a47f16d81bfa83ad329baca2ea2f
SHA256 c7654d00a606a5bdb9e94a4d78b46ed00cc834660c0005778385498de4b86186
SHA512 ac2aed7f7a3578052a58eb8c7c2765fcb79bddd0780ee9b03041db127045de9e26ce740ad69bdc7658569cd3e0b7b25f652eb5b1cdc1760b553a9ed4b6dedc2c

memory/2912-212-0x00000000002F0000-0x000000000031A000-memory.dmp

memory/1792-221-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zIoYYAog.bat

MD5 2e1348dc39524e41082e5d080a895b92
SHA1 c3557a3ea30f61ff5e4d059d20ee221844aef5ac
SHA256 3a8b18879d370261368bcc465ddf8cc792b779177f35238c796d4c071a0413f1
SHA512 0adffb79171aef8bd28f9c90ef9c7d616b35af096d0be9a495162fbfe95525420829418bbc5c3f90cd716de2bb51c7ae6397e879e5b2970b115dae599dbb8987

memory/2904-242-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DkYAwgsk.bat

MD5 8afc7a94fbb46ee1b8996c1fb95730f2
SHA1 3c14202eca070d3191cfb51fe363b0c4d93c7740
SHA256 3033ebb8910c5ae506d58045231306f0e82a2e8794603fe3bc8fec67bcff5c0c
SHA512 02bd55e9412f8c5a0fed3e7b91c786e33fba28efca5df9ccb2daee3de7578c9b7cdb2d8d03c18cfab4c38d5d0e4be70ac9a1249de0e0fd9170205cd2f2eb94b0

memory/3032-255-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1856-264-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tKYswcEM.bat

MD5 6d0102a9f6384177f9c104eb9721e830
SHA1 3a15c4625970d9becd093ae7ab23feaeec70ada7
SHA256 28581f96b25794925e84c52617d0ec72b21330d451ce4fd34aba5332ebdfdc4e
SHA512 41c3c727f8295abef0db64d44c0145b55abe1034f738b4646304712623a7a34dfc2e527349cd32f6dfec2507cffa7d768daa9b9c22adb49b15e4b19478a4e68e

memory/1536-277-0x0000000000290000-0x00000000002BA000-memory.dmp

memory/1780-286-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IEsEAQEY.bat

MD5 c480e186f9dbf546ec093995aedf5aa4
SHA1 47fa15dfdffa3985ea669a36092a561b610ab20e
SHA256 93e732bcdb77b74fcb38881f84ae16d5524413c2d4f796ee271e4e8eeb1eee6a
SHA512 65e07bc29bcb7018ac6747f2b5f6784ae0a293a864abf463498d862778a3c30f0ecdbbc8b853d1afb7196c15af16e95d47c788abbe8e43d8f0cad915b11377e7

memory/2120-307-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WwcoQkoY.bat

MD5 d40c34b2b3f42bc56673d267c6d2ee5d
SHA1 51eca97596affa654693dbc466b047574489c0a0
SHA256 608247faddae8037c32af36c14f2ea9dddce1cbc29b5b2a00caf912564ac1add
SHA512 8ac2fe080afd3b0e5f5e443a1513d8a9570a2b609cf3acd7e1c019d799bfaf112f8639976e3a651d91be9a22cd2d53de7ae0396f23d39b27e0d0e375cb4dfaf8

memory/1420-320-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2832-329-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QMwIQoEY.bat

MD5 685ab2294bc7161ba5c164938364db5f
SHA1 18a05127b73e9a1cf5ada9e64718e6b0407ec379
SHA256 d45bf9bb21a7f8587165190fa0cb4de958ffd1c6a161fb47e40a5b3ca86ccedd
SHA512 2a3c2148119da922be1d563da0ec23788bbf8d3b45bfc0b8484ce595953284924fb2aa9665573340189457c986e494e6b55c1ed68a8a0da2e73affe69a3506d6

memory/2696-342-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1936-351-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ucogQMcM.bat

MD5 a2aca786b845bb604ab0e6e4b578d749
SHA1 0ba7dc39dcc0b08464c30929d005559823a2f076
SHA256 be3175f4d44bed408c358c1b810a1e25dccb08de9aa8f27d13b965af1fffa190
SHA512 d5c2a8186b22b6e26e788d2ab813544b498595d10c308efb2b39f0d5f95ce9d24f4f4813ffbc1fbe2c55c7665e97afd34dd678e6fcb20754103325fe466aa825

memory/1772-364-0x00000000002E0000-0x000000000030A000-memory.dmp

memory/2940-373-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uoQIgwYk.bat

MD5 ebf44b5c81666a758103e21024f34ed5
SHA1 9ff9d9d4271eae84666c019d3f40f14b2c6dfa7e
SHA256 b1f6af013ddf828cf8e84e72e9eb7974250332d810f869ce5b6c61f16f5a7be2
SHA512 08faa39d62ba8a01f7126d46930e832fd7beca7a1aca86109dce458dbe304b930ab71ac5798bea9cd45132003ac6bfeb1a88d606c5d179984f853de7b03a18bb

memory/3048-386-0x0000000000120000-0x000000000014A000-memory.dmp

memory/972-395-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FKIkYIEM.bat

MD5 4328e9667734877504a15d94d723e376
SHA1 869ee7f60057df5ebd58c3c566f161f8c2b9a57d
SHA256 1275a6d0b95c6dc2fb33b141fe69d7862e4a9c65f19a56568ce4daba1b92b74d
SHA512 3a932ee4a67a576f6a0a19b0ba8f74235ee46ba8ae9ff683d4a76d805ddd49e0a2283e01c1d18fc067caa9276a5850fd9c7eb247391a81dfe6fb688234db0036

memory/2312-416-0x0000000000400000-0x000000000042A000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\zkIswIck.bat

MD5 0ef631e059cd194a9f84e54241c6658e
SHA1 50e06970b966fd9f2bf86ebb9c6c7d49f922edf0
SHA256 d42517381462a55005ac6682f39c8bdaeb45bc2a2cc2231788c4fe5c158b7a34
SHA512 41a76474b738d4a7b682a21416364c10e93f5043f2dd7fafa5504e5876f4f3b2f4b47df07a21c8a2c2161e38b78d7a507f9d6971192397fd9d42179c0caabfed

memory/2440-430-0x0000000000400000-0x000000000042A000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\OkQs.exe

MD5 68abb309a91876df6987992ad35bc802
SHA1 16cc3aea2c29c056af0d43b962d746a2081a531e
SHA256 2581582832997dd1aec84ea1e450c473995b7c09f6840b3268bb5f6e018233d3
SHA512 3e41ed460cf305171ac9e2d82921cba8e6a8a416bcf0b017fcaf1bfcd011376316770ce3ae331bc55203574bcb2e0b45f332ab6fa394c1766fc2bbd4cd253ac0

memory/2740-454-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LqEMYEMY.bat

MD5 90372174cb1d6827a6a7199bdb3d4f60
SHA1 b4372419911263bd2006a6151cec91dd6f8312b6
SHA256 43fddaa3aba9351dd62fa330bb47ef1b4176918f6c2c026afd308999099af36e
SHA512 b178ee5ee34e868db9880ea29dffc51729291e53e9a68c46fd9259d9790aebc9fbf5df3b1d2f78d27fb86324789a376428db4734cfb7179202e3cb3677323551

C:\Users\Admin\AppData\Local\Temp\OkYC.exe

MD5 99e40c8fa53cfa77a127e767110bbcc9
SHA1 7e3e61dc399103104f35621cba345a5cbf7508e7
SHA256 980e378eb0abdab6bb7f6b75d62187378697cf91e55d6f65f13d9fd1bca91d3b
SHA512 8de33d84e28898056c063bb01002a50dc0fa60f699f62a42c58d704da10eb674ea18e7f41130bc52c58783f0d865c1ca3ae3a22bb39340efae26878fabca719e

C:\Users\Admin\AppData\Local\Temp\QEAA.exe

MD5 a7313eeb2ae4bc8c24211775da31d464
SHA1 b0c0a4195afb24488212fa35af3308e67dc69271
SHA256 6840bb159318c4e3ba9b074d12dcb0876fec422ef11cf77b9752e6e1caaa76a3
SHA512 3a921f39f4931828dcef2a2c92363ab4a49be25ad1784cca30c61bf685ee643e509624161b486b598a9ea183c066b808110d6f6cd0f19b6fd6076abb83178f94

memory/1508-489-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2328-488-0x00000000001E0000-0x000000000020A000-memory.dmp

memory/2328-487-0x00000000001E0000-0x000000000020A000-memory.dmp

memory/1096-486-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GYgU.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\YEEw.exe

MD5 a09fd4dbe861c2fb355c361b98676dd2
SHA1 e4a39f90ab2cba1f7b98c0af9c7b2d249104558f
SHA256 04069f0a82b7a894b84aabd6a57b9225ea63dc9690fa4bbbfb278f803b04e334
SHA512 6d60e996e8d26930294ad5a53338be30fc51b95aabc127ef75fe41ff3fd47f244377cace363943122e11e603994775e17d5358c1701504caf9dc2004a8489aa5

C:\Users\Admin\AppData\Local\Temp\mQYI.exe

MD5 02879b50bf591bd26250888875346b40
SHA1 80f3670e86e54d50ae9b0271c599882e44704ca0
SHA256 789ff602d743ec358258bb49b9c895dc4962da2a0d7defc5890c29fc8276f2c0
SHA512 a7d64f1568cf7c9e8cbd73585c2cadc3186f981ffca74675402c18d7214890b0d5d5f09d65017099087bf4d5362fb0eb19f7297be349f104a275f0301e2004d4

C:\Users\Admin\AppData\Local\Temp\qAAy.exe

MD5 94247f7e51a4893bca22af424c8a38f7
SHA1 03265f2ed37c88bafa3332e195cb07d2b105cd7b
SHA256 55febad4dfd77b370307ec8af31b6d437d0ed55a6b317952f1fabc38d3236a44
SHA512 2287b1b7499c1b64c3c468bbb80d36f30df3a019b4d3f3b906bd01f21dbd82683f5ce4cda7a1d9df588fd95ee7ec4cd11bc5f53cca9bbcab96a561e8f45b577d

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 def5be1f60731eea0dad060a13995cf2
SHA1 45e329934fc7aa1524ab007ac67fc303082e3f52
SHA256 6d976672b672147b59a7d9e8d430680ccddb4b528f2aafb78fb390b92e00850e
SHA512 f57fb10ad5c1735c9a04366af550a8d6f6ea986de8b16d429e3adb0d847f787d4827c4443ed141f7f864018b0182cd1bcfb553b492fcd56f28645a35bd2c1582

C:\Users\Admin\AppData\Local\Temp\BcgkoAUo.bat

MD5 1ec488ddc74d23e64f848054a1b0508d
SHA1 72bcef389e83e106a755dd29391347dc04db09cf
SHA256 a3409b1d082d61d4e97774b66dbbf4689aafa577b2397cc63ddc6a2a617640eb
SHA512 6719af8a1bf6673b1f83ab9a161d96090f82403ecb8cfdd7970d4978fe83326fe54e7e1bbda909851c396008316ecc1621cadfb80b69677cf0cf39313065af38

memory/536-577-0x0000000000120000-0x000000000014A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oAQy.exe

MD5 ed28628aee65a8631d830ea8ba49e2d5
SHA1 0d7b7cfd5df2d2470a2cf8e44dd2193ac18d6ea4
SHA256 f091e8a46f82163eb8aea7c724a2c159c7fd0fd5b489423dcd68ea90993303f6
SHA512 dcc9fd8d3155e223578a68fe1a20a15410f388d7d9e1af62c6bef8d4b6b411efdc9ca417014775dc24d6520b0cfc4bff9af8ce206cc8daef8aaf7966de26ee97

memory/1508-586-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KkcU.exe

MD5 b8e589a357cfaeb636a21ce8d9e8f165
SHA1 b90e81a8638afdc23f487ffe349acf72ae031482
SHA256 1d40a79b01ba1b63689c67aff55b32eba3983628779cd460dff5fb5555f8b29d
SHA512 9b7c5ec834fdd70407b7fad33457466ad6ce69ff3090e26a82bdc7fd17e44917b23f6e1ea76f2268b27014b5591c552938e8f988961535c82d029dea308ac5d4

C:\Users\Admin\AppData\Local\Temp\CIgE.exe

MD5 d743dca239bae0a9b05a938b046a54a2
SHA1 56a4025aa0854a5ac4fdfb42f0fa60c452f89d76
SHA256 8fbd77e2a5b82949781d8be97883aab7201fe07010e3ab33827c5d9b987bd768
SHA512 9ff82c7d0a5f84f3ce5f5c07447ea5879d306a782c7cd9ccb9883ceeaa709262566d85a9d5197b1aaa744248ca8bc7f1632c5bb4c1fcf1fc5d576189d3853d56

C:\Users\Admin\AppData\Local\Temp\mUcW.exe

MD5 d210e8f05660df1ff84cae4b68fc488a
SHA1 5b85364ba18da11a656140b72345cf1e8648382d
SHA256 142ecb2a9451c7b421dedbd9bcb2e8d3ec339c1d90a7f765ae2cbb60bc98144a
SHA512 f168aab32c1700e60cb653830e9a2e8026fe856589222d8c07525b9344f18a53692962247d8428e40715e556e51a4b5c66cf2b27c06e2c170c3bdb8162f19928

C:\Users\Admin\AppData\Local\Temp\sqMsIQME.bat

MD5 70bf8c7069e3b2e91a161407b1f7e854
SHA1 0f54d9e70429fbcdb75da48f133d0aed20d4894f
SHA256 58579198cac79b8bb4b11225d10b23b190cb44b4c64acc598af754b87a398cff
SHA512 82ded4f55c48c20241474a4736108a6a260ee59018820699246b328282c94533df977e9d4830c387379806358ff534eac28ef29d4d57b0dd92fbee6e0ad03126

C:\Users\Admin\AppData\Local\Temp\qIom.exe

MD5 a123ea46fad65afb3521ac23e3c36680
SHA1 b846afaffbea04666e8f8a39ff2568010f3b997e
SHA256 866b1032aa995592b139abcf0c2fa57eef2bb952e533520f7510927d5293b852
SHA512 7727a20f293c0de27a6d0e575c9e4c8ca3e623ebd74aeb6b83d2807bd21719cdf7be4852de9ac594da88ea610dfaafdf5ac2d8d96c0023a8de987a2d2caff2ce

memory/2456-648-0x0000000000160000-0x000000000018A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUQO.exe

MD5 a77e756ea803bca5823189307d6f194d
SHA1 7c46283325cee770f626819cc1c53679cefcff28
SHA256 b2d8d92741225a668772955ff8be428bd8038b3a8659de3f59e2363efbbeab62
SHA512 cdaacf0c109e9680bd108de74acae23f988f3da8cfea4414f21aee7d0ca84646f09f68c1105a15e8fa6f9e0c70b1ef4815bcf5f79e4e543aaecde9e1458afdf8

memory/3016-657-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KkQW.exe

MD5 1f69740dc6a5147c3397f3fa6168cd6b
SHA1 bf15aded95197ff68c3b838fbc488e8634e38372
SHA256 8da5694e063c6755991b8758d751f2bd804423c3e1c794926db5c11a0ce3e994
SHA512 fc69bb3427e17af9af9b06c4917a4502f7c0fd31b868eee32521c7acd63432352bb7008259b669c031e225ffbd7a2dd9388d4148439f32c2024d3a85875d6bde

C:\Users\Admin\AppData\Local\Temp\WcEI.exe

MD5 051d802cdf4532f747260d8f50cf3436
SHA1 0a64065c23b03cf2c4f20a5a4561827f7319e95c
SHA256 5280a038d45d762daf4a043943106ab318b617df5ed6f77250820edbc8620aec
SHA512 ceac51a30348e714ca06364b37555dcae9f589bf73aa1ef588961bc19ccb53ec9db16cad9dff2902994f1f7e85575ea27be0e19a510f914353edecf1de0cdf3a

C:\Users\Admin\AppData\Local\Temp\coYI.exe

MD5 f7346b8b510972aa0816970e6708cdcf
SHA1 bfbdfe56afc1b930b960d5159d033f6983c0f39a
SHA256 e8fc844ef3d21c8179aab7096b88ead0e4d6b3eb10edb4f58d39dfdd16518f56
SHA512 bcb766ce553637e995e236bb6e2110d9bb535cf043cfa44740e92aeb446eec04f15fefa817caa05ceda73fa54ae496faa9a1d37f9bdc85bb655f5c8bd1994ee0

C:\Users\Admin\AppData\Local\Temp\mYYS.exe

MD5 fac81b11eec67cfc505b9c0191fa482b
SHA1 d4e17c418d7c3ea66af8c8baa619d95fd412f0f9
SHA256 0c595c139d05e1689de3a5a4fead2757a17c152d52a06da84b84315955834631
SHA512 98d6bb5b6052c869ddf5341c2e946f7297a97fb682eeb11f2a48c6d7250305ff840f139f0776be762e49cc0a6911e152f741d59979f1160c1d544f76d2fc8718

C:\Users\Admin\AppData\Local\Temp\WMEG.exe

MD5 6a61f286006074ef025120860e60d666
SHA1 287ab0c75307c46c050aa4b75f62b3642f42161f
SHA256 8bc54dff2f8c16573654182706dc81c21ddbfaae80ef3a9f8bc3408d785a8ce5
SHA512 1e845d8f0022c98db492707b10ce6d07a2dd697a4dc3a1dd37169dda2620252f3084701b6157d492882dc7e593e0da00fed0350546da47639746e5b39d508b48

C:\Users\Admin\AppData\Local\Temp\aMQQ.exe

MD5 dc59deb0abf476decec6a9fdf3d09f64
SHA1 b827a81666506c6129c665f0c985361603477540
SHA256 5ece968d02151a412e347917a0faee29864042b48143a8c8ae782b39683bb7a9
SHA512 e2143459c78a6734a0d035817ef453aa33fb93f77d55c09ae4ce2d16c8110ca86a3b1354c695ff7cdf57aa176b8977a02257ce60c09598d4bca7380397760c73

C:\Users\Admin\AppData\Local\Temp\aakooAoQ.bat

MD5 d0d50a4c509334447a40a6f4199fe304
SHA1 9bc7427784c6475c0851d4236788d6cfd66f3229
SHA256 32a3be7fe9d29a2440cde2e831fe4d1ba7c75a68c06bc1be1727dae794131a8e
SHA512 7067442aa8967e93d30785a0bab429916e20575249b8e94c1dd3de02abda93e03e0dbe1f7f699c516b2681e53154fd3033f22f782dfe7a2e5e39495b01353b3c

memory/1360-758-0x0000000000270000-0x000000000029A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OUMc.exe

MD5 a1cec8a35fb7806ad014620965f40cd2
SHA1 769be963cce62bc3e42dd41641d6049bfd6ffab2
SHA256 2ed8b9a6d0f1488511e9dd4385c676b8edbe609ab45947ffceb7883c5985b6ae
SHA512 430b8970ebba96228c2b2e383e519dd380826efd8691db119ff29433cef8111ef4fe335aca0cebaac7dad9f6f6e73f0f9bbb69d5b31a69f3eacad71ffa998a88

C:\Users\Admin\AppData\Local\Temp\CcYy.exe

MD5 f556db589bc0840fe7f21ef9b2124029
SHA1 3c5e4002458c072658376cc771857296db6015a0
SHA256 d453154e731e79db4f5956a09bb973dc0c39220a0f1562710cb2f7d416da6ad1
SHA512 955be448a385627d0a3eb37db0f518f1efd89f958ff384829c24323fae102b25cf3a726684c13007e7a25c0bdd0eb4285c86e8a8cafa3b8635fc7e01d84425d3

memory/352-793-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oIQI.exe

MD5 d5221d1b9c1aba0a1d54e3e28c3b1088
SHA1 4eb6c2cc69ad30970a15196c16044c24037399b1
SHA256 399143ff56e664133496dc706af6c264c383eade3cf6c33f38f3efeaed334d96
SHA512 22785be7b4fba17a70523015755e4d68c52fc823b62b77399ad9911ef2d49a4d25383a4ecd3c2bc18a031e20b9dbd04588af0bba30aad34cf9a942db3f561337

C:\Users\Admin\AppData\Local\Temp\CAkm.exe

MD5 67dcfc5f4952377ff6a38ccba536f336
SHA1 cf971b762753adac21482435961089cf1a9b4e55
SHA256 28f080fe04b3339d6ca434c31c13f728b5b532bc56ad6994f28a2bdf1db79065
SHA512 9c29a3132d1800a1996190d4ed4f4d1d874454e8401579fde546cfef7dbc5abc9ca5b02665924ee3e435246c6882fce492fcaac7083814685f88a74febad26a4

C:\Users\Admin\AppData\Local\Temp\akcK.exe

MD5 24ccd44db3a90976a7ae011aba4ca60d
SHA1 45091ad2dd9e7521809706c082e0a52521357370
SHA256 15e67c1ccbb50546d99b1be80dc3608d50e58a43205930cd75f1885da112d892
SHA512 6cc96dcfbd3d67c9206f56acabc1d30ca613a7211206fc69154a1f35c3becacb8f9402daaebd271f31ee400364f5d7784d698f21763baae299f17ec01bc68514

C:\Users\Admin\AppData\Local\Temp\MAoQ.exe

MD5 5c4831253d943fd6aa8697fed3bd9c2c
SHA1 38413576c666da32664f22babb4217a901791987
SHA256 cb11fb3573e2871311561598b526ece9a77bc72bf0d5f013406fcf4c0caf00eb
SHA512 5b5549ba93c014c6c42a63d9bc328278127535e0647bdacf8a5eabf78473fd0413243e274a3e2644019d0472b750603f514ae5f1e8cd9273ce52df7d26485d34

C:\Users\Admin\AppData\Local\Temp\IEcI.exe

MD5 b5295b1541e6d25b9b2d76ca33486b45
SHA1 d560a77d07cbb37866fe385130d6e5798c4c0f01
SHA256 9143453a450a13cec85bf95cd0dc4610195e304ed12250fe70b1733c19bac2d3
SHA512 73e054c49c076ec32b81df395d805962b48d5be6fab3e278d089c046923d352cb7ec22352faa5695698c8b69e92af71fe207e35b0fa9cc255e1181e9103e837d

C:\Users\Admin\AppData\Local\Temp\sQQa.exe

MD5 c2a0c31c604c17d97f4bd0bafcc8dbee
SHA1 ac31bfb27054913b86cf9974c5b3eb756385048b
SHA256 d87b73a353fe6b77239bf32ec7feef37f7f082c03c6727370864475f4edb96d0
SHA512 ff380d5c2f5a772b637dfdc56dcbab844fe8eb9bf578e9f78393518cf6a73648427c172b25ee2e882e189f94cb2570f7b96a9766f1e204805d767377a4626ac7

C:\Users\Admin\AppData\Local\Temp\QQkG.exe

MD5 0e17805936f10d7534f3bc4abb0c4cbd
SHA1 35a6876c9f0474646dc48e78ff25e527baa39fcf
SHA256 53689100f5979560e5ea5f5de4034eedaef96d5bd125ff635f35005f9360d583
SHA512 e696b43fe991db44381ed8839f76a19485617bb313ecba2dc429238d8b75021f8550c89f810577dd7057489a33419c4024959e330bde8134eac61d38346a1c67

C:\Users\Admin\AppData\Local\Temp\CmYcEcAI.bat

MD5 d6a20682cc74fa22cde4645834cfa7f8
SHA1 cdc0f46a8e60a32b3cd5113026f4fa448da56303
SHA256 9527033952008dfca688b1b135af6813db1d432d448866593929d744097f6d8f
SHA512 7192b82ae7b590f19e661aa6a3a3a15f8682a78475d77951ac84f46a4313b7c3179ff6116584513e6fa005a340f51aebb7cd8fed521c6cb5cdc18e726b45f902

C:\Users\Admin\AppData\Local\Temp\gIoy.exe

MD5 4b25c24534f8fd992fda43bcd918f2fe
SHA1 df156e234651302ef78d48923d28b8cb0b6d3aaf
SHA256 ea26e4030581cc2c68c5a37d4682f57bd073642290b96f2997b98d116618bb63
SHA512 328eda95cdd2e20e3138200bcc99176d18df986d2c4fe775102bd6bb97a929fdb2b6c5f96a1fcab797b0669fc2396b54e999bbc7c9ab3bd53577805dbdc90fc4

memory/2548-909-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2724-908-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2724-907-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kIsc.exe

MD5 ef104581b2c2dd77fcbc23e2b297f51b
SHA1 29352853171afb30e88c24fd7a1b0e9e8ec0e2c6
SHA256 7e54969653d9ce4ead7daa390bf0161172fdb6f5ad55d82a83fdb9495c65e1d4
SHA512 e6d72bf32539ddcf16274c72e7a7e9cd5189e96f5a90001efcf0ff7ab1a9f4ceac65c05217bf395fdca726acece69960e2891172a51a23a34a925434a6d4bc5f

memory/2276-932-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\woMa.exe

MD5 10414192e7cf681ee69262a610989b67
SHA1 b57e7a79c7cc043de92d5cd35dc4d47c295b6265
SHA256 5e1b288994f00a14fee01c803322234b22bdd607042464c04b45ec0d5156e2bc
SHA512 ab8f31fd643b2487dfc3a8229ea7423656698f0ee1c03f71ed4352808910a980919d55bf46bd8e794b4aab2c87c79be713ea14a64b6de98b77dd42946fd6e16b

C:\Users\Admin\AppData\Local\Temp\McQc.exe

MD5 3026486119f600d9809c0cb6ceaa520b
SHA1 73eb7e5a48cc2dcb89cb134c7318389d349bab2b
SHA256 bc4b51b8e7751c92dd8099911cb5701e9c1d287ad3ffcc6fa352941ec73d2d81
SHA512 c8fffa49b5dd6808466950f86c4e8a21dc0aaf9a4aee8d02e292b9744668f51e2ed0d1b4fcf6a3e37186cce9bebdac9349f449fdb94b4702ea84504ff25fa164

C:\Users\Admin\AppData\Local\Temp\WUcA.exe

MD5 63d0df5e4e4f6346e0523f72d5438512
SHA1 cf9298dcb24d838d94bc2ad4fe0668ef9d670ebc
SHA256 ad5e27c8f8082b5f8326d22a694424aa81368178f4bdab2311b9b0d44a2729ff
SHA512 8f3030591fa5fa406adfbfb760344733754417a9b030ec32b28f4ce8ccd162614f96b2940cae4895d1ba6a260b9ba0ecea0ab84220d4370ed09c6d2177973eb7

C:\Users\Admin\AppData\Local\Temp\AIAA.exe

MD5 026f6626ec79592c7913b15ca724ac46
SHA1 3654ad002b1e22cdb625ea36233b53cdf69bf18d
SHA256 d0ad2c08cb074d6c8e7439246d0b24bf9647d05d8880c719f6f1f55e3e3a999d
SHA512 52567135078be9dc977d08a4ac0c79f95fe0344a2cb317910804bdad8c0250cefeada8e2742c800c35302423849811f7c6d5beed9e58ddff6676445da98a0714

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 a521bb1f53a7142e1526950eff6bbf22
SHA1 b3bab55ff1f96748eb9d4bea0e22ce4e544cb463
SHA256 1babaf2f2f6211c5b943aff8de9290dbd61457991ce0ff91318dc7ad69b5fd90
SHA512 c406469fcb085d938c716ef618a9d755fcbb5bbeace8cf592b6b413e986b5c24ad19021c7ff4220492319070075b13787062a54bb9ddfea5410bcdd0e7ec5fbe

C:\Users\Admin\AppData\Local\Temp\esAe.exe

MD5 20c16742125b1cecc9c038e6c6e7f705
SHA1 6c6413d8da0d98cfe8491f789abd89cf0fabaca0
SHA256 fb886fd2e9c1ee032fa793c93a2a58a04110c4eb93a950a2722162ee92c2a5e8
SHA512 15dfaf38f172d104fd2ea90bc8343bfe8d598be6f77fcabb6d7748b63cc201000ffb61472720914a7029c795de05fd325af69a62f533180e0ed86cc0b4a7bbd7

C:\Users\Admin\AppData\Local\Temp\GkYG.exe

MD5 2a71aeedfdc2fb78e83048b640dca2d4
SHA1 216a85a2444fd9da904ab573e85b9c5f06802bf1
SHA256 ab05c4227821e4e0c75406009f26e9de21bd7c7117daaa79d07a29a61451ddbf
SHA512 db17075a95bcbda8a033f9592f2472070253698d5ce23bb5a6d40e158a53709febf01641b7e524b3c01ec809669f0e0480e2cdc75a4f99179d01d0a1dea5bde7

C:\Users\Admin\AppData\Local\Temp\PYYIQUkE.bat

MD5 f358571f34aca6b98d3ca2fd5ee4ffe5
SHA1 ed11af971439f143f332eb2cad6326d451bc3c4d
SHA256 955404e5f928787ab075de76110a74b77acddc54af301dae78cafa4fa53dfd9e
SHA512 170861597f49de1643327efeb64e5214f0c75be6f613a4a316df2ab47c35902b14a800e4c172520d26274066eea0aa94a766ef8ad2fa9a3abcdf26a4077f8bec

C:\Users\Admin\AppData\Local\Temp\Egoq.exe

MD5 8af8d38df2fad302c7b4153dcbb5e9b5
SHA1 f432f85a7ea12a0d2a2779d5d2770da42f90b27b
SHA256 ff568e2565e96dc970bbef30246c9683cf6708a82515c3188a614d87a8d5a2ae
SHA512 b1bf3e3fe4bdbd74f85acbc89e8d44753982d186261c6a2d85866dbc96ea1ad8da72c08ea1ac4e0d0b2d2e810997f6743ed7b5ac9ac029bb0b4115d16238b520

memory/2536-1059-0x0000000000400000-0x000000000042A000-memory.dmp

memory/880-1058-0x00000000004F0000-0x000000000051A000-memory.dmp

memory/880-1057-0x00000000004F0000-0x000000000051A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eAsu.exe

MD5 b7acdd0eabbafe555b6c166a0d600d1c
SHA1 eaf479f0054f69a644c2871e78a821b37bc43465
SHA256 4fd8df45966cbfa050550d4762b7982701f68ca7285bd8f00385631d2474ac4f
SHA512 8363589f29f09a6e4ae647b3f3134b0474aecc88bc1e21cddb9121404f18b512ad51b3fa913bb8f89fc76ae0a3ae17d69a48ff499a461bbc3878ed84ef692888

memory/2548-1081-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mYQY.exe

MD5 bcc638ea78fbcb5deb11e2c4117c26be
SHA1 763beea75be2fd4627502e08c5296748356560a0
SHA256 44e1633ba46db5eec0f7c18fbf06b78507f50feee1e16575e31242d107eb0ef8
SHA512 2b9dafda822c651548b1bdefbad7e70312f16dfa2ca03d046178583c19bc6fbfdb1d20c427d3396de8ac1890695dbc0ef52c851543d4059ca4e4b83f64960b01

C:\Users\Admin\AppData\Local\Temp\UkkG.exe

MD5 b7ed71d9ee775232871d4ce8a63645e3
SHA1 3ef65a83a361fbaaf81e495202f222e25380a511
SHA256 43a847d1311b9b715207c8dd478b92adc5b89a7f3637fdc04a5dab422b180313
SHA512 49b5388d6fd81feb450876e35aa642e20ce2e7cff4926d4c89631004ac1821a9b969fd6daa75ed11c8a2a1f75ca0bd72a31b6e2e21ed54e47d95bb3e68a6e1be

C:\Users\Admin\AppData\Local\Temp\ecUU.exe

MD5 73212cafaf0f187bf404b4c2231799d4
SHA1 2fbf3acf9c7073b6d013112332d76601564991b5
SHA256 f25ab576a10d290c039f5abc4f252483857d883152764bc406afa2704426de61
SHA512 676539e11a2b905613a944a51702574d16b45dc56f331e6d0e67de28058aabb72b2b371e651215e000de63b9b322cf6face00f87ff354144e28dc727258ad328

C:\Users\Admin\AppData\Local\Temp\qYEa.exe

MD5 2aaa83b247522366195b56538c712d15
SHA1 8ce7562f4b190b2a599941b85465806ae601c48b
SHA256 2d0c4c9c22b86c70c92611828a15db9eba4c73f70b51cca22ae24a8da78d01b1
SHA512 74de9055106d2ebbe86f2905c7b2446485d83f228a0f3a0bf00ef2bd83fb9f6a1ae6b4734800a36cdae10c1db1f21ebc977d56c456f2db6d9f53409f307dae72

C:\Users\Admin\AppData\Local\Temp\vucUgowA.bat

MD5 34df2bd7af04132389cbf64b29ed8bc9
SHA1 9e3766e521205b810a0e28380f98f63070742aee
SHA256 d9d64871c91f774f0b684ff96c0ddb8296cceabe2d653a3cd34703653853fc36
SHA512 6566b8d87eb6779ccd762220fac10cc864353b0a509db85fbe367cdd252b6aeb15ef166e9a033916763d063d7d18d6efb24de855ea920be47440985913326ae0

C:\Users\Admin\AppData\Local\Temp\ewoE.exe

MD5 741f310efe7d22c9420798a4f1b02107
SHA1 267855165239d0be2d90082970ec5b69453ef5fb
SHA256 f759a65e26395361ae16360a99b96c161077ea81c4500d13905a8b49249d9264
SHA512 94370946c8050f2c53b491a3cbb553bc8af7e800f5a7546a61c6eb6dea818d50474c1b44aef801af10277ee4c324a1ed3345e55e335299329a7f803566901ed9

memory/2852-1143-0x00000000001A0000-0x00000000001CA000-memory.dmp

memory/2536-1165-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IMcE.exe

MD5 036eb3b41f3e00d23f34ea7912810897
SHA1 7af6acb889da70b8e4733b3f94f6da142f8d852a
SHA256 50a0bfc7ae3935dd6722c9ad17cbbb8733b208ef9f7bcd6bb1145f68f505b9a7
SHA512 cda40fceeeb5c6a7865109247d8a573e0b0a57b029a72a35016e71a1f9277e9ed1603b74bab934571173f74c0779283eee095dfdd7dc7e55e9d2d3b6d8d70b91

C:\Users\Admin\AppData\Local\Temp\mIgs.exe

MD5 5c8f158f7f51d1e7dca9861f43471e72
SHA1 f7edd15428ec6548f483b75f5725f6b8dca7cc44
SHA256 975b88c2e4aea808c7e15edb5e3ea39cd0aed213e28196bfca717354640ac5a4
SHA512 9ba52c5547f9a7f85983ffb50d615e9d9fb2469781d895366463d2d1737e4f82e1501a8916bb7ec9bbe2648bc017e7d1a530c0550293876c46babc61cd5c29df

C:\Users\Admin\AppData\Local\Temp\SgUs.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\qQUc.exe

MD5 41413ed0448bab2d7e37740e9e791338
SHA1 8e4ec22430cef731b18984f132e6f87a24afcb10
SHA256 800a5690c001075db25929bcb306571c2878c16ca7f834cc659087423519337c
SHA512 35dd94a780950f8499b1241176f605fb7becf62492d877b5ded97dd9c2ef86cc20bb736d3b38320b0b71fc7fab3058659f8d44fdbc9306564cea8a0b925d628a

C:\Users\Admin\AppData\Local\Temp\LGsYwoUo.bat

MD5 cc175da36a0367887eeb3bd62c2152e7
SHA1 f132951c7f59bb0798453430ed22b9fe285dd792
SHA256 2c8542dc459b69118928a2e01169d869f57f0f9b229af80af5e94536a526bda5
SHA512 f9d32e6ee5860de1244b3dd49df192e7f6c2c5255d65b4b86ab8e27f5b04b13e28833322fe4d12a98f649c4a2da29a0757e3f7ec609335ae4ca61496e1272757

C:\Users\Admin\AppData\Local\Temp\kkka.exe

MD5 681349064b2ec4ce2cf388c1bf87d7c4
SHA1 b59e6009797d5a27edb21dc42f8901daec4b4ee5
SHA256 b67642294ff3b16d94aa9fd936d870fe8c50731d83e667b709cbc9951645557e
SHA512 f905c45bc3772b2732e183b252c22471f4b10da08333e5c4ccb5a71dd08144a9d093cd74f9f9f69646234e739e4b20bf583fa27213b0a8a4764b1b4eee0f96f2

C:\Users\Admin\AppData\Local\Temp\MIUu.exe

MD5 faa96e3e0014a90ff2561dd33f9b4bbd
SHA1 f948fb2c8b17812a392c991d0fca68e87e536359
SHA256 ae547abd1babd3e799fd1ac7bf93096de637e6059779e8dcfe1a058fd587e5d9
SHA512 5774bc2d3021bad07ee97172f3dcaae211f40a7122bcf90c7b0bd02b95f3be2af43dc5d9dc18868c8a4996548bec43eec95f1179dbb838559047b06f8abdaf17

memory/3016-1248-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2920-1250-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1868-1249-0x00000000000F0000-0x000000000011A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sEAU.exe

MD5 b192daf57cd3afb0ba53956682ca0167
SHA1 3f14794805104793cf71c4c748b41b34db5c6f5f
SHA256 64febfcafb94329a53c591902f375e9fbe8fa48170689638fb2723fe381a9d77
SHA512 4119ab321ad2bb0e280e76852beda9c8d10d81c86eb43ba2eb0987342c0670f4a8b33e145391256177e48d182ef85fd742b7dd428bcab179cefd205045a547ab

C:\Users\Admin\AppData\Local\Temp\wkMa.exe

MD5 680fba4b460ca154ae923dba54dc32cd
SHA1 6586e488cdb0d6783cad2db3350d3c7511b00bf8
SHA256 5590269509990a15b9467a93bb6f7f1ae16d2ddc2ebbbbb3e71c71fdc4dc0b12
SHA512 88a649fbfcde7c1f807fe85e0c7f7ca04817fd970b57b0350e8b2d32d5fa6fb07cd48f7a97055b00ba9e8eb6639a926c6364be052897451378d9fd1272114fae

C:\Users\Admin\AppData\Local\Temp\UMki.exe

MD5 d9e90c48769bd68ab97ff37aa76b3ae3
SHA1 7cb5d7ebf0af08c273266bdf9b095614ee9fbe92
SHA256 7b2f74c5638403726461d09a44e93e713aed7483eee989b2d581f15f7ee8dc24
SHA512 173644b6ebf2196ca0ad21a3ab7b2f744db861b1becb55978467fe79e783cc7909caaf730edea53efe2aa6c1cbd0c756dbb91253ee09f9de509656afd0c4bdba

C:\Users\Admin\AppData\Local\Temp\HEgckoIk.bat

MD5 ae886cceba02d3b3f362d8cd05164fed
SHA1 05e807069c3b96d931283fe4ad342eb785bc8b40
SHA256 790d657171b4f913f328eb73bb087f99443cfbf4989e69370fe64459bfe6767d
SHA512 4c8d334ae9a11041ff3416a4a35fc31cf5e1e4da334ac5f2b9009a0d68e836e5bb7e32c7eb4d2ef9add063b5e3134ca3045f03136bdcbf5c1f0718f2e5dec16c

C:\Users\Admin\AppData\Local\Temp\YEgW.exe

MD5 f54e66967bd6d1d2b2216f809c42743d
SHA1 ce3f1f346896392add644c277e0c7bdcc3aaef8c
SHA256 4d3ac14a35baa72490b636f5c553042234ccca9281e47b6d6cf41e4284ae1295
SHA512 3ed3666f283ec77cb61d7edef64f9a51d048aaa5876b089d435afbd65754f7188a03a59b9fdfcea4a5d17fb7002a038752b081f87caa6c848e9ee9e495c574e3

memory/2548-1321-0x0000000000160000-0x000000000018A000-memory.dmp

memory/1704-1323-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AIAY.exe

MD5 eda8fd8c7d10abcf8da3bc7bd9bf2fbf
SHA1 700afdd8ed06f029f4f2643ec33d80aeeb769f2c
SHA256 d4056efcacbde315fc6c6cc5da244b0bff33625f21d4647676a0f143b03aa1e8
SHA512 5e6821191585756555e2c0d79199cc5d217430499f18c8041ef1937b2d65ceaf9500a1db3a98ee3c2ac6634c89ff3f90f21e605f526abf8d6ee42f36d68f5ada

C:\Users\Admin\Documents\DebugCompare.xls.exe

MD5 9b62fa7b83869a41a82f267c425db50e
SHA1 79860cdc0348b0725d79b369dfd8ceabaf68ee3f
SHA256 754ed431fe7195f5e111b07ffb90175acd35fe3bdb8aabd2bf44d729e63ef080
SHA512 cd16b77b7cd53bd0a7459644b85011c1d75cd28687f2973d509f2fc6acefe0f00278a79667fc6983fb7cdbad85b8e78f56cf9aad84b6bf09143fa5fa9917385b

memory/2548-1322-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2920-1320-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MYYo.exe

MD5 7ccde7db9f611194741062c7b0a5d229
SHA1 d33a946902907885c3b82a808a332136033a6bb4
SHA256 16f7823f7b45d65590352dc1ef77f5ee7e06d7352be29c1b62c10cf111fd6981
SHA512 21909d24d36442fc2e95efd99051e68d91de0939c1970563b953fddb856edf86394947274bfd1e80099aca949e1c10eb8d0111419e96849d993657c5c591d4c0

C:\Users\Admin\AppData\Local\Temp\cwYa.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\MsEC.exe

MD5 7cf90f81e00b66a5934f912a321a8557
SHA1 13503d5258246c5226dfc55c6cbaf7dc1d178457
SHA256 3960ca16453f440270b294f25540bf445687ac741ecd0a03e10cf8e26e38620a
SHA512 57cc6cd1cad1e5bdf8e71555a44b70cc8723b061de2c1789ff82229bb91db436b18d5a0e955324dbce06ebc9ae8e4f13db447fd9bf796cd252842cb02c4d0873

C:\Users\Admin\AppData\Local\Temp\SkAs.ico

MD5 68eff758b02205fd81fa05edd176d441
SHA1 f17593c1cdd859301cea25274ebf8e97adf310e2
SHA256 37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5
SHA512 d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a

C:\Users\Admin\AppData\Local\Temp\UgUY.exe

MD5 33e96af715d792c252eec2ac8b8adad1
SHA1 a48537b0ac603d0db805763bf85ec0e9b2b29b50
SHA256 4824a1fd53e0c03908ad6d791849fa9554767b1924121f9d03336e0c59bc314b
SHA512 fa636db4c4cae0edf7ddfc6a42433cfc4e2ab419702e795a71662203e1ccba21366dfbe365b225d578e32390f85f68add4ca66bdaa660205874ac0faa75b0fb3

C:\Users\Admin\AppData\Local\Temp\SwEcMsMg.bat

MD5 9ecb53f9c5a5d20b4c55021a4dff0d35
SHA1 62e0862fe247cc75c94951221adb3ca09898edfa
SHA256 6a0d43349e9f6eff228a7d85637ef725fe28786db8ba2c9c80a599cbbf386972
SHA512 31593cc3aaa28c9b1ac568b904a59b609a004da8acc7624399c04c3a1c8330e35cc4f76bfdfbfb8d0919f19c1e88e7821c7c73645aad0b0fc86d950a08d10bb3

C:\Users\Admin\AppData\Local\Temp\UUsG.exe

MD5 1c7c23fe8be46e746c99ae570b96fbd0
SHA1 8fd0c0ea04d8f32a5851524403288be310c0bc71
SHA256 33de413b8e64d732270673789c84cc47b500cecd9eb849034af8853d844aba35
SHA512 8ef926a74eae4193a6e30157f6b2ce2b1cdf83a936824900d3f2fe8685f2ab44667c6d2aca4cc6b66742f82614bde77e2c3bf7ba41ec070ff298d12b97db058b

memory/824-1413-0x0000000000400000-0x000000000042A000-memory.dmp

memory/520-1412-0x0000000000400000-0x000000000042A000-memory.dmp

memory/520-1411-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2864-1435-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cQoi.exe

MD5 192f776a876ff20b2c2eb248611879de
SHA1 517f3d92508deab082dfc221b3f6fba4fb0fa84a
SHA256 b37c72ba619a6d460ecd68e1184267f836f4afe14287db033e0ab6dfbaed973c
SHA512 6b08fd386b7c786ce3e91400df7de586dbf9604b492a6c4eaadc0bbcaa9de314d5fff77162d59d029cce20c1163d0ade787ed0885df1b035f8633eb414212a5a

C:\Users\Admin\AppData\Local\Temp\oUgu.exe

MD5 4b3b71fde5063a15ad91dc312b13474a
SHA1 29506dddc16e475ff26b12b2f439c8fa7b6dd168
SHA256 f5463424df4aa2ec1cbf3f22ce3ec5a3acf8828fe9c9d0d14a1c82545bd9a4e7
SHA512 1aa5407e301ac2c60eb064097d02c8ee26da4629c2c8a5308b8a40dfabad7febb45546a31845155b93cacbf4d4badceb5c51f35c763903779d96c4685baf85a3

C:\Users\Admin\AppData\Local\Temp\UUIy.exe

MD5 7d96d7ded0455665ce3a3c6e6549fe6b
SHA1 6bdc1127804f8997e193e192072c110438245871
SHA256 1a4d37f998322ea7dd9a8d7113c72752b103e5010a4bd0e3375dda1b3528c5e7
SHA512 1b2a6b5cb11fa0fa4f9e93d0b2b1121e1005fe52cd5982337a2b1cc4e2fb1313be4fe45e7f89ea7741086adf0184a257497788ce1e53fc5c7b937737b5e60f09

C:\Users\Admin\AppData\Local\Temp\WowYEccs.bat

MD5 02d19ea7614c1164a4384de228ad4003
SHA1 447978b3616d2802b738bc3d1a3ba9db4970a836
SHA256 1cc965c10b6bd680503af9d91651090413b8b28565a36594105cf9e60fbd5deb
SHA512 386d36bf39fa380e7967f1d7eb3edd5cdb4d74be61a6e0f4c9be7afb5e95fd8fe73b00807ac5586939bbb805a5018bd1641559812b367956b4a8ec7e75be2844

C:\Users\Admin\AppData\Local\Temp\cgEq.exe

MD5 306c98bd2dd8dbc8d5e62206e64dd1b4
SHA1 e7efffebfa84cf6c34c2e76dcf3a0e783241bdf3
SHA256 ab27a8ec1bb59083ccd57745a5dd973dc4f550157e031e52db36d3761a6ab0a6
SHA512 3ebd919d1a1d0111a468bd9bd891a82de3c1dc4067b775cf3aa095f101cd24bb53f5551131ba3c351377b5d28f4eccfd3c35f8c6a8b1f4cdd52c325ea119e9a9

memory/2372-1487-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2696-1486-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2520-1485-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2696-1484-0x0000000000120000-0x000000000014A000-memory.dmp

memory/824-1499-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mYoK.exe

MD5 023df06a170ec3f876aca8b0b6cb8085
SHA1 2d65155dab4c1e786dd3456c207e5e87f9170a86
SHA256 dbcb1a11b5f1a38781025f5876bb18d4a77a422cc804f7027f6f7c1f01503d19
SHA512 812de70a7b8bcdf35dc0861f0542b3f91441f780c9f28a30523ae688ccaae9922079f2d9a3b300b5240e39323275d5bb3cd73732a0f748119cdb756175a4b7ce

C:\Users\Admin\AppData\Local\Temp\igoc.exe

MD5 9088a5a6656439bc9637df09e1cc88e0
SHA1 ecac3331dcf95834a4d1b4aa9544ea17dac95db4
SHA256 04ccce3075595a295bf8f0e3b737e5dc6967ac276e036e566c14a751b2ebc89a
SHA512 b32e6fd97131debd6981a5ba7799cdeab19e5106820ce48f4d1f482a6a55ae68d5ee9267ca4d734ecf027112d33b8efa5f247c79dc81533de110ef4f9d35cfb1

C:\Users\Admin\AppData\Local\Temp\wIES.exe

MD5 1800fccb5b5b39049f519f357e3c8bd3
SHA1 67af0b662dae2e49ea37904664fb44dfd0982b75
SHA256 eea43a929e9cd36cd22df17c8f47d3f389dbac198871e7d07e781a9ca1400679
SHA512 2a367b36c5e7e17c55cbd09a00eab5f3ba37abe2671ba22e8671fed2d246bebe63c6611625e0de3c526a810f2fa282248d8e71254f84f9726a1a5b8186a8839b

C:\Users\Admin\AppData\Local\Temp\gggi.exe

MD5 614e198d811fe1e47134f83e5e5161b7
SHA1 de94cbb912ba3ee7ae0ee613c1df57643f9c261d
SHA256 0cdc1e65960cb92332786d4e03e02ae9ee417f1e92d94292468517dea9bf5cee
SHA512 f461509deba0c116469fcab84a4bf91981f9a716a28e5b2d306538f8ffd3f46c01069a876e8113a695ef60d0cdca1ad4eaef2f615097aeb138bde12bd11b984f

C:\Users\Admin\AppData\Local\Temp\oCEwgkMw.bat

MD5 a51e3df5449f60d26ecaa5ea833f630e
SHA1 e755f6fbf6309072f8bc7aac0b38c693485f9b3c
SHA256 a0a8925e729a7e869c806f3b6d0aa725da2e77ebc9df160848529dfbf440da21
SHA512 022ff6b0da65a513ed8286b4c8cd587a87a3d8fb71cf5a268d704d694be79fb89b7574aceaa26760702e9209a6059409638df87615bd3792eb073a92fcf75bf8

C:\Users\Admin\AppData\Local\Temp\kkoo.exe

MD5 6070933a4d0d395b263a649e89662048
SHA1 4525549a01d72371e351cbf27e98ddeb05ffe4aa
SHA256 647cb55b958630312248d15ed92c241204beda446050ad70825ddecb59fbd20a
SHA512 9b1cf03c69a88520cd5ae090a867a924410c03a541323b37c840a46fd4d39b007d250c6c80a899e180593c8e0b0e12ef7483b4e2e4f0c412bf702d36bf643520

memory/576-1586-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OAMK.exe

MD5 bb995863ce98c9e75eee9fe4f41090fc
SHA1 137589e27604cc2a69b3846da15fb780e13f2a88
SHA256 1b29a6445593c8bdc1e63d3975aaf2708f1fc7c10dd9bfb2e81ce34f8ed8d714
SHA512 fb605986bee07e798e27bc6bd04ea58107c32d5a26c5d826e9c55b6f1e9db852ddb18e47b2640798ca81816bb66a27c630531aa615f1a8757d671eb650b15a29

memory/2372-1601-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awsQ.exe

MD5 6e5afbf115ef76a96b9e4f995af85c31
SHA1 f08cb910d26968032e0065dedaa342daf528d5bc
SHA256 858f0b366d25d383b6c3fcbc92a00b8637c76de0d4e9808dabc0c833f3d3089f
SHA512 d15814fd5954acaebe359a11ecfd3631a7acb6e0868df48c6074a6c89383e91ceb7cb3a5523693ecc4f44ec380ed034f58951f7c406ee00f4ac2451e33a65df4

C:\Users\Admin\AppData\Local\Temp\GgAcYwgE.bat

MD5 83c57510d7eadcaf956840d2e44fdad7
SHA1 01a02cb95efc2b5bd7418007ea71d2fb87b21cbe
SHA256 dbb18b2ec378455031bf30914eea95f385561582161f6f93a203028add7e0e29
SHA512 734e51b580b0503816c1550852e6942400ef08caff982c5e2ec5639e0e8e3677d2529e36c262cb4fc1654932d912acafd918a2baeb70894a19f7a31c26af1f57

C:\Users\Admin\AppData\Local\Temp\AkwQ.exe

MD5 b5b78b1628246d6ab45d0f20839fe964
SHA1 28b22fdb2e49d27b8720fc87ff5f90e6e9b19909
SHA256 f02a59ea3d7273029cd8c66e97e0b49a79d1fcb9ca8e5626ac300e18620d762b
SHA512 9a6c4d0dd4df4069d7cd832be95d09bc376a26dc65e24076903f5ccc4e7d90ab0e29aaa1b7ca12988a744557f44ef2fe3130f7c9e36c4b3bedd2e013fdc6b97d

memory/1788-1653-0x00000000001F0000-0x000000000021A000-memory.dmp

memory/540-1665-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kcca.exe

MD5 86ca0709e1253382f4448ed83a16062d
SHA1 a0c0655af907e840c27147334da0e1c6f64e2c29
SHA256 9eb05026fa0b418bb23997c6c15540f372b166dba59161d33af9de9237bb30c2
SHA512 ca65f4be5a97f55a43fb697e4be1aa6e9cb0611fc40493d5d32ec0f06612362c2dfb460eb7970e1d6bdb4bade51643bcaf8f96cd106d5cd8ce6d7305d6b3b40e

C:\Users\Admin\AppData\Local\Temp\Gcwo.exe

MD5 79b7085a6e22432fb102ed2a80901d53
SHA1 bf698aca926326a343ea87e08d6ec0db413ee107
SHA256 69ec17f6721094483c29db1bf61fdd49b6b4ac26cb1fd2b129c4a1c7eb2930ee
SHA512 dba20a05b1b47697205c4c6a1ab4dec8a0fbd88258e15a528201029bdb6f220e518ac989840b6fb81354ef1d3731c20cc86a1d7627faec2ecf77d2a779f1b56e

C:\Users\Admin\AppData\Local\Temp\sMQwoogw.bat

MD5 866371fd995e27e05ec1722979f831ca
SHA1 2be4276342bc91a0de46479482701a35ba45bc18
SHA256 d10456d66afe16eb3416be344c1d1b8efc3dc268cdc84cf387e7f6ac14143acc
SHA512 172de533668b5a09add327074fc1fc6364013f65721353c2cb38f1e1960aef693a06ec24a9f3839dd3fb330ac9dfd9188d425eb8fba75e8ea11a69439e6817f6

memory/3004-1708-0x00000000000F0000-0x000000000011A000-memory.dmp

memory/3004-1707-0x00000000000F0000-0x000000000011A000-memory.dmp

memory/2268-1717-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEIc.exe

MD5 cd18b253223dfa852f2d4bf2f86826b5
SHA1 3a52b0c0c7c187d8a16d002c5ff25372e7e03f71
SHA256 7fd3ded795ec983c35e30b8c827308504eb0405c45619070ee9de080a01355e7
SHA512 94f665460bbf1f5471ed1cb3e377458e178ccb3c6b4f22ff3667a9549e850c001ff59aa0a704f2af09ad902043322e545ca7455aaf580ddb2e06c976007a6f92

C:\Users\Admin\AppData\Local\Temp\CAIg.exe

MD5 9813c0bb9d2c1f280b5652534b35e427
SHA1 f14c80413a069ac306c476f27f79474315d5db64
SHA256 3fbabcd9fa64b0ff206a60fe062f3c284427c7b98f90302337fa06b5e09860dd
SHA512 9d1780b716477d93c3a46a342130d1cfed7d585ac8fe334372f0540af85e7b04d511c493b45fa4e211795f72f8efdb14e3bfcc995e289208e71efb7521017b77

C:\Users\Admin\AppData\Local\Temp\bGUgMEsE.bat

MD5 3ea6f13eee0a89302ebc7091e44de01b
SHA1 61d666956e20296688f272fd19f9bcc45804749a
SHA256 52bc3755834cc659fb56965f513d6d241bf05ed79f9741b7b3a8416319191025
SHA512 33ac029d681fb52ba50f8a983073af219d2a46c26f4eab19dce8fe2ca9af2986ddd826c1877860d897d8ee06e2ec4491f9149a3aa778487a19cd49e246d6e80d

memory/3004-1783-0x0000000077A60000-0x0000000077B5A000-memory.dmp

memory/3004-1782-0x0000000077B60000-0x0000000077C7F000-memory.dmp

memory/1032-1784-0x0000000000400000-0x000000000042A000-memory.dmp

memory/328-1781-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gUMg.exe

MD5 593249a80730a1273d402bd9616b1459
SHA1 1727d85ab387aa7cff681cef089d765b9db0a2c1
SHA256 f226f3f6cb96539e58548af872753c3c35ec283c7d2700a9a407afe87919ed9f
SHA512 08817da5e6fda82128b3a1eb92a5a27481ed1ce169e9872987aa47aa3d56c6f7ca738a31a864b55eade17a218d7683229b6cf9c460e6f0515efed2c7be963379

memory/3012-1764-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aUgA.exe

MD5 7f43fd44a0e468ef7a64092c972fc9f4
SHA1 50ed7db38047dfd5f5a5f6634a8c92bc7367a182
SHA256 1b639acd05ed8e81abb367b93931985a74bd1c920f8b3fd4f360f11622574a8e
SHA512 6b3dc933a36d035daa342384b67a85b6cbbce73834f08176ccd24f17ba3fd0c5b199db8ab582a508d509938ddeb73dbfc4263266dd9aabdd156fbce280595613

C:\Users\Admin\AppData\Local\Temp\raUQQIgU.bat

MD5 9635c84f5b7397699dc1888bb79218ab
SHA1 c276b542b29c13d41df5f78cbe7e6cd7e82856e9
SHA256 2402de43ee2b47e3932e81af206ca1affa54ad85522175940bc3fa146e9fa499
SHA512 3359a088df035b0d00c71a9f433f4d0b971433ec99a625dfb7f9e9e638d1743fdba8cdfec138ff1fe0852e8b2514771f07901f32818201a15e2ff2965a464f46

memory/2772-1815-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2756-1814-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2756-1813-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1032-1837-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YUUw.exe

MD5 cc9b5bc6976731e2f81afb9c375137e8
SHA1 851f7e2a8ed53e9d276fac9ad04c0373446f8402
SHA256 bcbc1bbc253ee631b149ed860122627e24be5046d6d4c3fb1c8d149f3ddef0d0
SHA512 edf94af57feb7a3f850771f03484ac0d97da04da4e62e3f482d078c5770ac3aae4535784be421339c72e37306734788286ec6785415f1e4b186216efbda34fff

C:\Users\Admin\AppData\Local\Temp\uwUa.exe

MD5 c4e6c828dd357bf00c87d99b804495ce
SHA1 a05d087463b378d647654a3bd5d12b2dc29b78a4
SHA256 a03f75b6d41ee484aacc408204ae9a8ca6504bd7e95833431e080fc3999b16ed
SHA512 dda0a1c2f4bea7535b2213846c78c19443ff2d4c99cc450c2b6c97610bcca23e00f6d3eb8531f4cf04b83d79b4a1ccd70706147f73a1204557a966c2c20f9461

C:\Users\Admin\AppData\Local\Temp\oEck.exe

MD5 e414817f1dd448d7185496e9b5a39718
SHA1 3b3936e92b9381af59333c99df1d0accc6a07aac
SHA256 9d9701c7a8ff6c038f9fb58b404d31c4c9839e4f27f5654bb0143c296198755c
SHA512 942a6862bfdf21b534f7d235d89a32c6b0e55cdfd162bd09309f4dcb6e4c07a4eb2b26167541a8e3448166c55dc995d91efb4336c00f0566423f87546ebc24f8

C:\Users\Admin\AppData\Local\Temp\DUoEkMwI.bat

MD5 f8e4abbc9a89d47db85686c257698b44
SHA1 f09ddbeb0d7fb1ee7e70328db6656b898b857ab7
SHA256 160d85acb139dbd9554d55888cb4a211ebf58177a15b0c1885325e10b29de53b
SHA512 32bb3ec68da8a52986dc205c77b7ab8d20ae83be55e388c0c89da51fe4492746d277111d68ca9641bc4fc53e2b95ad5dbbfeb16bf42dba4d951b5d090aac7b52

C:\Users\Admin\AppData\Local\Temp\wkkY.exe

MD5 1262737f1ed965178fca334da98d0423
SHA1 950453727436ef2911c1f7837f5b6e20b2036358
SHA256 1f037a2e2ed4625bdeadd78fdb398ab4a7a9300344203aa243c6f08bd8eaf37f
SHA512 ceb3a25560fbff548dd896bf31700eef0fed4280cfe8672cfbd13ea3ccb975da0b7e581759dddcebee7ccf0ec3b9df58ecee08a99afa976fb386f338330daa72

memory/2516-1907-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cgsg.exe

MD5 b53fd0f2ef0483e00af6c0d63f72d879
SHA1 55e240383702f99deb838ca5c02ae2a837978bcd
SHA256 8a7866eac6c6f434a3c9e0de2f3ff3277f4741198e0fe3dabc05ee3c8348c451
SHA512 8f3f214f0380e04dc1b2c0876e656ba5ab25bf99decc5a8f80846038a2552f8c94f4eaf2365e6c3fdfc94d1ccbe5aec6095855e78115ca6ccb7daeff27c1460c

C:\Users\Admin\AppData\Local\Temp\kAAc.exe

MD5 9caa65b7cb36345bc2109801bf69c6e1
SHA1 1826efe71262d836181210f5111e1a44eabc9e57
SHA256 ce459d23265d78074a68f2a593901e0590376030d32484b8388af837a4481395
SHA512 216da91f6c22e883bd82f9e6ec306576a4171ec130b0ef00528a9e8cf61143a0c28ae284ad93eeb66b006f6febeffb8827622f022a6c8f970140a63177de369b

C:\Users\Admin\AppData\Local\Temp\CMoq.exe

MD5 feab99ef6931b232583a1b3d2fff6099
SHA1 3b0f55aa82f12123aed145b55037e70ecb82eab0
SHA256 4aa4151b9b02a8de89f83d0fb151c1aea548ebd0d514b0027c788c7faaacae71
SHA512 11902547b687bde0157043b0b0e34a1430d7b54ca1ca7f8acfa49280c8f4dc0c27c76427071b385463b64130b805ff8d2e2f391314c8a775792cc58ccf5ebe35

C:\Users\Admin\AppData\Local\Temp\tiEkwYwM.bat

MD5 573a65b832ef5e14cbe73a99ebf54173
SHA1 ca120489916e10ceee72f4d9d7a091bf07da9cc6
SHA256 77ab318976251f57a040d32287fe9d161b2bac61c8f9be69208ad8f283ade7d6
SHA512 d2c2caa64e7baf757582759089a661920f7035dd3e1f2228466cb23cdaceeff5cf1d98171086c3ecf8fb1ff9716132ba81fb3df7bc9cbfc3dad33c6fb4e1db01

C:\Users\Admin\AppData\Local\Temp\GwsM.exe

MD5 a953b17556e56cb9cf4444524990381a
SHA1 cf93b3de496d4b34a5a43beaedea43c1240f8926
SHA256 a6059e12c4ef557967b7044ce6fa4a8cb7c70f9c906e50674f0ae2e92d8a1da1
SHA512 23888800960cb260df3303de0e943aa7a2a6e575ac77346dd6dd69cccacaf1dbee1edbe60b61658bef518808fb9a7fa65c049e20d48a4c93e2ceb59a4e0655a2

C:\Users\Admin\AppData\Local\Temp\goYs.exe

MD5 b46db70177a778349bc46dab2606529d
SHA1 de8e209c8f377838788f45ccdaadee835a4e7fe4
SHA256 d850b75554c7d797a38538270aa68b25874ef2b6aad9c19c6df01eb118afee70
SHA512 c7ffe374a1e1de0c058619e1f57e31ccb46c0bf67ad6380b1ab1cf20ab9621b970928da60758ebd7dd65da9f49feb581a0f87c584e1bda77dfeae71fb9ac72d5

C:\Users\Admin\AppData\Local\Temp\ioEs.exe

MD5 5eab16a5d14757642aef7185fdf888f8
SHA1 af2c64d5f20108a30071c6e7917ebaa489e262a7
SHA256 2da3c9a0694f793e73f678ebab10f08bfc2437ecb4c0df6331242f35a9caab44
SHA512 883ae834f49c10d574c196ca0bfa8c53db89e0354e93d1a6ca49ea99ed87be39f7d45cfdece02251c3301c830ce7daab3049455d29da73d00fff4c555070012d

C:\Users\Admin\AppData\Local\Temp\CgMY.exe

MD5 a79b5d446b1eb77033c066a71b59ebc4
SHA1 543e346372c7fb705b9f5af7af82b11a46dbe90c
SHA256 39220366f818d487ef61164dc8e513cd1a8a457ea6193f0da0d64d85099b7812
SHA512 1afbac7b0159bff778394022aaf8e591b55da37e18c6e8deeda7b92678353f13fed807d20a7ea93859d6491e3d4e4124dc81daa7ae044ff06969dbe53d971912

C:\Users\Admin\AppData\Local\Temp\kugggYIc.bat

MD5 1fc90271bf6c78c65bb3df922f13abd4
SHA1 b09290deaf204bc70010ec979cb0444416591627
SHA256 2280ed49503e0cf92f13d16d01cf5195ee26313d5304127cd75ca4df4d36a132
SHA512 ee4bf3b893c1d86a5ccc31175d42fa1beaffdb4bd60377e284ff0652afa7df183cd520a581b3cb06145d8048d846b985854649d8c9cb139121932520b5aa4966

C:\Users\Admin\AppData\Local\Temp\ykww.exe

MD5 891fe832c59ac566c2f0b46e24d8bfea
SHA1 7bfd14bfe5a45c7c93df303f79d53c4cb198e25c
SHA256 9cf6e6bf87531ce07dbc58cee59be2e567db9c17682359ec53e4503ad452ea0d
SHA512 05ac6f1154abefff5a5209b5fe1bac45ebe5f840af4f369eff34517e3ba5ec37ceb5ef385c91a07a120074f1bdb029b61d9726e813e20a238c901fab1b1a9651

C:\Users\Admin\AppData\Local\Temp\egMC.exe

MD5 07e699b7e9ef8f9f5e3652621ea59d72
SHA1 2324580fca38266727b1b7884a77d5595b136b54
SHA256 22da0815ffc589531c8dd659314574f0b4c880d60a4277d82b8eead0dd2558c6
SHA512 02aeed7ecf2e33f14015656e42867b2f09811a61efb7d4f626bcf6143e9530327de6b07e3a8e48fbc9f1b4c34457df0900c09dcf8f55fadfe288c22f842970f6

C:\Users\Admin\AppData\Local\Temp\UAMY.exe

MD5 c9211329e40dc18726a0d767de4c2128
SHA1 254d1a21708fd3111d6a3697a0d6deb50a5529fb
SHA256 b69d92b38b819d46d5c25e702e0c63b29ca4b92d2861daaeb2ece81ef313bd98
SHA512 52c95bcb468210f826a0e759717a109b058439facdb8f555d9ef06052c1af82241aef35a6fc2855bd9a620381d7ae78c408fe4d8f225ce734b5270c2e6211e0e

C:\Users\Admin\AppData\Local\Temp\GSEkEIAo.bat

MD5 865289708dbe9934e87229d87dd25a2b
SHA1 3d6c941735875cb09bf35b9a252e952b6fd85b2c
SHA256 de34497bf1dc03df11ce97a8b75865cc3cfa9f876b52e9198f38acc79a4afdf5
SHA512 5e7777dbfa73b1bf888a8d32135493ceccab6d34e96b1af86aaa9b4dc9541ca85cacef4018dadb84b01e9509c998cd61c592acfea54381257548afd1cf8414f7

C:\Users\Admin\AppData\Local\Temp\eosY.exe

MD5 3185d2fb81dce52af80d9597f90e77a7
SHA1 8cb2bb9c74fd0d8490ed016485c31912630c0daa
SHA256 00b8c3196d1a85578dd0536c99038734937e1b22e4bdee57158381e0b493e351
SHA512 b5606cffd851816770fec332ad0bb4a44eef375ca2a50580df6ca21a0848a48bbaaa8d87fe12424aa90fbdeaf0f0ad5227fb8ffbb6e173bcb43ddca2e5926fbd

C:\Users\Admin\AppData\Local\Temp\WcIC.exe

MD5 7696a3907b27c36a950cab3894224b62
SHA1 8d330b533f9b5d689335306283f03b4f414fbbbe
SHA256 6956f9ccfc105ea083bad0316a181bf2c46d5cd08a9b01ddb487a3af9e6f6308
SHA512 9161fc1704f1c9e5b4603a1ee8b7c2b483aa6a437bee93fc1d19c3b4f8cb77a1e69f72b5dc2de64042014aa564bf38b363df6b340feeea62f1ced012ed5ca174

C:\Users\Admin\AppData\Local\Temp\ueMQEMYo.bat

MD5 8e244b7e01268baf5542786fb86ec896
SHA1 706779fa11ef8aff8dad26e7184221ec5a989419
SHA256 c5d52f05d0bd61736e02e1836af788520104f59bc8dacf73f38d5a77215f4c1a
SHA512 b546e46d99d88ca98fb013dbcdf3d28a581e15c2a6fe687dd6924857154da3b29c9b9ec1ec08d12d441e48f0f6cdeb49410ebdc5951ee3cdf42b025e11cc4fc7

C:\Users\Admin\AppData\Local\Temp\UYYA.exe

MD5 01bff4c6469082f60826064348ac58ab
SHA1 8c6effc21ebfe735d2876c220e93e8400f22a436
SHA256 2544f5c72608b7d11fb952880e3e6590ee2c542643a5bf29c5fc9af7b097a3eb
SHA512 c37682c9007489e865154810a2874dcb85747fcf388c7836b2e2f6a16c9db9e6272e994798a33526e9593a8a8653297a774661371dc18fd474edebafe64a6ea9

C:\Users\Admin\AppData\Local\Temp\mMUy.exe

MD5 4e06f2fa59c573d14f028f3e851ba15a
SHA1 13d3f2db6879730eb507267355f8aec17c908728
SHA256 3d1da00603e74b2a7fad9239d00d7094f00af84e93e0d7a2ace4f1808fa453a1
SHA512 d2414ca9876a444ba57a4279c4167f8c6affd6e45b3f642305d7c1dae4a821853c5a1dcb0e29a7e17afdbc05e62cd44826f2c754f27734013a183f386718279c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 f2ca0be209fc6993995cfab8ad281fe6
SHA1 a86d5a8b91c7ab815321d1e4a9ffa09cf7937c6c
SHA256 d1a9031e5eb8b8ee3e7dc6d1f929c07868be321b2a706623808f5037d004ca5a
SHA512 c5ac1054929411b0b4e2ccf4ce6ef53c835cae570884df340cf770ebd01e0eca2b57eec59c818ab2213f91e97a1d08d387788272a4a77f2ce7ea3c7467406d83

C:\Users\Admin\AppData\Local\Temp\GOoEwIMs.bat

MD5 4e3139d3514f76e4d20a77f2cdf3cda9
SHA1 076db7afe400fc0c27959db4ffbba995175df4df
SHA256 af69845f63848c06ceb2755a54fb8a253d107e7edf1d73b4b1d7fc60f6fbe554
SHA512 b4f6665c9e96bab2a7728d2fde43006b0a161a6132970f08f40682d4175b61499ea2e8dd87ba516f2ff8e68435fff67a2ec8966b06d131f6cef48167c3c74bde

C:\Users\Admin\AppData\Local\Temp\YoIo.exe

MD5 a6d6d14d11bcbe319fd9c8f1a06a2de0
SHA1 f596dac20c1a4acb671880f66de2bbcdf9aada60
SHA256 82dcebe535da4b28551637f599a8e9f00f9ac67539727d856091a2af28fa35ca
SHA512 8fd679d48d4c012c4cff3c7ba626fb96a60e365cc9e1f78bc84863f39b15b60b2d845578c219c7cfd0e6e6f0391be9409ea2d99ba15e52261038324811fd3820

C:\Users\Admin\AppData\Local\Temp\jsIEEMEk.bat

MD5 42a759668360af01a668d700205e1836
SHA1 459df14817e541726d7a769521ae4c8ff52ffd68
SHA256 373a8d508ce3ba36def88b9bc9a8d7024c8f3371a5c86bb3bfc64cce9d7a870e
SHA512 6e305effc4ce344ad26796715bf50095e678812e5159254dd862973375211598ac3f6ac067b19963291f9d2218b1efa6f5d34ab945bb07318e8697e4088aa798

C:\Users\Admin\AppData\Local\Temp\oQUe.exe

MD5 926a483efc7749c807e4889f39ec4407
SHA1 1155a51a6532b092a6dbfee56e64dbe300613fbd
SHA256 46e2653b14708821bcff074b118abe5fe4834117c1929196421ffb2bbd1fb7c3
SHA512 f173202fbcf371e17ead14f7fc678750a5dfdc092276045e6d54483793bd7abdcf2002e7d4164e882991f7966bd33eac9c9e283079040a8f7d9c05ec99be8682

C:\Users\Admin\AppData\Local\Temp\kAIO.exe

MD5 4cfbded314954df68eac8a07dbb92b61
SHA1 9fa403a5e28af5ae2c0124554f67b85527d0d00b
SHA256 5391aaa97125c0649dda2215951a89f9ff134bc573e35ed4504ba0f9415a1e60
SHA512 21f597713d88396f07182a261d131654ace64aabf301e1d0a04133c08a9ee7fd78c01638fc1c9fbb24b92e0429d378dfd90d55d4771e9edc4ff4f0412ee25f01

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 d700054f25f6d1636c3ed9a0801a8dd3
SHA1 fada6c9f5d82c5144b1e36aa001f70ce13898bda
SHA256 a5be13c44ede17dfe494d2789b8d4590d6831756b681f5edcab534788dc0bdca
SHA512 8b10b95b02905b47f38b283c0c0a8ae125bdad05142682593e03f32efec970098147259cb35dfc002b3b5be3ab4d88f74c62647a61676d00466c1a0d1feb0f23

C:\Users\Admin\AppData\Local\Temp\XGwYcAog.bat

MD5 a1284135402c262e886201749decad4e
SHA1 572695dbbb5033ad1c41cf0d68d591c8509e801c
SHA256 deedfd8673d0c2f6d2b83b3046b581587d63171a9ae1ff7270d096dcf1282ac0
SHA512 0068a42337dbb9c54f466c9e007dfe3ddf3f80213ffe88295b558e6e3b8249689aa3b962180ba9c846f0b637f686bfb7a460df8f96d8083509769e380a832235

C:\Users\Admin\AppData\Local\Temp\AcsS.exe

MD5 4dd66ddf1ef9964464353c361e6262f7
SHA1 c86e9605eac1d5ad47dd39255a6dcb38b2f7cb0f
SHA256 00fe6c25f520d69d84c3b25fc5f93ef4880076a2a05e40ef033f3d414beb9b19
SHA512 ba2cb78112907f982cdccf2ed36c092fcd2aab5d03076a3978900824d8610b077a12d8043302e9f03965de5ffe809eb09492574aea137f5b1b9088fd89f8d224

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 43a95cdf0decd8e7ad4206d1468ff05c
SHA1 ff43689ad693d8fa352abcce5471c344317e26b4
SHA256 c8de48d48c4684ffd599f91789c4d14bcb830162f7eaa1848cceeaba6ef82a8c
SHA512 97160176e5b42612066ee3fa4e0205a75fc6d6ddadf62083549d2650804ade9c823575c36bbd51e7e07ddd1e1df90868726f434dce66edfff036b6a65a985ed3

C:\Users\Admin\AppData\Local\Temp\duYEIUQk.bat

MD5 1708e6e722ca809c5fdf8767b1dda523
SHA1 476e4d485ab23c19943dfe87ef153ebac75bf5e4
SHA256 9b820fd05e1fe21805d17fce01419550f82242ec7c90c4097648978439ddea58
SHA512 5913cac22b85d0601fbad29d35c27d310605063b1582cc7b6f4527c1ccd3905bc2e8732e316bde341b68596cae797ed5c43afc05dfbc0765c1dc15c420a41401

C:\Users\Admin\AppData\Local\Temp\OUIy.exe

MD5 db05b971aa247f65c582a62ef45d6030
SHA1 ea03eab3555849b2f9cd668d811c7b371e362d15
SHA256 2427e599a15db663fc991ecca3396dc35a5f56f9894cd3c8f21407a9fb1ae38c
SHA512 51183e88d19cb49b85353e1d68c6058a730214d76da151e92d357a5ffa6fe70ec718949c59b99e28c534b6f0423daf5b793874df341a10034df98dd16c991e90

C:\Users\Admin\AppData\Local\Temp\XmYUkMso.bat

MD5 1f45e43dbe43c07e11ce0af5f3d2a1b8
SHA1 024ec8174dd6a50c396fdf532371bfa398bae5da
SHA256 c8bcdb6344c916896d2b9df26a376c07fe26625bbda5f4d16314468fc7f7306c
SHA512 fdf528d4e92ef78cc224205bc908713a62f87c7cf58ef4bee5161f12ce2f1c4976b49e0307c1b320b970eb37293e7fa7bf404ea4078b77ea9086c8183cc7d01b

C:\Users\Admin\AppData\Local\Temp\LYEoowAY.bat

MD5 99ed57c711f63ce06216df33488f50e9
SHA1 2417541375a1635e1ee3deceb7708b4c6483e72b
SHA256 4ced059b544a175c5893ddac12891b2ec21fc1bdcd6551ab0c4af9ec0f945f8c
SHA512 a69a1df3e7ed59b2b4bee15c27f1384beb541f5e3ee34fb8fbbf2ce611024baa50a64c93a288f8dcf103fd317414d663b217da3cf95addf4cd91b7d8232d5073

C:\Users\Admin\AppData\Local\Temp\YIcG.exe

MD5 699c87342cf045847f049dd570d3f7ff
SHA1 2f748435eed2c1cebe6b512a48bbe30a1177917e
SHA256 addf524780589898e169ce2b51ede1b6695445e42dc7ae74ddfa8e61f941c1b5
SHA512 8c535e187d8b82a2ec35c0a22d0c50a8db0d2ac0c583828acecb699c8bab6c1d3b80cf90d0b77d3739ce0d8ca6acb4936e97af8043dcc08a255658ebc6bfbd24

C:\Users\Admin\AppData\Local\Temp\mYkI.exe

MD5 376bca96f568ba275747557b67700294
SHA1 c20c78d32714cfae82d356ecda884dfbade76acb
SHA256 2b32ca517c3dbe3d1082212a31d2c2299f704010da7a064a7db993276c538c35
SHA512 e5dc8f82b3d47d129f831d06be21b8e4580370023934e36ee949faf3923fb351d2f58a30923315938b9ef8bb3d2b767fd8ca8de72f1907fcc4a7a3ff0efe19e5

C:\Users\Admin\AppData\Local\Temp\Sscq.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\yKQAMwgM.bat

MD5 3da7fd3e52ff06a65428a010dc66f048
SHA1 9c7a33988e9e5073560e1032f4c2266b16aa86f8
SHA256 de06897376d7607ba24d1a88e65228197ccea8dcf89e1ec8371877f73616d348
SHA512 db427976a7cdda698996516a9b5d372853d3661e0db1809e1ce4208d928d881a3d9e34055b01a04d202a2d8b2240aefb62fb34b8f074b14e9efde7d397e1e059

C:\Users\Admin\AppData\Local\Temp\yEwC.exe

MD5 51487dfeedd423742eed0c0b9cbfd07d
SHA1 f0f372baded48c6412ac4138a95f4ca19f75ad40
SHA256 b22807b4d0cad766996dba6a1b49ea944e548c7ea057cf092735e9434bcfa765
SHA512 9bfd25befe5d42e2b24d0ee7c95d91611c4f44f3ea39204229bde8ef62dd0b3b937f81f1aae779f550ac988c90d8b30b54b10ec36bf7fab620255ce959e920bb

C:\Users\Admin\AppData\Local\Temp\aiAAwIwk.bat

MD5 a7d8daa018c4745a6908389ca7f95c5c
SHA1 6c3be2756d0c3316fc50f467d36fad7d4b8f2e6a
SHA256 4a236b9cde009c469ce86d0314673c3b1064cf4c5936a1ca0735f31106c8ff69
SHA512 478d3675f7ca1a1b8f2ab186ba6bd43f9c69e60afcc8d967114bf383c38c212d7624cc04572e6320b980062a43762fc49945e0e1519394d175c90e00300740fb

C:\Users\Admin\AppData\Local\Temp\KccM.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\AosK.exe

MD5 66eb7167995683380c54d467346e4a55
SHA1 8afda71d0756557b6521b533efbc8d10b884d3bb
SHA256 46841a7d55cb5bbcc3cb72692cfc04315ed48f6718fa80403f369d1705dc04fa
SHA512 686d3611eb7a7b8dfdbe6c4ec27970d1237d35947bc444bcb7146197380dfd342323ca51b65fd60bcf39bacba0cfb0e8bff366d3e6526e2de1763de19d321d09

C:\Users\Admin\AppData\Local\Temp\MsUi.exe

MD5 70765a0bbb528679472acd78f91e1d5e
SHA1 938fb8d7899a7304814cb69bef2419a9b9a07eec
SHA256 4fc2108a62a32c383dfdfc3029cfa3952f9171cba2580f7af6830d861e904f61
SHA512 9ec28cfe5d3ed889f263bae47611d0c1d4403b8f53c844fe53002e78037312a12ec55f10679b9402a7d1766ea86b71d75cd8099de292bf3fe69d18262b3448bb

C:\Users\Admin\AppData\Local\Temp\Qwwe.exe

MD5 b3c28b28aeb89d0077df0c610323c060
SHA1 fb199a2181e5791640e8991ed31dda99319ad094
SHA256 e48975b806e6f8e1397fb71ec8aa9ff8a39b46e656b26eb87f2831da77291b33
SHA512 3906512de3bc067214be786f19e3266d90d08743c94469ca4e610fddc12712e283c115171d6d84fc5b88628194e40f427372aafb2d348a72f0280b3b886831fc

C:\Users\Admin\AppData\Local\Temp\CcEa.exe

MD5 26c2680a6a2df4db582a6d2d0f52d7a2
SHA1 aa43931b98f500a6c0e4f265a365ebf78a17ec6d
SHA256 2b322dcf22f94c329c727bb8e35b5c2bfd0481e9fa2285b988b9cc43efcbba40
SHA512 598785f5519549529760536eecc1ad57eabf746b25faab140c21084c0170bc7e3b50423be7957ac22a11e4e2b7f507e49343def7743ae5b6bd370e94cc4fe4fe

C:\Users\Admin\AppData\Local\Temp\YcYE.exe

MD5 0d142ec080500814b554df24cb4b84f0
SHA1 d5c27864d0aa0921fd3131f0fb10b2eaa0da35c7
SHA256 7a9559b4482f332eba41671adbb22dcd847694e9793cbca1841ee25dc7fe0b89
SHA512 fd61e041699f7a340c41c5c92b3ae27e09d2e16052dafd49f302f69d0bbef4df41339b89b3c248673ba88849ae08a4b4d7a0afe74636beec7e066eeb8bb0242b

memory/3004-2627-0x0000000077B60000-0x0000000077C7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcAM.exe

MD5 62a006d51ded3217ace556f0fb7fa9c3
SHA1 fe239222224410d4fa7d874d449afc203dc40ee5
SHA256 29ef88b46026dbbc841cd06dc059e5b45387ddc40f43f4dbc1e58f1d59216de2
SHA512 e24c97e13b3c57856cf5c33f93d800e1044ee3f98aae2321cee44da797f2531c8c190c867080678f158b27cf089ea1b85cd553ca0050dd0abc85ffd2ed7d674e

C:\Users\Admin\AppData\Local\Temp\EcsUkIMc.bat

MD5 7a58268639568b817e8f622eeaee847e
SHA1 73dfc26602513189e8488b56f19bd9a0ec2a02e9
SHA256 0c5b338fa331a00aad447b96d05d1d5021159ccbcfb449bf8cb8de1bc3a3cc8b
SHA512 a73557c2cb8b5ec754faacb28eb2ca6ca9a9f8c29b51a1bbc19ac73cd1670dc92fc949da435a3a92fcf3f073bab57a2dec3e610fd8d4bd74d027dbe4f6c79a5d

C:\Users\Admin\AppData\Local\Temp\YwAa.exe

MD5 2f00c47cc83508642324b76383dd605d
SHA1 9254b69770ba89a3a28f33560afe5a68a6317198
SHA256 f5eff9a1560905632738fae2e057a3d67aab224410452284f6e786f25779e642
SHA512 d9e359975a02295744de780b1999329f600a51f67bfed2a4c1c12b3c3d4085d10f32db41693e92f73f4bab76492aa298892bc111081298476bc0dc706084f74f

C:\Users\Admin\AppData\Local\Temp\wEAc.exe

MD5 215a5c709dcf201b0675f4fbc082e6d4
SHA1 5d8204b2133f8d751324e8008e430dcd422c2b6a
SHA256 3038ecee2385a5605ecee32ee25873fd4b15e4099cf760625c3c29d8d30ca98f
SHA512 f2ee8bf2406291af2135525cdcbbeeb479b732294c8bc8127ccc6008f9a6e18105848da00ccd26027bdae90f7824de75ecdba4f4a1f8df3696bce67bdaf81f0e

C:\Users\Admin\AppData\Local\Temp\csYkscgE.bat

MD5 bac80f51b36bbf287685b74fd6272fd1
SHA1 0fd125145a67c273b3c13110277af029329585e1
SHA256 b2975855ee48328f272b1d0e700f54662d0455b57b4790ab3810e82827af9f04
SHA512 973339720e059629f3a9a99276d79e976e7ec2f048af40c45e4fcafd6d97cb26ae2cda7c0b2e0ee70b69d4d4f2bd3889604e48a71a60523ef08bafe9156a8ea7

C:\Users\Admin\AppData\Local\Temp\ZugYYQoc.bat

MD5 e1559ece564b977baf70a01996e7b08e
SHA1 53fd35e444589d739b91e67b6dbb3a6fca074df4
SHA256 f6ce01de5e1c9941c4c218f8b5f74116c551c17b9f0268d067e50bf5047ba04c
SHA512 4ef341c1bc5eac4212878491e1fb3f8bf79c5fc8281a27209e04d2a249499d8b1bbff06f08a1276ac4d0e39394ab93add787b0c64d88ec70e66339a7886ed324

C:\Users\Admin\AppData\Local\Temp\zwsoQAIw.bat

MD5 8296a19764235e094ee592e2279767c4
SHA1 b0cb31bd9cca0a0244c71cd568ba09f2511c5121
SHA256 5e8d0ad139ff16242831b8262bf83a0a06804a58adda2f3e9799f1a2d339369d
SHA512 b7b0ea7f57e9a51511b9374a46eecc9b2eaeda142d08fe233d15d95d87696bac55792ca497e09efe9108cdce6eeb3a08082a9ecd6cbe2ba09667b1b1c26b7221

C:\Users\Admin\AppData\Local\Temp\vqkUYMAw.bat

MD5 cccc9e4807c80393ac81980fe4e267a3
SHA1 cfc8a3a175a46e28b8b56bb99c8c2588ae3591e8
SHA256 7374f02ea9e1cc3ab85230d5e421d7d1fd14bcfbf78427529c802d595c7b6df6
SHA512 c047870b7e848c185926db071311f7438edad3c64bbf767c6ceee2a4e5568d79159270439e7663ce260aa09a6a5e9edacd0840724bc1b040123f9636d5ec09dd

C:\Users\Admin\AppData\Local\Temp\bokUIcIo.bat

MD5 73d8b8ae68d83468c34dee10f04638ba
SHA1 3aecd0a00ab09378d9a31e66c99b516f4cc225af
SHA256 59f0265c86042167702215ab5844291ba6d84f2ccc9a59b3f718216fe54816b1
SHA512 f181a40f2e1b08ecb1d471104311bb1c84ecea3555e0b20edf9cbf6550fc1270aecc6bb0e24eed49fdb2fc17631b0f71cf035115fad5beb4cab6b3d94dc5f67a

C:\Users\Admin\AppData\Local\Temp\kAoIkQoA.bat

MD5 89291a78b967d1ff9b3b29b58b693d0c
SHA1 23d7ed7412199d05c16ad12fa0c8d0baba7c464f
SHA256 89fac892f2ddad534897a9907f8c7ccb32ea038991e88f746a58286cfca01d35
SHA512 56a3f794e26880a4aef84d951d4a7391c96f77144cda8991a478c6955070fe0921e4b0aa6782c4b5c714a0d9972316c32d7e91f46ab588f3773ea2cc018d6037

C:\Users\Admin\AppData\Local\Temp\uEcswIQc.bat

MD5 7b323230c82e9ea9e11a901e9fd6e75c
SHA1 a13e0ac3eba9c23ec9808fa8aabc5ca1f3119de2
SHA256 b822122a27e5841dc77c526331e7866a6c843782e1a6686e63933c3c911abefc
SHA512 fc1e945dbccd767956d3b5823437d4b7cd870663bf5e4393448c15211034dfb4996a09d481326572a2df0f0880c41365e9ab466f316326a38827fd24b8569ca5

C:\Users\Admin\AppData\Local\Temp\akgAwoUo.bat

MD5 c08dd181cab839c6514ae932093f0f2a
SHA1 b20ecb4819be12f23fd715a1ffd4d10f2b2d7432
SHA256 519707784ec71e9999f4ee7e7ca411ddb1a7ec8ebd80cc6ff5024383626c42f6
SHA512 df977be36624e43feb831608df52cafcbf9dbc59d4acff5ff1c5115c6e2c68106cbc207643ced4c134b1ffeaf6d0b235f4ab69bd54350891f0444fcb10c51a11

C:\Users\Admin\AppData\Local\Temp\kusAoUwY.bat

MD5 34e1ad8cdb556063e4040c477f2c9e2f
SHA1 2f565d8fa5c9301c035efef4d57c03df369fa262
SHA256 413a3f4e2f367b0351e4064c23fb12fa8bb42449ce743780d79b3b105a6a9d5a
SHA512 9dfb2e885f160c838af88fdafd3f0923d64fd33986d40911502caf7c7599c0311bf50f9064b3b7397648b925504b56f7b827c09ed5527dd89859c7c21ba112b8

C:\Users\Admin\AppData\Local\Temp\EkwgYkQQ.bat

MD5 9692ea9cdb36ab8b102398309cc429bd
SHA1 eabd90cc58874935db1e324bff88cff251c8fd07
SHA256 8ea0d62df0ddaaa748b9bfa976a398b198d0477d6db1b2de85b116969536524d
SHA512 af3f52cec291a51cff89f4d42b6ab8e87ad3924d0ab41039653cf19bd5f81eac0a1a9f07f5680f18a7dd9347211082f8e1b178e1f5ffcb458714635c4a308b8d

C:\Users\Admin\AppData\Local\Temp\dSQAkAos.bat

MD5 02629a3dfd48c667fb7e4793de183c71
SHA1 28530d3303e899ac3c06088e654b3e0fa060035d
SHA256 d6814887843ee8f0ea0fa5a0e1f2af3624af25ca7f9c59c170528ecad8eed3de
SHA512 4bd78e629216c49b2480ac70cf50cb2ea157db7e44dea4a991e44e113469beed7c63680565b85ae8102f9fea14b1cc3ca4ca06cce5bc69d746a334c7d2b573b5

C:\Users\Admin\AppData\Local\Temp\dEUwcgcg.bat

MD5 053376338907c1fb71ef4b35e124b7c3
SHA1 3d9e7dbf649304f0137ac7ef86141f9f97c2ff81
SHA256 7758e8077d89503b8c6a16033ab3578f5bc421cab17ee90db3c773d8d5c762e8
SHA512 c6c2c0fec0e68bd9d973e5dbf3e28181a70e611b644aeec4906366abf8be8d01c2c59707cd4cf7392fd5a5573a411e8bc5c16d642c89b1cb5477040a5c9ae685

C:\Users\Admin\AppData\Local\Temp\XYUsYMwE.bat

MD5 58156cdb923ef6fab67eeb27230e6c9e
SHA1 8d5c5af487bb7473d4eeb53e9aedfc38d3c7c78d
SHA256 a8f9becec33b07050ca5865f63704a9a94c652a75c081f701ee004f012618831
SHA512 459b8cf4fe00e850bdb08e551ee49251154274285a16a8d0bf2cac6d505f992d370f8aa54ea2e347cc14984f1291f3eeeb40fdb16ac9f6e6a9754527a90fbf6e

C:\Users\Admin\AppData\Local\Temp\lmUAMAQw.bat

MD5 81d746c98e8410774b0d772a294748ee
SHA1 8f0d676ffd2e71219dd0c7edd3d88814a06a3590
SHA256 d8b4e910539c39d5ea8f54f79b76b2b82d1ef1cc8dea27f278a70e3414bec995
SHA512 52361faa67e30ba15bd69e079d2b0124e8280b3af4817b06435777e484373e88df3f641c6551972d9e1d91bef6db9b50c30dc077e88fd801dcb948d89c80b2de

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:53

Reported

2024-10-26 04:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\zIUYsoYY\NWcMgYco.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWcMgYco.exe = "C:\\Users\\Admin\\zIUYsoYY\\NWcMgYco.exe" C:\Users\Admin\zIUYsoYY\NWcMgYco.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWcMgYco.exe = "C:\\Users\\Admin\\zIUYsoYY\\NWcMgYco.exe" C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuAYkIUQ.exe = "C:\\ProgramData\\ASUQUwog\\iuAYkIUQ.exe" C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuAYkIUQ.exe = "C:\\ProgramData\\ASUQUwog\\iuAYkIUQ.exe" C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A
N/A N/A C:\ProgramData\ASUQUwog\iuAYkIUQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Users\Admin\zIUYsoYY\NWcMgYco.exe
PID 1480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Users\Admin\zIUYsoYY\NWcMgYco.exe
PID 1480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Users\Admin\zIUYsoYY\NWcMgYco.exe
PID 1480 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\ProgramData\ASUQUwog\iuAYkIUQ.exe
PID 1480 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\ProgramData\ASUQUwog\iuAYkIUQ.exe
PID 1480 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\ProgramData\ASUQUwog\iuAYkIUQ.exe
PID 1480 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 3608 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 3608 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 1480 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 440 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 440 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 440 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4344 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2208 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2208 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 4344 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 4344 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4960 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4960 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2240 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 1472 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 1472 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
PID 2240 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

"C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe"

C:\Users\Admin\zIUYsoYY\NWcMgYco.exe

"C:\Users\Admin\zIUYsoYY\NWcMgYco.exe"

C:\ProgramData\ASUQUwog\iuAYkIUQ.exe

"C:\ProgramData\ASUQUwog\iuAYkIUQ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIgEwcsM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOAscUUI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWsEkEEI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pegQUgAc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuMQIgEE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoEoAcgA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuowEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guwYIEAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwogoUUg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSkIksEw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAQIYgsw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgwkgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSQkYYAA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOsQUYwY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAYUEgco.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYoYEks.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIgQgYEs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REgcwoAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQsQUYMY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMkQQIoo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMIcAUoo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCgEsEEo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcEIswgY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmcoIkIg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMMwckwo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekUAcYc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsAYgUsU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaUQcIgk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMoIMgAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQQgskEA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOAAYQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKgIckcY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fisoccwk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMsckIYs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkQYEgkY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMgscMUE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIgwYIoo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqwcUAwE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UegoUgcM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaEccEQg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LssIsMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmkwQIgw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSYcQIEA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EukQkAco.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWYEwIEk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwQUckQI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOMocsAI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGgUAcEc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYEcskIE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQEkcAoc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOYoUAoM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BewkkcoY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkAIcUAI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqYwAosc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmQoEAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGUUUckk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YygIIkYY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SakQQMwE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccQoksEU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqcQQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuksMsMM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaUoAYwI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgoYwcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeUcsUgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEEsAsA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYgUcQMY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsYkEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEkQksoc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSgoMcoY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSoAEAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWQcUcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiQYoYIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEQcQoUY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGAcQMcw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwEsIEQE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgosAMYA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkAsIcMw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIMgQYgk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqMAkMkY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoQQssAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MusgQYcM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMIcQQcs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pccwcsIk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liskcQgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGoIIsss.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEAgMwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcUcAoAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeQEgMQE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciUAMkkw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSAMQowE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUQIswwo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyYcEcYg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUYEAYcg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYsIwUI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McwMwoQE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEkMwkMc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIIQIksY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmcMEgMg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twsEUYsg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOgIgkwU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IecQgoAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIUkQQgs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGQQwUYg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OigYUsgU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGQIIYsA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/1480-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\zIUYsoYY\NWcMgYco.exe

MD5 ae42b24ddeac72799ae7dfa384885d1f
SHA1 cd5729738d49a8037dca3923e97e3cc9493aa151
SHA256 805bf32ce2c5bf8b0986fc6940ce0ce26b79e033565af2e0c65193c186ccdb0a
SHA512 a8bc1c17bfe3d58cd569e2240746f694c18654d79519d02bbdafa9882872d280df3ff92c0c8d062a0a04f9340982940f191fab4d8dca33af01ceedf0254d39a3

memory/2184-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\ASUQUwog\iuAYkIUQ.exe

MD5 69ead4da2bc9f38c4dd5809d8852e0cb
SHA1 7a9273b74827ac6f0b02e669eebd589debe81a52
SHA256 82239b32497c6760f3e038611e5ccbb467ea0d30be9de1ab3d434b175915cd88
SHA512 144428c065f7cd38377c6969bdea14ea2ddb90cca1544064e41dc94ebc73a0b245246073bd2c73a7008c01e33790607838eac43da8d93b3108634539fcfd8995

memory/1468-15-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1480-19-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AIgEwcsM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea

MD5 8850c1f63d9932bb2d8e957ed72d8fdf
SHA1 44271a436bed981ced2c5f3839733bbaa54dc8e3
SHA256 419b5f32629b747ac897aa66acf77ef2320d4f066470d616e21fd248a4a55f29
SHA512 8a33601de5ae88e7dc7aac1325514f68c5e8e40fc7514fa1d1542e78fddeb6612b26a04bd109e40efc36efb591f5bef48693a918219b9e56598677cb26e1978f

memory/4344-30-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2240-41-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4020-52-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4568-60-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3288-64-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4568-75-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3044-83-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-87-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3044-98-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4168-109-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4452-120-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2956-123-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2956-132-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2872-143-0x0000000000400000-0x000000000042A000-memory.dmp

memory/988-154-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2384-165-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3992-176-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4196-187-0x0000000000400000-0x000000000042A000-memory.dmp

memory/408-198-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4344-209-0x0000000000400000-0x000000000042A000-memory.dmp

memory/376-220-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3260-231-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3684-242-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3996-250-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4808-258-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4212-266-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1080-274-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1052-282-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2108-290-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4432-298-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4780-306-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4788-314-0x0000000000400000-0x000000000042A000-memory.dmp

memory/684-315-0x0000000000400000-0x000000000042A000-memory.dmp

memory/684-323-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5040-331-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3348-339-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2444-340-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2444-348-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3076-356-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1300-364-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3404-365-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3404-373-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2712-381-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4052-389-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4884-397-0x0000000000400000-0x000000000042A000-memory.dmp

memory/780-405-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2264-410-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3624-414-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2264-422-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2244-430-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2224-438-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2424-439-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2424-447-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3876-455-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3084-463-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2688-471-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3244-479-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1044-487-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3616-507-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eMUC.exe

MD5 87195fc65b8f902a9e41344f3a6116e4
SHA1 30006918c057bacdb69b23d2e2d652111b344f8e
SHA256 fe6157e3d2493ad9a5d93e9cce1c26d6823c72a0ef00151613934c4131ae57c8
SHA512 65e4ed4c83749c0225f1c0c1afb4dd7b72cb2f2acca8eb4e4896a16256213b277c475af0526779eba533a9611a3e31b08c4fdf34c2f895fe3375ac1e0322d470

memory/3280-511-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3616-519-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IwsA.exe

MD5 e203b7beebfae8940fd39b2eaf1fc890
SHA1 761cef5c17c10deb0cb5063c9dd28e726dd41651
SHA256 bb7ac78858238deadf4cc366024538ce96e79017717148315db13238bd6299bc
SHA512 f6132efd401075cf7630f2ef1afcf095e6eee6bdb12d146a0a7989401f74b34fe1f4e076a1ff61446971be18d40ec4b46f79153d93a444edd96f1a7326168787

C:\Users\Admin\AppData\Local\Temp\Scks.exe

MD5 f3d47baa8f5d519d280561c7982a8137
SHA1 7dd65eb1a8532059806eed2ccf883b6988e5073a
SHA256 29dc457b57a781fd185c3c3e7b1c76a3b1f61e70051ed3e84f1fa7a18cfb5289
SHA512 22cac5245be536f09c286349bf2c855bab2314e9a471fc955f02313d2981b6ea116a210f3284d127870ea3fc05a0ff6236b40760a6196d56820ff13ebb5f08cc

C:\Users\Admin\AppData\Local\Temp\mAYM.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\KUIa.exe

MD5 9a3f7c4b3643f5fcac7064a5fd6f7f73
SHA1 d4967e17aae881ae53cac987d8ad4b32ae4b2a81
SHA256 0fbe4ab1d582d950a4c2a77ca75f73ba674f3523d69642ee3792b23dc23b94a3
SHA512 d881f2a5c420b78e960048c9321ee56ce22728c5b3c514c579347ac587c553a1d8d89120ac7deabf7760942c54315a564c1a96e5ef2ffe21ae8fe479a8346f8b

memory/4680-569-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUEo.exe

MD5 0ad76cddfeb2bfe20c7255977e8aaec8
SHA1 aef3a194f9daea3fd8d9a5fcbc95375694ba34b3
SHA256 d1960378f788c9be932cb2090ebc91354cdc7cbaefb001e7b29c07ef58fdbd5c
SHA512 b4b09de6c5b7be8989747b7f41b18a94261b792ac72a211d45013b25905e14b5c691bfd8e17d68acf794e57cfbb107d3fa500477a05ca8a72ac0f09fd30114ef

C:\Users\Admin\AppData\Local\Temp\WsEa.exe

MD5 d80af8f67d924097342b1241259b370b
SHA1 b0e2d9a5276c1ae27ee38d2130274645b462aa41
SHA256 4f34828e2527828948ac9258af37f4311060cbe6a4faa3266945b2d1ca9dd9aa
SHA512 c41980808fde26d40fcc99ac3e63419f4bf49996884a5ad6c12af57344b118a614d943ee15195a90c7ab83d713ca2d57dc5ef6e0fe23b3466c25aeab57bbdb9e

C:\Users\Admin\AppData\Local\Temp\GMEU.exe

MD5 bfc44fa3f1854218f513b577afdb2f6e
SHA1 dbb2c1428eff378eba600cf1007a2642bea83b74
SHA256 8f21f4bebe825ca4df341a1fbccdac3ad628351597b389c77aeb407a1046d36c
SHA512 464c2792dfcc46504d4968a1955c57e19439cf3d058fc9edab191e501b3a92ce4fea0220695e6d386f3b738b0806656bb4b6c90cdce78a6e3856c85482ebbde8

memory/2420-632-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IQwg.exe

MD5 2bc4d203c9b9532febf86aee10f17f46
SHA1 1f73f3895eb69fc86dc07c5a9548bef79ea58ac7
SHA256 4cd289911baab72a4bca688a2f0daa1c3b91cda6a9f73757514d5050d86e520b
SHA512 c5dcb5794fbd558f515077446c5dd406a72629bb032bf9496ff8365fbe8a34d26aa7dd74c1e697742945627f6bb087e6389a54dfadc2e69849b1dcae6b3c4e57

C:\Users\Admin\AppData\Local\Temp\KooY.exe

MD5 69b16e06b0937ec25eb7587884d1e920
SHA1 8b656f7bcf84baf46048ef2132bd07dc59d33e49
SHA256 e589e94f30bbfafe3064baa854462b44f4004a3a3d9f0f5622b340e1806c351e
SHA512 871b4a9abc2b15892ccbe3b550307e751c24b94a41376d7c2240350f52be270d267d95cb22f7f61b6bd47ec902e4c8f4743792f5680b083acc981c9404bec5b3

C:\Users\Admin\AppData\Local\Temp\WowU.exe

MD5 0d9da40ac968c76db330d276b077755d
SHA1 1c6fac4d9407d365aba663115201d991c36f9ee0
SHA256 27a9ded5c0467eafe36963789b56cb7517218c179d19b80c3880b00b13183d5e
SHA512 1118d1b1fdfd073778c0e23b75a204cf20b44e171b95e13e7940b930a8a3df8e45edec775f1eb37a7b20246a2b5b9d055570d4d5317235d07d66a663e7de19cc

memory/3408-669-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gwEM.exe

MD5 c4e1542de43e8e16768432d8ffce48e5
SHA1 2a5be8a00266b8961005529ae12d423aaef96396
SHA256 800c8599da6a06755f9fc3efcf1b78b236a37ea2aca1af61c009fa1b1bae11e1
SHA512 ce640be5b480cfa003d2d64b842b1e31c4fc75ef14e56590c3bd9ab30ff14cb9927de25e72098e2e046799fa62b829263c873569c0bf032fa4052de4d3d0cf4d

C:\Users\Admin\AppData\Local\Temp\sAUK.exe

MD5 9a185faed2fbb73a583de09a8087f616
SHA1 ebaa123a2a62bf4f7f6740ff0fe059537e9b993c
SHA256 5fe021a818f50ee67a9f835c556cfca473513111995f4713e6421478da7c0ebe
SHA512 226b58c17c2e67331d8cee629e7ce8c36151bc560c7adeb79b98e0c68add2d874b016bbd05505c7384f7fe657dc1f473c456d1841a61078ff78cb17952ad1a7a

C:\Users\Admin\AppData\Local\Temp\cMYU.exe

MD5 948306cffb72ef235c14956bce15cd08
SHA1 6b9977ed530d0b6f5a8dd36d9c20c47de84f8683
SHA256 90e69bc127ec2ff4d62b7e119b26a0b342208dc345d922de25cfabc7f369ee0c
SHA512 952331a4bfea00f13adbf80e99d6b3833f6838cf920cacc00ceb0b884ea55afb8b9e5359ab3d2fd1b3fe81c67fd2b11da690fbba33511f1d58d55a4ca48f148b

C:\Users\Admin\AppData\Local\Temp\kUIa.exe

MD5 5f545b9cb8dcd737db5a1af7b9769e4c
SHA1 c562bf94d9173f4998e633286000ff38b3a5f035
SHA256 668cc83ad730c8ed2f60288bd85e86ea355245883b695cf538bd24c27a002a26
SHA512 e97ede6dae885debf0d9eefce270e952f3d4592e6c1b0299ec831990f29c9dbbc2532a19b5b68d93e241da9fc9515687f9bed183e6ff31d3d74c2c584208be36

memory/1124-732-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eIEM.exe

MD5 cab72857f997a9ea30544c80d8760734
SHA1 91adf572bfae0466406906f8392b8d40d6ac7bc4
SHA256 a10494e6392c4e4e8a86d2e4cee979e3cfb9de0a26dcbe42be9f14b67824540a
SHA512 69172d11ddba846eed8710e835c5fd62e4a1af3cbae98c1b90148860d8befdb20bc2983dae6097ef86784bdac20ba54769224e0d56269996c2a511ca91b9bbb5

C:\Users\Admin\AppData\Local\Temp\UEUq.exe

MD5 61d3c8c56f3217338d194bff22c9323a
SHA1 84db54e1a9fb237c44f1c7396a4f8032cc56a2ad
SHA256 2894c5f9a6fecb687c31c910741e1a4211b5bfcb4a9256836565d850554b6d0d
SHA512 82bc7bb1a74d3548142d53567c3e8502daf982a563d1acc06e88acc0d38b3951ca12c4cbdeaf4c1dc258046c5ccd192f78a5f6f3d060c4c06be830e88d7e173f

C:\Users\Admin\AppData\Local\Temp\ckYy.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 19a62ef1650cde8afaa2de68f1b583d3
SHA1 9b5c291484df2e616943ca8e265e39d9f1c69329
SHA256 d9a0c701a2c0a17ef08a6818d2bf87edb169748c0d305cde68ee859c1f01fbac
SHA512 258f42fa42400c8ffa3467a30445fe98cab11a08139e477ed58bdfce97c331a0dd9498e2b4450b432a0c290036cc936012b9764997ecfc2907c745c99501c907

memory/640-796-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WwYm.exe

MD5 34adde583a1368cbfa0b1ad0d77251f8
SHA1 3deab728724204e5b49c16254274f2ae392b710f
SHA256 468fcdfbc2a0f4e0eecfeba1327dfc1017ca0731af9c370e154483b860f48ed3
SHA512 8d45a851c3286cbd77f5b814e40b5611f052d53b5b35997fc7b7e184debac7a46c8fdd432e9259fde89ce4d4b72dd87204a773cee8eb1d3864987bf69464343e

C:\Users\Admin\AppData\Local\Temp\egAI.exe

MD5 f0a534944374f543044b2788f999d8f2
SHA1 5cf636dc1cfba6aa69c2d410c39379c081eb4a36
SHA256 e20ae28ebd27e61367b000b146c5c313afab2170eeaf4cf985a8fb8efc5430aa
SHA512 e4896da3e3ff967da2c392a5e4408bf4fc264574e9912266230c9a88f1376f6b3eade4a964e54d13c0c326022b59b57947af0449f15f79bd7092f5d6567f4097

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 69af6144cc9bed0bfc587cc81e784404
SHA1 9458d2ef715fbafaf9b0dd9fbdd82c7357bf5d22
SHA256 6cf14d1b79154a93726733d66a7342657f73d8f06f717827b8b564965fb561b1
SHA512 3237085f13fc2e227a94c2369decce360dd9c751a7262c220ece350d54e6d92e3f2109183f54ac4f32fdb538f0a21168e37664d5fe25cb8253cd4cb90afc1b5a

C:\Users\Admin\AppData\Local\Temp\aowo.exe

MD5 1dd5e25a644bf6ce57c3506ad8bbfaf6
SHA1 9cf1dba95cd778ec06db0703907557322cb9211b
SHA256 08e1b2960239a3b4cac65f7f50412619450e19eb9288c20ad6d1bf079dd0f460
SHA512 2783bae42a43489dbae088ac2520802ebce70bc621dbed15870bff615acac02d76fb19ac78135ae45e5447ad5edd78a57633264d4c5282209153d0de527ac267

memory/2836-847-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uksm.exe

MD5 50e33199c0c1eb9ebc92727a5be7b8ad
SHA1 30e39e806008a632bea2076605e6a76ce81be180
SHA256 7aad9237d2146c71bec5165e1397bbdeebe2bc1a73db0d7b50649b70d8e5a0af
SHA512 6ca339481866d12e6501e6ec27f1ab29a32464333f52f158b9e8f7a3788cf8691e0c0231b69829a5f380f09accb7655c5952e4f5520d884d8b31b055ea80babb

C:\Users\Admin\AppData\Local\Temp\kIku.exe

MD5 185f9da63fb4388e6f65e572cb3a7a72
SHA1 a26028b0d7115195ddc691efb58c31409877f9ab
SHA256 15a3bcc571ac0c5893918b4e50ecaf2c3db9c265139e71d52c9078b6822e7829
SHA512 f6a62fc159d09c72d5910ee1cdda6c4848a70fba9321d654d3b05e1ba46279ce3cc2643efd92c84475e1e0c4b7e168f415776d3b2014b64eb3ae376d2e0d20dd

C:\Users\Admin\AppData\Local\Temp\KIEO.exe

MD5 91aa4c5c73b135b31234c1c670a1f9b6
SHA1 4d3b52f26d5a924d2af953e39fd25bd951795de7
SHA256 50100bf520bb19f024360376459090b3bf0dc24dd8e56cf0d953a4def58da3c7
SHA512 c400d453efe611bef2a4e8ed3e679881ce0abf1da3464e67db279ea81082292f3b7c79d425dad4ac9ae25b19f75cf3178f64a74f46efa9bcdd2903e5f675cb10

C:\Users\Admin\AppData\Local\Temp\Agcu.exe

MD5 8547cfc9ad10a1c08096820e07c23ad4
SHA1 0209f291d3c8ed936bf12f70c34bcf4778e73c10
SHA256 bd81d6162ef458b5f3bd810c341bd4f71afecac182b6f1cae23c989d95d3f765
SHA512 014dde60089f23b10bb34175f37dc0ee6eb7ceee702285c062d1e5570e431d868a1ddeff54f299368e2aef8eacee09546220e617f8bb5c81988e5f0f1ab9d104

C:\Users\Admin\AppData\Local\Temp\qIEG.exe

MD5 5204b9129efdf1a0c8d0f4c149be3116
SHA1 5d61350b724bf0d47b69ea6a7bc9d9a606acf5e6
SHA256 34d810b36ddfc8b61cb91f99855783a29df6eee29cad47e5f15d696c2583c8d1
SHA512 f79a7bef7258ebeeffd66ae91378dedca39a5d3b3a9c5e1466f1b7bca9a595deee377d79b86db2fb197d070f673ce27f2e7b8c30090ccd8705006d47c3616917

memory/3792-919-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WIUo.exe

MD5 f7a2559445babbbb690757945f87ee9d
SHA1 d8e6b3ad41cf4b4fabdd7f537a12123429548281
SHA256 0e2f76bf0bd738461c6cc7d2e0fc306d9f1ac907acd00b0b44abbf90a59198ad
SHA512 24a6c59f993edf79c45f2b58e19bf2ac1c31f0a051b70c9e0c9329cc1b1666ca55fc14dcaf0f53ac79c961a084e629708f148bef999426675d085db41d93c1d0

C:\Users\Admin\AppData\Local\Temp\KokG.exe

MD5 f02cfefb0526ef260cb38aa5fd694575
SHA1 4a2a04a4e2dbf0bd77ce65f81b726fd4176d5154
SHA256 23530bdbcba3757dd23440598050beea6b01b3ab99959d27a45f49c426a64c4b
SHA512 0ce63bbb0bb4bdbd22b4e8b0cb8530eba682c3c55474f3edca34cf052c6d0aabe65e090a1a3548e8afbd9be60d7f1e419987b7f8a9a26660ee1b36f28785cf88

C:\Users\Admin\AppData\Local\Temp\yUMC.exe

MD5 441205983b725bf7770bb3946402032a
SHA1 e50d07f37534accc42959ec823c3694e33e58d7a
SHA256 cd799d4686ead2a495fb84c4b53b599a99a998fc900f67cc36a2c4152396dbbe
SHA512 1e325e12c02667863f7f0921198a5523d10263c475a59f2e56b1a8b2d7c047f386c4158f166f3eb3419d31cca06000ae71495effeeed3be90d76eaed29e0d536

C:\Users\Admin\AppData\Local\Temp\aMYq.exe

MD5 ab98c1947b894f302c1777935b831b3d
SHA1 ad340eff5e0776f927db30aca77079be099bf13a
SHA256 817dba83667089dae30cf5f52940175395bc026aa164b51a4f2a71b32a36fd29
SHA512 5705196c5fd609ac09101ee057771ecfdb901bc296e906d36de4f151185ca04a339a691178d388f7816cb210590af63afeba9e3d5c96f9ba20146b10b2cd1f6e

memory/1776-989-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1300-985-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IgYY.exe

MD5 28a01dda24870cd3ebf83fc1fe325ffa
SHA1 a53b405f8482b2c17cdd7b30e2211fa40ec31801
SHA256 6461db6a3a6e20fc45f6412a9eebe7c227898fc046e5561a0f1ee458255740e7
SHA512 7aa2f9469c9dcdaf9ac1b761f1d2e60607c2f99c2664b38742b97bfec49051d436d5e79deac45b2bc4b30a1dfb24aaf5751efa9a66a51e348c51133e8a5eb4d8

C:\Users\Admin\AppData\Local\Temp\AMQc.exe

MD5 79b7b3c79807e8496828e6208387615d
SHA1 52672afb7cc81ba52050bd6d1b688fc474523bab
SHA256 58947d04b67289b4832e5f5eedd88e69d9e329e2e064f26b623de6912742dd30
SHA512 3969a98f2fbebfb5470b5985b4dc2d603b6ae5fb3e389f7a6fe7286be97ae39fed6ac50e8441e742e624bdf0b4fe30024ddfb489025adc35e7c84db329c7d09d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 80fd7a3d7a1ed0b1f5130aa71b995102
SHA1 9f09d236ad5580c773dd4e01b364a459c04f1e48
SHA256 0a8310b839e1e2bc8e4a85790d51df77258bc34fd37ce2950fca639f8275ba72
SHA512 07b64e6e3820c56ef30098951391ff8348ee61f120974e1efa138dd90b71d5e3058b03d7df1cbc96c9f5ef9ff54446358dd559e2a4065615a0c39fc1b4330566

C:\Users\Admin\AppData\Local\Temp\EIoA.exe

MD5 7c92d5096fd2d101a376598249009f36
SHA1 5a057204b8f193e3c5527720713d52d1fa8fb178
SHA256 c7e6b1a62310fc83803bbcbc743ecbc2820c35674bd7130ac6e9e31b3c2714a5
SHA512 5a038f208c74d1af4c682123b143b314597b5be76afdbd4592a15373d0dcca919c55f9bbfa30c027fad96fdafcdf79ed89a8e21bcaf0c92120550e33fc9fdc77

memory/1300-1053-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\usMI.exe

MD5 14ae1a793fc55cc3ee8c5710257a47c9
SHA1 dc88676a776efb4b5f012b8637aefaee7af4fd12
SHA256 e757dbd8cf0f708e46c0b43270599e82be65317056055adca632bd70e6d12460
SHA512 1fab0b0eab01209b2c258b9a54a68cca6a9b0482b5d1dc1e64fbf6fc9af872fcfc8dd99236606a07042c74981c84ec002667c0ce9dda7f60139f6333ceae6ab3

C:\Users\Admin\AppData\Local\Temp\Yswg.exe

MD5 ce6baf0420f83b3807923ecec89e112c
SHA1 a1605237b4500af647fed936a96f6773030d8842
SHA256 9fdcf9b3fc701b6b03d8434792d0155830db21629558631ebc74c844db2545c2
SHA512 336c314a3cd02b15e46ca39883a8d7ed7f1c51914cd168f596217187b97edc5fde6cf99da25a0dbf8879850a53808f16b38fcbf309b601afc85a43dbf5003f94

memory/100-1089-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YMkg.exe

MD5 d3ecd045d26af701c49c94d709b627b5
SHA1 bb5e2f7b54448ebf9ea84c2c6e1c005a1b9bc35d
SHA256 f8af27b271e2c6ab52fc0622097b13c391209d4c42a4c8b326f9f3e3d6013c5d
SHA512 29007de9f4d67713c6b2b4e93208b6bb58ff7c071d1fa297220ee1e9a7f8deb18b4f6fcdb1f77c7b2612f26715f61242dea030bfa3af449f691baa2f99bde505

C:\Users\Admin\AppData\Local\Temp\OIYE.exe

MD5 b1218e8ef5b5b3bacc222ac70695bf30
SHA1 002834cb02a0d996f7b9fe1d621b713665802a8e
SHA256 fd0b41ee16442b5b1ce4f635799616a79a8759dd0a09e50ae7ab338b4d46980a
SHA512 00509ba1e6680563b05d4871edec8495d880148df801d8f2d611fd50e0f9fefb1132bd8d3271de69bc89dfed526e92145a350f10b332a923de0269daf2804b9b

C:\Users\Admin\AppData\Local\Temp\ccky.exe

MD5 9c7954675ad43af8065f667959bac5df
SHA1 bcf9c74d227a3318d8ccf985f7b597f49ef71c74
SHA256 d86a208d845190189c2fbddd262ea90337315c08ebc9130591b0852e0edde2ee
SHA512 91e31cfc255ef30adc48135d532dcbeecc4bf97d13b2255d9f776e4d06a5c3a42d6d6f06130d1e24de82190bf24656f9f6738ecb4f069dd66e2a936e60a03c94

C:\Users\Admin\AppData\Local\Temp\WsMW.exe

MD5 4213d54f636cd1294fd5d73ad413b1be
SHA1 092d948ad4da25519d734ee9a2193588b15e234d
SHA256 9fe6a037b9cb5ed9ae30b1b8b5b84f2ba9e89fef48a82b2d580172f1d59b787c
SHA512 e641848f12a0c4091177630ce8209b1810ad1664bed12eaf5f374a200fd8e69ed7eea18d34fc522fb9f615b5bfeb315a5d1180ad4871f12a6b1f283b2a18c8c1

memory/3056-1153-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIsU.exe

MD5 044c434b92ac47f2a1abdb3079473871
SHA1 f6570d94c8b7af85fa88f67617518b72c430de30
SHA256 a98ce7c4bd2f8c5d73c5ab0cccd5b3bca933cda608ee47bd93eea93a313239ce
SHA512 707bea9362b3c423efc145d793f057266f67756e8e1c825836d6a9d389f945d90d77c71fc044b7898424f454746d9f1dd326f94af0231d24ad6aac2ce2909df3

C:\Users\Admin\AppData\Local\Temp\SgAW.exe

MD5 faa3c05cc4af0f7ea9ebc9057a8cb364
SHA1 6421bf203ea890d8eb62c434990cb3bbccc28f8d
SHA256 56348afe0a8f2a8f480baa3929086e638b1b106741c50b2c574ed866f5b5a642
SHA512 b34c0316b2f6119756726b2f1b2390156dba473fcf61bdad1e89d6d99c77ff84c616470d8969333fe17140ca2fef68499a0d379457076804b9848889ef45e486

C:\Users\Admin\AppData\Local\Temp\mgoC.exe

MD5 777911a9086bd3e2d9b9b43980bfc67a
SHA1 7bb1546bfb09c27f9924e26a480b73a43655e4ff
SHA256 276491ca997220d6cce235e9eaf052ee60e09539cfeb4026f51be7e94c39218a
SHA512 208ddf7d8181dafab84ec2856c2cb83ff76aead0b50012c1bf7aebc2ac95b0b56be1f81e4d3747ffa9723add059f2822d167400e6876dbfba5eb742ddec4655c

C:\Users\Admin\AppData\Local\Temp\cswg.exe

MD5 62b0d2b98614e8c964075ee077bedb96
SHA1 4f8001341c3b8de0e52da00f5224d5baaac8447d
SHA256 c6380882d684f222fbf5c938268e50e87b68ffdcaefa908f5e0af78564bb7592
SHA512 2eb724056624ab2a008276018b36bcd9719cd70c49f4db485991eb9da0b3d36fb4d1895f74810e3f685d99b1204413e5018a9683adcf4261dc1ca3bc3d2d49c4

C:\Users\Admin\AppData\Local\Temp\EMoW.exe

MD5 5759e35fead7888dd929fc36500d1ed3
SHA1 3960621eba8e20c91f6c974450779a609a38c8a3
SHA256 dd69f14c16036a86de688e084e922720ba420f91cf6e38fdf1aedbaf14e0c7cd
SHA512 b9e23bfa5faa92cb6b098121260347ebd79a1f07211f6a1521bfae2ba83758d2fa2b6ca0bc5892af15591b0350f8623bcd8d24d34f71a87018ce51eb0c26fdff

memory/4340-1230-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WwoE.exe

MD5 94be8dc92987cbfdd1558e763c756c6c
SHA1 6138f1d58f8a79a66bfe05dab8607cc39363158d
SHA256 2533e3a2a403e2a783bbc66639c6961b091ed2e54bb2b8266cb81a9d78e99bcf
SHA512 efba09ec6f3ce866f453dfbfc06a29665e5c9751c2ab4a36f3a1f0a79a88a6b0ae6b9ec578fb5f50d115e0fc7471505a7b1e814869a4d81078916f655966b69b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

MD5 2e9e1c5ea6bd77c2b26367ca942718d7
SHA1 62298c24a4fd358e3a4e53d0e2d2b8ba0d627a88
SHA256 4cdefc6f168d46bcc460db66fb64df4145aab4606d46411b7a8c99f91c2c1856
SHA512 74ef39967a5c5b3de897c8a64763e7a2951a3f77f763f314775c315b834b53046e42d0b7d23a4ae60882771df062deb23620978af7ee7de9eb0423f1a8d3df66

C:\Users\Admin\AppData\Local\Temp\KAou.exe

MD5 939e7c9d734d43f460723986f986526e
SHA1 080be391d0670ebb4d3b3ac304282f3b0f6a9458
SHA256 0e881ffa3aa90a024ee9e36ded2d27814b9ea30cc830ce0b7183a7becdada9ea
SHA512 8c8609b986fed9f56159d3909997565e5f0feb49127c5fec9a9327870631f59f23ed9144d61e63e14f12f7dcc87c977548727436f4ec5ed0ffde8b94bdcd0722

C:\Users\Admin\AppData\Local\Temp\kkIO.exe

MD5 a35df7e59274d8c98af2de63e23b1fa8
SHA1 58bedcd99a5f7c4f16acbd5ee32d02affdb06b1a
SHA256 07c4339a92fa2458558fad57d363e278b471183a4e1aacb5572e16459bb77faa
SHA512 d8dd914713d5e267812716c1d47e8b3faa974fb34a3399d711b19a13f3356de01798b61177b6dc83fcb929459768b5ad70c7aff565f3835187f66476f4397ca0

C:\Users\Admin\AppData\Local\Temp\mowk.exe

MD5 4bd2028b884c2ed2950469732b8e7bda
SHA1 188ae5996e1b043abb3ec58b3dca2f2d3aaae6e5
SHA256 87dec7969a1288ba8c0c43210183336b1b7eb0ef7143751c4dc8ec73b2b02846
SHA512 3c771634c19bd6440acf2e99fa03081b9528a3141ebdea774b492cdf01eb339d8e308d4a9565d476bdae2cd72abc886aa448d8435de4c78a8c15fc2bdd398659

memory/2364-1299-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qAQs.exe

MD5 06c00df8c6c2964ffbd6d8a013870d8e
SHA1 99623ccd48d41b88c91a9334d9a6513a9fe931c9
SHA256 74b5b044c96f95839b98551d22367c4dec11b825884708c1739516cc5c589104
SHA512 505f66a8892aa6eea000af3b2b865c5072476d00a037cf322a7a9d978c1b5ec7dde6351ce050b4458a1f475e79616104d9c60a685f5056b404ae699e30a9e6af

C:\Users\Admin\AppData\Local\Temp\cEkU.exe

MD5 112e233f52f98ec183b0ee5e33f196e7
SHA1 5e6c78f7b4586fbdf1dcedf71d56316f3e1c873c
SHA256 8a5d390c0cef88252ee1ea798e622304f1273caa1799a902c7ade45d770c0fb8
SHA512 806a9af04cecdcfebd3cf38ab42fee4375a29cecd6e74cf29fbf2e2dc0a3e12e7022cd89b20f9765e9492ffdc72ec72301cde513255c4909475da8e665d9a3f0

memory/1888-1344-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gogg.exe

MD5 c580c049ff7c05b52897d3780ba9aa6c
SHA1 4922c1ea9a2443d4b5532ec5d585dedded09e85c
SHA256 baed7fe29cf49d98d0872d98d723880194a8b445a085f5159460150563cbfc5d
SHA512 76407fbebf97e9603db1abb36b8d9e6a0bbc3761ff6d97eda7ae6ae3e18a1014ed36b5a58a91af666fac74ceaf0fe7a4eeb4b18800228f71421ca4d4a7f1a11b

C:\Users\Admin\AppData\Local\Temp\WcgO.exe

MD5 ddecaf1bc03bc509de5ad9adbd55461e
SHA1 c0b656dc16c8a16254a202b71b919ef3aeef3070
SHA256 e1511f246c5438ba4cb332c60552abdd790746f05fe514a05f721709c8113d03
SHA512 43d540e4c3751ceb98b17a31c7f0700daef7b187fa0469058595e820d6b9f10acb9ca7d0c8491b5fab648209f7431d99a9ace9e2618c31d83f88c6cf92d0d469

C:\Users\Admin\AppData\Local\Temp\AssW.exe

MD5 94f67b5802f942d3bb77ce01d964b1b7
SHA1 b9adc73700d995c1d32bb1b62e7fe28cfe779b92
SHA256 03fb726e85340f735a4d3d2ac5c0b0ceda0013d0efe5bff7358078bcb52c9935
SHA512 268ae67ec0f1ee700539933af48488205c3095761f3d9985091eee566432dca455701379e1f227f2c8c252e0046b4c420876ae1d40eb9a1358e31ddf0b43f1d5

C:\Users\Admin\AppData\Local\Temp\GwUy.exe

MD5 dc8840ccf5f0e42c9e3c5d6ab8d374e1
SHA1 267a6dc7ad06efd7603897dbb0f63eeade047afc
SHA256 807f94dbd0550c06bb4b750daf00752bce50c1c808fa90de3bc820dd82426158
SHA512 b7a078b8ae9435e0bd4ac7370004a2b579c3e15959790c8dc443c4d96a4086caccdbe747af7b4164d5c9590f5578a80381448e3b16d7b8e9fddd1891f53e4493

memory/3012-1413-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CkAU.exe

MD5 2922fc2fe7d07279445ebdc4a846f303
SHA1 7660819571d42d785e8d9ac2fada11c4ec473f25
SHA256 c4d58d9a73e913cb88a62117a08005114eaf6e7ec02dc7c8bfda279867814982
SHA512 25aff296f9fdb0b630000564d43e68f04b04a7518b46add5c266494e88dd40c21482e2fcfed2c6bf9ba5eb528f3571c626684eb3062350ba80918326ef619357

C:\Users\Admin\AppData\Local\Temp\KAES.exe

MD5 bef44fc567e5efba35b6abae57b86056
SHA1 fa4d875a9e6f975b23544ebba76a367e2d6d419f
SHA256 11d5374227622d9388915a3d544b2efbe5750016666719c2594b363005b7af2e
SHA512 bde0d96192d69c6d672695f37e5a162b1e99969645168752d775538ce515516f0a0a62c73d6106c8beaed4ee5b6698edbe1081485fba53c22d982bdf1e6ac30d

C:\Users\Admin\AppData\Local\Temp\ooAe.exe

MD5 70ac51653b58850f63f6c49d3f5da0bc
SHA1 42b669c848d901c4559fdd99301976547ebc9c2d
SHA256 7eeb7f6c7c5745577afb68b2d4a68a73d3094a5e52b69e34fc0ddacee2996cf5
SHA512 53cffeb4910073ad023f47c33a84d12a87b0f14091ab4351f1a468b5f656c0937cfb9cfaaae7be1e406772fb2e729800db013d73557003c6421237a5793ea658

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 d5ff70d192f0ca53e58e84fc39e1d8ee
SHA1 3636008929e3cfcc448ee78d10d16b8caacc32c0
SHA256 b4fcd32f7c6fc9cbede0860b557789c10f467a67b9bc8cad47514ead4776d190
SHA512 4e685dabf5febe9c73265c426d3674c2955c071f1119d671add81ad932d81be1ea0091aa7ff21ca75985c042e49a55741dbc7833d598cc92c618429adfe8031a

C:\Users\Admin\AppData\Local\Temp\MAUe.exe

MD5 371f646a15164c5a82592ec717d8cdce
SHA1 407ccdb4506bb9cf8782e52cc8120c64102dc605
SHA256 644f4ce6b4361c55392485f460571f7294bf85a2e94d4f1ca572ba64f50762ec
SHA512 a8a888fd3ccb95d4fc277b5047931bbf7c9277995df3287ab352dd11cfd377f6bebe98f27600ba89ee3d65894a220db783e2af5505dd96750cf839304cb9459c

memory/1332-1486-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\okYq.exe

MD5 bc59464fe8c054813933f33c0f68ea87
SHA1 cb323b1282d140271b4ac02b3846eb199a94c79b
SHA256 3cee776fbc0860db18fe655c8dc8302a491ba936be54c55f74ba8e07ddc64085
SHA512 eb83ace978e75962a5eb5316ddc3976e70be8256c8623c3624c38cd6348f84f87ea364762fd4125b4cabd5b93a552439ba9b936b89ce465316edfed3d1f4c43b

C:\Users\Admin\AppData\Local\Temp\sMca.exe

MD5 fb4ecd3dcf8d073f498aa8a4f4df9b03
SHA1 952690ce5a6b94f0dd3587f143e24db12e4a1be9
SHA256 aa19d04735c54e4769bf3e06193cb9b0c222117d4ab60bac51516b85936ae79a
SHA512 9b8ce9f194cdf37705a98fa21270b542e94801a685f5d00068860929a098dd56525d1bf77f42866297530897b75b3c7d099150406d2c41cfc58515822e141038

C:\Users\Admin\AppData\Local\Temp\EAky.exe

MD5 0e73bff415da5bf944a892bd43cb4df9
SHA1 20b1be6a7eb553a46e2b92e40459871caf6f9364
SHA256 8ff00005f4cd2ec7086de53596c4a77ab4b95a9f9df8913582066addae049141
SHA512 ba97438bdfe3d2caf1f0d4aaca74fbf3a53435d7358dfd8b4dbc7d871b9b1840c3838d12303db5c1eb92b0b92bb4a2d282bcb52303d77f882b0392bb51fd2302

C:\Users\Admin\AppData\Local\Temp\iwUg.exe

MD5 1daa0c54833f6b182ff37ac44ce50dd2
SHA1 bc7ed5156371ac68ade3fa1ff218029a50db98c7
SHA256 30c6c258d57c1343c26ae0f5020997f04cd2ff397528f2380f8be74cff7b9a2e
SHA512 38e153d0039d42e5d649f3032a7e5bf75300a4c1dca2e5106916c5b166a94f033aabadbd923db82656130a74ed8ce95a553ec607f1e934a1b630bdb0598f44ef

C:\Users\Admin\AppData\Local\Temp\WksU.exe

MD5 23f51424610e6dd99f3559c2773508b3
SHA1 18d308d249bf6355a3eca53c265de7f7070e48c5
SHA256 cbc944dcc52ea7fd8d44cbafc40cc08a2cd3963dea1669107997f94b6a1dfbd4
SHA512 60c3daa937b2eed77764638fbc28f9f0bd772e0d452c13cdc68a8da70a71ac8d02c2f10f5ffcc53c73145c605c572b2aa9343f4667701e5a434a98f16dcb4c0f

memory/4068-1564-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YkQa.exe

MD5 ebb93adc3d61d3a7408cfbaae9fb99c3
SHA1 e7b358b9b28ffbb926a3d74e00b7c7e1a8f2cd45
SHA256 59b2ac7e4aff3a29e06b7118f5d62c6d3d5d00c1a582b812fb6f200b7c607aba
SHA512 bd2b4cecd0100478b44d84a5e804203e6ae6975fbb2ceff9a11b01677c157b342bdfb37a45ddffa83497ea5dfc0091415f723fbb4ee66a3f6f7213869540edb5

C:\Users\Admin\AppData\Local\Temp\QYIa.exe

MD5 f5bb0d718eba54d0e6a027ca18e00d52
SHA1 406e9c6fcebece165a8ae1654412f99df6fdc5cc
SHA256 657add018cfef537808935e7d1af15253281bccd214d4fb171f294827f405e7d
SHA512 f649e03a11810dcfefe18fa6ea13d444a95c457b409f6870787402b58cdb89343ca30790cce3dcd91deb722aaa0cb2ee3be2ee2553dad2c8dec7fe89346e3097

C:\Users\Admin\AppData\Local\Temp\EYUs.exe

MD5 93e6f79b3076b59b1dff6bf573953ad9
SHA1 417a4e0085022b1b3f99236b50d4f8a04e0091b7
SHA256 1a84c1889e2fdce56989b394d137f1fc4b62bb20e599cdfc17e4bc8706f31a23
SHA512 c8c31520a0e049d6b42b5ef1a0bc715eb988023d7e28a91ab530232d6dd16a1372f22058f779a2c18e1980038253d9d94301d71dc459872ed25505c476c97480

memory/4212-1614-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\usQQ.exe

MD5 d6c8be11ba1af4f38d1f943ee8f99de6
SHA1 3f53a71cd7d0d9d6c3289c4fbac128eaf3ee4efa
SHA256 44ac809835ac38c9dacf521f36ea4f7356e5f39845990f50aa73f81cfc4d0ff0
SHA512 86f5ae82cede7d3b57aed4732941dd6f5e264124a693f120613bed6b4234817cbd5b27af0f284f86045bc9d7a1a9cc0c168aa947884dd20119161b1c60a7d44b

C:\Users\Admin\AppData\Local\Temp\SoQW.exe

MD5 552dff8a1ebe61af3b67c6c2678260f2
SHA1 dd22e9c764efffc1e851fe1fc8d4f83f331d9cce
SHA256 2223405e3afbd2eaeb5808aea91940763c4e208a0397a3255a091357c82948a8
SHA512 928f62d858aedb7d14802ae42108816563c58f74ecd5f320672ccc793619ea2805eff3e18b5c6e1db4f18340419fb7304649da7bf5b5e8ed2be95b0e88e79b1f

memory/2544-1663-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ckws.exe

MD5 6fefeba241f7fa9bf173272ce36481b4
SHA1 25fe431ddd393d9c95b64fcf1362d76be21670df
SHA256 31dff1082867bfcc820879a3101019a7f6c11875c9aa513bad867783d2d050a6
SHA512 f395ed9af305e6ff5f794f46213008a7ed3ee665fb786e44494d88815c78969a8a741e8ccd2b9d70a7dc015bf59977de46601ac72a7e03ed3a348aaae9f82f23

C:\Users\Admin\AppData\Local\Temp\uQAU.exe

MD5 a3916e767a7ee34227bc5c8d1f55eb83
SHA1 6dc1e871157f42be3ca4219314cdd70d484e10eb
SHA256 bbd16a680919cac45617c681a7a4199f5feaac3357a4e532ce0f4b4c53f724a8
SHA512 fa49dcc43df73f4de6f53bc0d66aec168e4f90b4f8574f5a197591bb9ad9caf93df840aff414b5240305d086da410c2e718dd2aabb06d3005a2ad24d91f38dcd

C:\Users\Admin\AppData\Local\Temp\WMAU.exe

MD5 ac4d38fa58aea47d579d5a44bb897e36
SHA1 30ff00911dd519b4bd624f4a239cdd713e92d1ac
SHA256 d640b8985fc0a9dff44f0b61dacf9d29cc1a937d587c63654e259f24b9d15a9d
SHA512 33b934e6af90c02846cfa0063d539bfd3cefb637cef5945e3166d93e59ae64d868a614c33d60803910d7bc4424f76d54eee52ab4ea62bb8fdf1146f907f50972

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 e67d2e53e54316b4e15b4e1b7c00a0ce
SHA1 45611a7a5321517adcd17070abed423c2fe2f2b0
SHA256 8b2730315911500ee3c8e9ecf50df007dc563c59c07e322902d4b5af6fb16c97
SHA512 c5f79bbafb4012e932f584c99cf96ec92fbcf257858032b2a15d9ddd1f293a711b20dad86f218f9ebb92d4b446cf34ccbbf413c17942fc9c5f88cf0ae963b981

memory/1768-1717-0x0000000000400000-0x000000000042A000-memory.dmp

memory/780-1727-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kEcU.exe

MD5 8cb6f19c88c2a5a200ce12dae2fbba53
SHA1 f16c812a920083d06672a621c9ac9322f1e8fbb3
SHA256 33f38c97d1997bf1d07940d63ea08d0e73d4415b6d51173bf83710d7441b7976
SHA512 e1585ce453f8d3873dfbf3a2a0bc05e48008d4a817880dc79663e84dac9807a557c07812f191daeac1ebab18933d67f85fbb079f84596fc5dc3e4f6d39779ed7

C:\Users\Admin\AppData\Local\Temp\WMEe.exe

MD5 7698f540c81eda51aabfb3e973ff2aa2
SHA1 df5438ad0cc61aa5079c736a8668cb777a56ab35
SHA256 8a8a7e222a31171a6a824fccc8595b144483c446791b7d67b6062be86e96cc26
SHA512 f206a95929bbede89fd551d52de40698a5333a80ccc87187634b647befa434097327b537158bc1c106d6119d29600bf83c7d36df598dfd0194762a3944208892

C:\Users\Admin\AppData\Local\Temp\MUcE.exe

MD5 7c7bb95169775b84c8af476990d68146
SHA1 961c5b041dd0c8b1b721ef005d179413bda0902a
SHA256 66fcaa9a28cb8aaf2c35ea1f9d84f3a6eee3ef39126ac36e3b7b40e23e829861
SHA512 419c7b71f64e6e7585186e38c81d8aaef0255c6a9ce9c97c4460ebe152a7e7513fa3822edd3ac758e52a367451e45bf3712e538fdc0736d03babbc27115de836

memory/1768-1777-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asEE.exe

MD5 b2d2e4f2312db7cf26a599b1c26366ff
SHA1 7b90e86e3984cb15493db271cc6b04f8645182c3
SHA256 9cde79a5e611c09376022a459264b5874bb04911bf8734ec04173834d789f9b0
SHA512 bf24fc170660edbac2bff728e172ec100222d9a56b618a9354de6abf592ad3d7744432012774b8a92716390f032d21ae41a726c5192b6ff8bb02a5b692ee7750

C:\Users\Admin\AppData\Local\Temp\sYsq.exe

MD5 e621abdd0fffd0f9e6ff6a682b248b8e
SHA1 f7650944bdc785562303e57cae3811044e22339f
SHA256 884fac1fbf026f9589db1cd2f6e15209a0b21ecfa152391286c4b4a18b390ba2
SHA512 4555b0073d43d1922f59b84561e0a689a24a42d2cfdbfbe94959b42b20333747632a6f8b94f730e8c4d3834a3a67527f8c959aa4db0398e0e1d27e6a578ce87e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 e79eb598be6f0fa478e24ed4040a8e3c
SHA1 a7589c9061d8ea9eb3e5e75b42a9844438147f54
SHA256 7cefbcc44de24b02c3f3db662dece149829dadce1aa23a8bde836b3bb64e3998
SHA512 96ee5f1719c903958cb668451225862955e1ccf6ca7894a086c74814ef6237d2ed420032222a40d9c14ee0850697464ae01c6fafa4a41bc66be246692d350e53

C:\Users\Admin\AppData\Local\Temp\cgUM.exe

MD5 1d47a77ac62ba0baf9bf099ae1bdebed
SHA1 c5d270788d49024d63e559c5b21ce47fa9ae7308
SHA256 2faf106c06238ec4127746550796ffa4fe788d9461124b6399ecc28d3ff10c68
SHA512 efa3e8d93227c4b6ffc7d75453a9d8169d2633265907f7b65cef5913187a0ded8fbc9c356328a6ab9b4f9908f2ef4d0348aebbac402d657a26376efad9ae3463

C:\Users\Admin\AppData\Local\Temp\EswM.exe

MD5 87ff9858a0781c8804c4c27ed1439af5
SHA1 0ef911927f1ce6205a3c0c996d45a1cf34a0324d
SHA256 ace8de415995f751baf8e3578cec8385fd81911982077c4463dee6fa2e122a88
SHA512 8da4c09d1c5803ccb7b422a9abf3d0f79b762b961288a271a928fcd1eb7599641df04ace02ba65bf1fd31b96b98523ce2add2383ad18a5ddc96aada81d675c68

C:\Users\Admin\AppData\Local\Temp\ycEq.exe

MD5 ad4e3a8ce35fbb99b5cf08d3c32bd57b
SHA1 df04cdc924a1bef5d380b9b69ee44036d7cb1e48
SHA256 e7f919916a28b568f184321cd15174522b83237ef90f0dbdd85a914a4eb0d341
SHA512 9af75d5a387c171658e7617dfb50951c8ab80261244bd70799f0787e796e8c6f353650f41376af2030ae0500296bf4a407289b637292a1d5d5b38ec16d552922

C:\Users\Admin\AppData\Local\Temp\wIAM.exe

MD5 64ca84e5332146029c7d55040b0168ed
SHA1 5aa217138a60dafdf405e679959f0d2504f43486
SHA256 edbf7b5101f2ec5565827e9f57d35ca8dc52bad5c74f772c9bde8f87bc18a2e4
SHA512 e24266a357907a7c54259f3e5a5c96bb84a311c3401a550a9e13581f340bed7b2d3a7450a9ef1d59cbc6e61741d65cee0677a7ee9e7886862cde9733108aabc1

memory/4060-1860-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GcsI.exe

MD5 b128a8240fb31cb71d621a7f03a3ea4d
SHA1 03e8d200cb25e328c076f8378c51dd4a754207ab
SHA256 ab62bc7d610051e5694a638889629582a3d6b3a0c7a161d74de8355d8f4fd353
SHA512 171cf9a12153ce8a825313a6c9ae1424f83fb0bb1151d7d384aa98014e7fc051c586f47dba9dd7ce7fe075d82b416da383a9b0f08f45e3ce7c8eb990275f8fb0

C:\Users\Admin\AppData\Local\Temp\gkIk.exe

MD5 4a8a5b07aa612395bf5f513ef7e17056
SHA1 ce6af71b81190abcac3b521f41233fc5bbbff914
SHA256 01bb261d329653c681ce48965329f1db703e2f62c7e9e93988c16b2e465f81ee
SHA512 7edc831cfd508fc50b0134650cf464e18443ce70520b94885c3a61e4eec6a55faf4ca7bf61042f3bbed49d8802c00c96a7b3ae9ab434df2a8597b727ff4a2ac4

C:\Users\Admin\AppData\Local\Temp\UUEQ.exe

MD5 dc2fe9586631f59b72e30a6622593bff
SHA1 2e2aee90b24b81cf08ed35ea4d9fa5996a89fb70
SHA256 2f93641728de0deb0838c313499281dbc774570d12d55134f6d09ff3e41350d2
SHA512 9b5e77c3a846c484ee4a991cd4cbfec2bd2f7b9aa70a808c71250d5d1b4b29b9334327c10eddc2d294c0d4555ee8cdd696e15e6f696c3e08d2b37faa2a9b05b3

memory/3956-1918-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SQMW.exe

MD5 2af5b8190b744d37490223b71ee2913c
SHA1 52891e1b6b0cbfdb93e77cf29405f0bf88080143
SHA256 58e612863cfbf5c62825f0a17566d5d880ca1e9b9bfd7d701bd724938a500871
SHA512 7179fb9614673ad5ec891d0bc5c54e60eaf8e2a18f09d6d8e7c19f7b218372a788ceba51124630d4bfca7437e88c1d25a6f08e25d8c1c23065db79ddd990d380

C:\Users\Admin\AppData\Local\Temp\KMUu.exe

MD5 1cdb5cf83d308dfaffd781fe3903e3bf
SHA1 b0aadabe1cb6e6f99ff26a2332fc4b94f8a44813
SHA256 3da189131768e4934575dd2fd4c4e29299a266c7dd27a0d85f4a4cbc0cc1a415
SHA512 c91f4524d6fe9b23ec6801dde61d6c2e0ccab20aee5bae563e9198c2c7db39ef763a3afda1320bc66fcb56e8cda851e46bf461f9805ec070030c0b27ad02fac8

C:\Users\Admin\AppData\Local\Temp\McEE.ico

MD5 c7fffc3e71c7197b5f9daaea510aac10
SHA1 23262fb8038c093ac32d6a34effbede5de5e880d
SHA256 71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865
SHA512 c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

C:\Users\Admin\AppData\Local\Temp\KAgo.exe

MD5 30c71d57d880d1130f6b2e9ab213d1bf
SHA1 44e595db4641e671c91f5535cef50666a8c893f1
SHA256 51c83ee34eb2555cd427e4924435cc21c06c86a686b2de60aef09638923071c8
SHA512 6a6b79f7a25051c4d67033c4788c41788d24a1c5171ef8197add64c5435820682598cd294cacf6927fc71940388e4c015064af96770abcb4cfd0db2316577a26

memory/4856-1967-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMca.exe

MD5 27e203dd19da1570b21a55026a7c35c1
SHA1 82fbaa4223d6972313a0a90554aa66ebaab7dd1a
SHA256 72e2072440d75f8f3eee3e10aa343d387fc3e0601611ef83e7fe08be6538b5dd
SHA512 df97da1f22d9a9ae442096f0d2de71e9dc4c2131c11fb0ea62d956c280319137ba4dd2cbc18b9e2a2e7590c69c5b348dd7aa3c0657eab6a29fe94e35927a6b11

memory/3112-1982-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MwMs.exe

MD5 4479a106e042fc0378227abc1c68761a
SHA1 825b477ce23a205fc16c39f84fcfe809af5ab596
SHA256 5671b8084b2b3160126bafb153135676e71d7ef27e482cb62c135366c2434cb4
SHA512 b9607d9e931863dabdc3e64119846e62892d4f3ba58052d9d28e0bbb1713eb6416e5a857b545f2e219fe5cb74f6503396ab81af26710dd9d19a4000ec71a4f37

C:\Users\Admin\AppData\Local\Temp\gAYS.exe

MD5 1f30e7c2a43c808f69ef789b6bd9b9c3
SHA1 8da113552bcd7ca9c8d4819b34fc0e3d71a10675
SHA256 5719226818a65e1abb5508d673bc642d6aaf96bd502d5fcd82d273da360720ba
SHA512 bea3d5aae1169bfb72fa84e283cc45c986a98e318219213ccc9eb2c4d6763188262e32733bc03186ef7d8637c80180748ce919936bf4844019450781f14e4a72

C:\Users\Admin\Pictures\DisconnectCompress.jpg.exe

MD5 01ffe2e7fc773fc3b2825bdb6760ab07
SHA1 4c5c8cbb44d3bb8aed9eb8505546665bd23740f2
SHA256 fcd35e5d6004aa2548ebc261a1c56c0294be66182543e689b6632cd93621ca06
SHA512 4cdd760dbdc31725106943fd2b4c4f7f643b45aab32103a854a03aa3787777347e71ad53e0881153f15495e935b494dea8f5a7b44341af2b8f35c1cd0b86cd88

C:\Users\Admin\AppData\Local\Temp\wEEY.exe

MD5 c70774ecf21b807be69316b1dd7ebce5
SHA1 f1c89e1e5fe981f1433603a2744b32e2dc90f620
SHA256 e0010a2a9ab2cd4a432b97758b8ee1c294095eeb04913fa63afcdcb7b63366f3
SHA512 2057e15b78953ffcd8449de9508d48708e64a2ba0a16bc80a760fdd3ac8be686475208145a9c86d17e39caefe0a218b1053a1251d0db6c96e0faac516e32b567

memory/3616-2043-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3112-2047-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iYYE.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\cAIY.exe

MD5 87e7a447ea71c9221f3ce626fef977d7
SHA1 d4676f3e150022b55538bdd5b6e677e7450501b1
SHA256 16a217ca06a1f7f87742e88f329c36db4a1671019d96b667f003584c3faeef8e
SHA512 2989be255f438612705fb1b65db6a5a443c9011fee76627611f043eb339e017f038087e7691ad14aeac6b49ee048c3350c5fb732d72d62d5faf0df07fdcfa9f9

C:\Users\Admin\AppData\Local\Temp\YQce.exe

MD5 b980c5a4ba1d0c07de3a8d1a73496703
SHA1 2431bbc31d40de985b7c5e0823d8234602cb1328
SHA256 31be3a875cc1f2a764e82ce9e4a73989f7d3c1419b632a59c43423a8e96f95b6
SHA512 a16603ae6765004acd03e599ef9c4c6ccee5f635d23ab1210870e8c2b727d725bbcecfa370d70cb64f8c91efa2a0cb9151b724216eea9339037c7398c198813c

C:\Users\Admin\AppData\Local\Temp\sAAs.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\RepairUndo.jpg.exe

MD5 61aacaf37cf5670f6b97f3a03f62c46b
SHA1 242dc0e948c0ff8584a2c1d789b5ef142ec3537d
SHA256 0190087a02a7175caf0b3b2230c65836e0d622f489d6d14ce88d71448d4af497
SHA512 920a823c904db619044c5ffdfacb8df50df5494e0a2510fd116032cd10a74a20016d4529dcd86379579b4b78c35f4ca461f4800138804bb606568181c7c5b978

C:\Users\Admin\AppData\Local\Temp\qEEK.exe

MD5 4de714072dfddc6b17817e65cf565c7e
SHA1 c1a5a862232e06451e8932af943f57432a2db0ed
SHA256 326c56e07a76581c2d598c5c6bdb761a9f19cfd38aec82ef5519f3808777d46c
SHA512 9a01b47afc66818078f02091fc88b690c04a727538fd28ad38f88504e1ad68a763c7b45ac76c4bfda30a5d43255b68293cf748585d527b7c819960c5130046ab

memory/1416-2125-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2184-2126-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SIwE.exe

MD5 e999ecf1166da4e1f15e5da73f8e8b3a
SHA1 473d66655f106cdaade2e23fa623415f197ab668
SHA256 3f26de0e540b64eacf7dda5734bdd4292a6199265d0615bb58c4cadc3e4242b2
SHA512 107bb7f70ca79309a83951f1f7f01520e7291c456ce2e26856502b481c53f62a66a31e10f0db77448d744831303564e4d3d815e062c6df1a10c2770e9aef1738

C:\Users\Admin\AppData\Local\Temp\ekEK.exe

MD5 fd1ea5e42b8834f78b9717fa04010659
SHA1 8d2ab09eda32b7cd60b5f5da73a11a51106f3f26
SHA256 cdb7e21a1b864092e16f0c85bff9038d43a86d375bb2fdaa4c0472649320d458
SHA512 f0192fbc8ad858b605b1bf2c510683de4aa4a89c3a71fb28f11c93f1dc904aa256ce5ea5cd4e28f752b4b199886a63ef39d1bd8b0aa2376d6078d58a2e0d41ce

C:\Users\Admin\AppData\Local\Temp\mIkm.exe

MD5 ff0b736ec5d18d02952f50ef5282bf94
SHA1 e21f1b0bd4e47e52cc6cb14ca8725f5ba75f4b20
SHA256 69caaf18f6009eed713e6eeb45bf62572bb43ebd7c950bc20447103ede36f729
SHA512 4c9f490e5a59fb3e221ed5430831e50980c61b97caf83ea74c7782b370cdcc23833a022ea9d9248a5016216a3935a3b17893822fea1d12b2dd2273239dc658b6

C:\Users\Admin\AppData\Local\Temp\UYAy.exe

MD5 1b5ed3edda4470eae27706251ca7e530
SHA1 fd440c36c556c68415cf9c454f8c4e874e5fc758
SHA256 75eae00cbc7d06bbb01b75dff53df8e121b099a8b5af821446d8a6a21422c0b8
SHA512 cb3d82832b5ad344441442c207243957f904eed0308d898990bbc1ff71ef56013ec2c5366c515bbe4f7be2306fb61dacfffc288c7929e13bdeaefe032bc940a3

C:\Users\Admin\AppData\Local\Temp\eAUW.exe

MD5 c8c579578982fb15461e61c9cacd96ce
SHA1 10b9bd856cf295385f9e18fca20352110d4344e9
SHA256 71d06c39ee8c3cc9629d4758d5de82ece87bf85319c16d93e22b00099a095da3
SHA512 0280600f705cafdc47cf401460f8b21601ee1eda9492a9d341433dd4f2cc6a44d8a47ff9f018ea16e42cf1cebffc46b367dab102ec90da70fec869bce2658b18

C:\Users\Admin\AppData\Local\Temp\AEEu.exe

MD5 01d1b43d3b66460865c200b71588ca4b
SHA1 1065a2cf0d86a5408d301c508ffb876c161098bd
SHA256 7a8227705c06ee2ba23c30e4ffacb2f345d37b1dcf7ff34e0626944fe9a2ac02
SHA512 4667a62126b3008cb35510ee44d60b49ecd4f4010c521b8d639ec1a653f88ec3f3ae8b256fd2ab3475100a8ce5a6aa2097ccd045e9f9186a3146e99df94b5d75

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 1f1eb0d6c784de1c3bb77e96ddcb52ce
SHA1 f07b7b4b983d6f5c9fc698a4482b27d39522ae21
SHA256 6ca1de70d443fb74dca14975cf611e5e347c6b7d09f4314ba5f157f7ed967410
SHA512 d116316ddf72873afe8235142b810aa484b37af9457fbbca36854e26461b6e02b710fcafc1dea636231eecf8281a0dac863dc1961db5423b9354e94ca8b2d7be

C:\Users\Admin\AppData\Local\Temp\GwYe.exe

MD5 9e47a38ef245c39eeda4110dd0b47860
SHA1 2a05b1660742472a71a1cebe3fc643c86356dc7d
SHA256 bcaf7363bec4995d0a3d904db6ed2d88384d351bcad8af1725be0250a8a4d54d
SHA512 004b12eda63658fb2c38a2b3226c119dbc77a7dfcd3454a01d7d2fbce867c6d9d2b21bee2d85e3084e285277e14cf9fc3ae1e910e9513e976392c834135540dc