Analysis Overview
SHA256
f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
Threat Level: Known bad
The file f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (83) files with added filename extension
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:53
Reported
2024-10-26 04:55
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation | C:\ProgramData\BuMIMIko\emkgQIII.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\psQQIEEE\UQUYoQMs.exe | N/A |
| N/A | N/A | C:\ProgramData\BuMIMIko\emkgQIII.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQUYoQMs.exe = "C:\\Users\\Admin\\psQQIEEE\\UQUYoQMs.exe" | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\emkgQIII.exe = "C:\\ProgramData\\BuMIMIko\\emkgQIII.exe" | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\emkgQIII.exe = "C:\\ProgramData\\BuMIMIko\\emkgQIII.exe" | C:\ProgramData\BuMIMIko\emkgQIII.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQUYoQMs.exe = "C:\\Users\\Admin\\psQQIEEE\\UQUYoQMs.exe" | C:\Users\Admin\psQQIEEE\UQUYoQMs.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\BuMIMIko\emkgQIII.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\psQQIEEE\UQUYoQMs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\BuMIMIko\emkgQIII.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
"C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe"
C:\Users\Admin\psQQIEEE\UQUYoQMs.exe
"C:\Users\Admin\psQQIEEE\UQUYoQMs.exe"
C:\ProgramData\BuMIMIko\emkgQIII.exe
"C:\ProgramData\BuMIMIko\emkgQIII.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWYYkMck.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAYkMYUk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWgIQYko.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuQAAAYk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCowEUks.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqkkoQgM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOYMgAIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwUcAgIA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqAkYMAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngEYIooM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSUgMoQA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIwkUwgE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeQUcwUk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGAcgQkc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAEgEQwM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeMEoscg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCQsQEkg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hugggQgM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYAYUkwY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCsAIAcA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dScwUkAo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sagQMUAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUckIIoA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOgsgEkg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuwMEEgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOcIUYgI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiskkYcA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkkAgocE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyIEAEYU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWEwUwEM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUkcMUgs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyoswIMM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQUEkAgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyYIYUgU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOAsosMY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqsAwYYM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGAkocMM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoQoIwYY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwwoEoQw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUUEsMQo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lcgAkIIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIUYUYok.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsIgkoYY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgokcYsE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmQkUoQI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UYoQoYwI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\escQQUwE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgossscA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymIokkkY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAYQUEAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOYMUMck.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeMQoIwY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmMgIswg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAcIcEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSgQksgU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISUUUUIU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIAQssMU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGkgQwEE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcwUoUQI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwkUoYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgsYQIUs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQIoogQA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qywskgkE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2396-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\psQQIEEE\UQUYoQMs.exe
| MD5 | 0449a1809c2e3c20b1e3fb138fffe896 |
| SHA1 | 874670fead0de32fe927838788f02f2ad958761e |
| SHA256 | 5b3643b18f03f405c150ea8d328ed238e22c63a7a9dfcb0713277ace4cfb7713 |
| SHA512 | a1e64ce110929ed0d077e2493e504c0a2e8caa230e7733a17ef512b328bcd667dc7f2b1a2a73f1482238c3a1335943313bd021618cfedee452149d225d989dda |
memory/2396-12-0x0000000000310000-0x000000000032D000-memory.dmp
memory/1704-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2396-9-0x0000000000310000-0x000000000032D000-memory.dmp
memory/2520-32-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2396-31-0x0000000000310000-0x000000000032D000-memory.dmp
memory/2396-30-0x0000000000310000-0x000000000032D000-memory.dmp
C:\ProgramData\BuMIMIko\emkgQIII.exe
| MD5 | cf14af69a98e261a8ac66aacab15d424 |
| SHA1 | a81cdeca18569fe44c981bcefdfb9a7309c54f56 |
| SHA256 | e818f616c211f2a0099ccae78018e55ca44b613184d0eb947ec5b16785aafdcd |
| SHA512 | 7a180ad7389dfdba0f0757b02e51244f5f645e461bf5530fa15996ee4ea33346f07c0701fbdef4eb3198b99175f3ebefc5f001136903bff205106a606b1bf71f |
C:\Users\Admin\AppData\Local\Temp\jgQgUscQ.bat
| MD5 | 8dcaf6b73b31049de2667a70022dcff3 |
| SHA1 | b8fb88fbee98ec119fa1b66048ba02a4495577e9 |
| SHA256 | 7b297a8dc63ef19293f164878c2e165c13f3fee9272e1d81e150640dd32077e8 |
| SHA512 | 43bf99d2e8e9029641c1a94ba8154a98345be50ae929827b9bedab23da97924a3e307e6d5e29653e73380a438f2d6e6a1d5b9e56fc3bb5b642d35ca6e771682b |
memory/2288-43-0x0000000000260000-0x000000000028A000-memory.dmp
memory/2396-42-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2288-41-0x0000000000260000-0x000000000028A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nWYYkMck.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2848-44-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\hmkYsQUA.bat
| MD5 | 706e04efd9f1bc4071fd2a245162f649 |
| SHA1 | 5842a0ffe3b948014f6ae943a61a224edef22c87 |
| SHA256 | db83059c584a42669b16dd55a55cb08a4f50e3e01a6e77e823cddfa1d03cc1b3 |
| SHA512 | 821ce1191bb53c681c8dfff14971be0b3d39b2df76c58e4f07a6a30ef255a389275b48a2b0ed45517efa59fb0e8517d0f8b661d4a0588a7460f919eb852f1569 |
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
| MD5 | 8850c1f63d9932bb2d8e957ed72d8fdf |
| SHA1 | 44271a436bed981ced2c5f3839733bbaa54dc8e3 |
| SHA256 | 419b5f32629b747ac897aa66acf77ef2320d4f066470d616e21fd248a4a55f29 |
| SHA512 | 8a33601de5ae88e7dc7aac1325514f68c5e8e40fc7514fa1d1542e78fddeb6612b26a04bd109e40efc36efb591f5bef48693a918219b9e56598677cb26e1978f |
memory/2640-58-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2764-57-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2848-67-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jKYQMIMk.bat
| MD5 | f423eff62816154ffd0703e97e25f795 |
| SHA1 | 9b3f6eb14f5d84ea3acae449a87d1d23a4da4311 |
| SHA256 | 51fd169b65d95d7f5b4d9e13c605bee31ba718ed49bb98bfb1cd43647ccf0d46 |
| SHA512 | 8ac34503e36ceca3008b5578f9a2dacc166249fb297d7a634a21351750c54b985969deab986a7cdc4e5d6d4e0e98387915a6ae0795774957919ab6f18095cdae |
memory/2432-80-0x0000000000280000-0x00000000002AA000-memory.dmp
memory/2640-89-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sWooAoco.bat
| MD5 | 1b4e12b42bdf29853e04d4799fd8d72b |
| SHA1 | c28512a68e1ee0aeced4d2c83add9682490d6167 |
| SHA256 | 8b1e959983a992ac67978bacf9cf56ad8a4bf584083917b40e2b08ef932840a2 |
| SHA512 | 2288519efe9a86971e7c57415afb1581d23dd3d02ada437578539ade1c1688457cb000283cc7c378f189eb8c9b9d1ee38782c7cb2f9c7b21e53029e9a3cd6069 |
memory/2372-102-0x0000000000370000-0x000000000039A000-memory.dmp
memory/2144-111-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mqkUUssc.bat
| MD5 | 4c1c221c2c860ffef18577047824d779 |
| SHA1 | 3a9641ab0d4ea329dfaf2722f58ce21f8cb2bb4d |
| SHA256 | 0ebcdb3712d1aa5608f2d025809f2a12aa18fcf2e9ada929ee20752f8d942f65 |
| SHA512 | 9163fe6035862bd4c5c1e304f1df2256db75f5232a15e69db4a57b84f4fd3417fa51757b6cf2926eaaa856b2d7ecc9319bc09b8379de78436c49caf4dc00f4af |
memory/1536-124-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2976-133-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QAYEYMYo.bat
| MD5 | 15466018965d8d2748d9f6f8e97037f6 |
| SHA1 | a753c8ff26eb4ce7e455e695bd314f3cb6b6fc94 |
| SHA256 | 9a29d9b227586c64f369426d8b8aaeb8df5d23aa2e5a2317e1de45f05d4c814b |
| SHA512 | 5b04614e45ae502a5cde083e37d4e8618abccb242979b00b3f0adb23d736b8aa3008f4ea71f39b6317d27f81b68b022b750f19174d30321421255ccc2b3574fd |
memory/1624-146-0x0000000000430000-0x000000000045A000-memory.dmp
memory/3024-155-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\osYMMgAA.bat
| MD5 | 72bba342102e1bf4d59047fcce06b97c |
| SHA1 | 15fec04efbd7236819f5eda13bfbb3fb7096ff47 |
| SHA256 | f12835f6e3b72d27507bdbe37831ae982545715965bc9591abb8068302b1318e |
| SHA512 | 00ed2f79ec9c28564ffa40af42bfb352429e921d61cef93efc9cc73c946f974e0c1a3ee5bb1a41c0bfb69f1894aaf81bc2d73cfbb896bd9b7fa9983d7cf66fa3 |
memory/2852-168-0x00000000001A0000-0x00000000001CA000-memory.dmp
memory/1564-177-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lscsEgUI.bat
| MD5 | 8df718a6ae0407db9b638516d65acb3a |
| SHA1 | 0f182f412f2e6f967fff9dbd0f595a8ea51b61e1 |
| SHA256 | 8a6cad1b292ad736bfd24626054032b86da854abe8cc1a48b67468ed1fa01f3f |
| SHA512 | 4ed09dd0c5cd72e02b554978ff821473796bbc5f939c27c6273b7c50a4fdb64c224614e44b4dbbdf3c6ff5d1e23c3db3bdf09ae3f0ef4120a0eceba26e1a04f5 |
memory/288-190-0x0000000000260000-0x000000000028A000-memory.dmp
memory/2916-199-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jiEksQMQ.bat
| MD5 | 2081760672a746130292e8a3d2d4942f |
| SHA1 | 8386b6a4bea7a47f16d81bfa83ad329baca2ea2f |
| SHA256 | c7654d00a606a5bdb9e94a4d78b46ed00cc834660c0005778385498de4b86186 |
| SHA512 | ac2aed7f7a3578052a58eb8c7c2765fcb79bddd0780ee9b03041db127045de9e26ce740ad69bdc7658569cd3e0b7b25f652eb5b1cdc1760b553a9ed4b6dedc2c |
memory/2912-212-0x00000000002F0000-0x000000000031A000-memory.dmp
memory/1792-221-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zIoYYAog.bat
| MD5 | 2e1348dc39524e41082e5d080a895b92 |
| SHA1 | c3557a3ea30f61ff5e4d059d20ee221844aef5ac |
| SHA256 | 3a8b18879d370261368bcc465ddf8cc792b779177f35238c796d4c071a0413f1 |
| SHA512 | 0adffb79171aef8bd28f9c90ef9c7d616b35af096d0be9a495162fbfe95525420829418bbc5c3f90cd716de2bb51c7ae6397e879e5b2970b115dae599dbb8987 |
memory/2904-242-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DkYAwgsk.bat
| MD5 | 8afc7a94fbb46ee1b8996c1fb95730f2 |
| SHA1 | 3c14202eca070d3191cfb51fe363b0c4d93c7740 |
| SHA256 | 3033ebb8910c5ae506d58045231306f0e82a2e8794603fe3bc8fec67bcff5c0c |
| SHA512 | 02bd55e9412f8c5a0fed3e7b91c786e33fba28efca5df9ccb2daee3de7578c9b7cdb2d8d03c18cfab4c38d5d0e4be70ac9a1249de0e0fd9170205cd2f2eb94b0 |
memory/3032-255-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1856-264-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tKYswcEM.bat
| MD5 | 6d0102a9f6384177f9c104eb9721e830 |
| SHA1 | 3a15c4625970d9becd093ae7ab23feaeec70ada7 |
| SHA256 | 28581f96b25794925e84c52617d0ec72b21330d451ce4fd34aba5332ebdfdc4e |
| SHA512 | 41c3c727f8295abef0db64d44c0145b55abe1034f738b4646304712623a7a34dfc2e527349cd32f6dfec2507cffa7d768daa9b9c22adb49b15e4b19478a4e68e |
memory/1536-277-0x0000000000290000-0x00000000002BA000-memory.dmp
memory/1780-286-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IEsEAQEY.bat
| MD5 | c480e186f9dbf546ec093995aedf5aa4 |
| SHA1 | 47fa15dfdffa3985ea669a36092a561b610ab20e |
| SHA256 | 93e732bcdb77b74fcb38881f84ae16d5524413c2d4f796ee271e4e8eeb1eee6a |
| SHA512 | 65e07bc29bcb7018ac6747f2b5f6784ae0a293a864abf463498d862778a3c30f0ecdbbc8b853d1afb7196c15af16e95d47c788abbe8e43d8f0cad915b11377e7 |
memory/2120-307-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WwcoQkoY.bat
| MD5 | d40c34b2b3f42bc56673d267c6d2ee5d |
| SHA1 | 51eca97596affa654693dbc466b047574489c0a0 |
| SHA256 | 608247faddae8037c32af36c14f2ea9dddce1cbc29b5b2a00caf912564ac1add |
| SHA512 | 8ac2fe080afd3b0e5f5e443a1513d8a9570a2b609cf3acd7e1c019d799bfaf112f8639976e3a651d91be9a22cd2d53de7ae0396f23d39b27e0d0e375cb4dfaf8 |
memory/1420-320-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2832-329-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QMwIQoEY.bat
| MD5 | 685ab2294bc7161ba5c164938364db5f |
| SHA1 | 18a05127b73e9a1cf5ada9e64718e6b0407ec379 |
| SHA256 | d45bf9bb21a7f8587165190fa0cb4de958ffd1c6a161fb47e40a5b3ca86ccedd |
| SHA512 | 2a3c2148119da922be1d563da0ec23788bbf8d3b45bfc0b8484ce595953284924fb2aa9665573340189457c986e494e6b55c1ed68a8a0da2e73affe69a3506d6 |
memory/2696-342-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1936-351-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ucogQMcM.bat
| MD5 | a2aca786b845bb604ab0e6e4b578d749 |
| SHA1 | 0ba7dc39dcc0b08464c30929d005559823a2f076 |
| SHA256 | be3175f4d44bed408c358c1b810a1e25dccb08de9aa8f27d13b965af1fffa190 |
| SHA512 | d5c2a8186b22b6e26e788d2ab813544b498595d10c308efb2b39f0d5f95ce9d24f4f4813ffbc1fbe2c55c7665e97afd34dd678e6fcb20754103325fe466aa825 |
memory/1772-364-0x00000000002E0000-0x000000000030A000-memory.dmp
memory/2940-373-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uoQIgwYk.bat
| MD5 | ebf44b5c81666a758103e21024f34ed5 |
| SHA1 | 9ff9d9d4271eae84666c019d3f40f14b2c6dfa7e |
| SHA256 | b1f6af013ddf828cf8e84e72e9eb7974250332d810f869ce5b6c61f16f5a7be2 |
| SHA512 | 08faa39d62ba8a01f7126d46930e832fd7beca7a1aca86109dce458dbe304b930ab71ac5798bea9cd45132003ac6bfeb1a88d606c5d179984f853de7b03a18bb |
memory/3048-386-0x0000000000120000-0x000000000014A000-memory.dmp
memory/972-395-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FKIkYIEM.bat
| MD5 | 4328e9667734877504a15d94d723e376 |
| SHA1 | 869ee7f60057df5ebd58c3c566f161f8c2b9a57d |
| SHA256 | 1275a6d0b95c6dc2fb33b141fe69d7862e4a9c65f19a56568ce4daba1b92b74d |
| SHA512 | 3a932ee4a67a576f6a0a19b0ba8f74235ee46ba8ae9ff683d4a76d805ddd49e0a2283e01c1d18fc067caa9276a5850fd9c7eb247391a81dfe6fb688234db0036 |
memory/2312-416-0x0000000000400000-0x000000000042A000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
C:\Users\Admin\AppData\Local\Temp\zkIswIck.bat
| MD5 | 0ef631e059cd194a9f84e54241c6658e |
| SHA1 | 50e06970b966fd9f2bf86ebb9c6c7d49f922edf0 |
| SHA256 | d42517381462a55005ac6682f39c8bdaeb45bc2a2cc2231788c4fe5c158b7a34 |
| SHA512 | 41a76474b738d4a7b682a21416364c10e93f5043f2dd7fafa5504e5876f4f3b2f4b47df07a21c8a2c2161e38b78d7a507f9d6971192397fd9d42179c0caabfed |
memory/2440-430-0x0000000000400000-0x000000000042A000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\OkQs.exe
| MD5 | 68abb309a91876df6987992ad35bc802 |
| SHA1 | 16cc3aea2c29c056af0d43b962d746a2081a531e |
| SHA256 | 2581582832997dd1aec84ea1e450c473995b7c09f6840b3268bb5f6e018233d3 |
| SHA512 | 3e41ed460cf305171ac9e2d82921cba8e6a8a416bcf0b017fcaf1bfcd011376316770ce3ae331bc55203574bcb2e0b45f332ab6fa394c1766fc2bbd4cd253ac0 |
memory/2740-454-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LqEMYEMY.bat
| MD5 | 90372174cb1d6827a6a7199bdb3d4f60 |
| SHA1 | b4372419911263bd2006a6151cec91dd6f8312b6 |
| SHA256 | 43fddaa3aba9351dd62fa330bb47ef1b4176918f6c2c026afd308999099af36e |
| SHA512 | b178ee5ee34e868db9880ea29dffc51729291e53e9a68c46fd9259d9790aebc9fbf5df3b1d2f78d27fb86324789a376428db4734cfb7179202e3cb3677323551 |
C:\Users\Admin\AppData\Local\Temp\OkYC.exe
| MD5 | 99e40c8fa53cfa77a127e767110bbcc9 |
| SHA1 | 7e3e61dc399103104f35621cba345a5cbf7508e7 |
| SHA256 | 980e378eb0abdab6bb7f6b75d62187378697cf91e55d6f65f13d9fd1bca91d3b |
| SHA512 | 8de33d84e28898056c063bb01002a50dc0fa60f699f62a42c58d704da10eb674ea18e7f41130bc52c58783f0d865c1ca3ae3a22bb39340efae26878fabca719e |
C:\Users\Admin\AppData\Local\Temp\QEAA.exe
| MD5 | a7313eeb2ae4bc8c24211775da31d464 |
| SHA1 | b0c0a4195afb24488212fa35af3308e67dc69271 |
| SHA256 | 6840bb159318c4e3ba9b074d12dcb0876fec422ef11cf77b9752e6e1caaa76a3 |
| SHA512 | 3a921f39f4931828dcef2a2c92363ab4a49be25ad1784cca30c61bf685ee643e509624161b486b598a9ea183c066b808110d6f6cd0f19b6fd6076abb83178f94 |
memory/1508-489-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2328-488-0x00000000001E0000-0x000000000020A000-memory.dmp
memory/2328-487-0x00000000001E0000-0x000000000020A000-memory.dmp
memory/1096-486-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GYgU.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\YEEw.exe
| MD5 | a09fd4dbe861c2fb355c361b98676dd2 |
| SHA1 | e4a39f90ab2cba1f7b98c0af9c7b2d249104558f |
| SHA256 | 04069f0a82b7a894b84aabd6a57b9225ea63dc9690fa4bbbfb278f803b04e334 |
| SHA512 | 6d60e996e8d26930294ad5a53338be30fc51b95aabc127ef75fe41ff3fd47f244377cace363943122e11e603994775e17d5358c1701504caf9dc2004a8489aa5 |
C:\Users\Admin\AppData\Local\Temp\mQYI.exe
| MD5 | 02879b50bf591bd26250888875346b40 |
| SHA1 | 80f3670e86e54d50ae9b0271c599882e44704ca0 |
| SHA256 | 789ff602d743ec358258bb49b9c895dc4962da2a0d7defc5890c29fc8276f2c0 |
| SHA512 | a7d64f1568cf7c9e8cbd73585c2cadc3186f981ffca74675402c18d7214890b0d5d5f09d65017099087bf4d5362fb0eb19f7297be349f104a275f0301e2004d4 |
C:\Users\Admin\AppData\Local\Temp\qAAy.exe
| MD5 | 94247f7e51a4893bca22af424c8a38f7 |
| SHA1 | 03265f2ed37c88bafa3332e195cb07d2b105cd7b |
| SHA256 | 55febad4dfd77b370307ec8af31b6d437d0ed55a6b317952f1fabc38d3236a44 |
| SHA512 | 2287b1b7499c1b64c3c468bbb80d36f30df3a019b4d3f3b906bd01f21dbd82683f5ce4cda7a1d9df588fd95ee7ec4cd11bc5f53cca9bbcab96a561e8f45b577d |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | def5be1f60731eea0dad060a13995cf2 |
| SHA1 | 45e329934fc7aa1524ab007ac67fc303082e3f52 |
| SHA256 | 6d976672b672147b59a7d9e8d430680ccddb4b528f2aafb78fb390b92e00850e |
| SHA512 | f57fb10ad5c1735c9a04366af550a8d6f6ea986de8b16d429e3adb0d847f787d4827c4443ed141f7f864018b0182cd1bcfb553b492fcd56f28645a35bd2c1582 |
C:\Users\Admin\AppData\Local\Temp\BcgkoAUo.bat
| MD5 | 1ec488ddc74d23e64f848054a1b0508d |
| SHA1 | 72bcef389e83e106a755dd29391347dc04db09cf |
| SHA256 | a3409b1d082d61d4e97774b66dbbf4689aafa577b2397cc63ddc6a2a617640eb |
| SHA512 | 6719af8a1bf6673b1f83ab9a161d96090f82403ecb8cfdd7970d4978fe83326fe54e7e1bbda909851c396008316ecc1621cadfb80b69677cf0cf39313065af38 |
memory/536-577-0x0000000000120000-0x000000000014A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oAQy.exe
| MD5 | ed28628aee65a8631d830ea8ba49e2d5 |
| SHA1 | 0d7b7cfd5df2d2470a2cf8e44dd2193ac18d6ea4 |
| SHA256 | f091e8a46f82163eb8aea7c724a2c159c7fd0fd5b489423dcd68ea90993303f6 |
| SHA512 | dcc9fd8d3155e223578a68fe1a20a15410f388d7d9e1af62c6bef8d4b6b411efdc9ca417014775dc24d6520b0cfc4bff9af8ce206cc8daef8aaf7966de26ee97 |
memory/1508-586-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KkcU.exe
| MD5 | b8e589a357cfaeb636a21ce8d9e8f165 |
| SHA1 | b90e81a8638afdc23f487ffe349acf72ae031482 |
| SHA256 | 1d40a79b01ba1b63689c67aff55b32eba3983628779cd460dff5fb5555f8b29d |
| SHA512 | 9b7c5ec834fdd70407b7fad33457466ad6ce69ff3090e26a82bdc7fd17e44917b23f6e1ea76f2268b27014b5591c552938e8f988961535c82d029dea308ac5d4 |
C:\Users\Admin\AppData\Local\Temp\CIgE.exe
| MD5 | d743dca239bae0a9b05a938b046a54a2 |
| SHA1 | 56a4025aa0854a5ac4fdfb42f0fa60c452f89d76 |
| SHA256 | 8fbd77e2a5b82949781d8be97883aab7201fe07010e3ab33827c5d9b987bd768 |
| SHA512 | 9ff82c7d0a5f84f3ce5f5c07447ea5879d306a782c7cd9ccb9883ceeaa709262566d85a9d5197b1aaa744248ca8bc7f1632c5bb4c1fcf1fc5d576189d3853d56 |
C:\Users\Admin\AppData\Local\Temp\mUcW.exe
| MD5 | d210e8f05660df1ff84cae4b68fc488a |
| SHA1 | 5b85364ba18da11a656140b72345cf1e8648382d |
| SHA256 | 142ecb2a9451c7b421dedbd9bcb2e8d3ec339c1d90a7f765ae2cbb60bc98144a |
| SHA512 | f168aab32c1700e60cb653830e9a2e8026fe856589222d8c07525b9344f18a53692962247d8428e40715e556e51a4b5c66cf2b27c06e2c170c3bdb8162f19928 |
C:\Users\Admin\AppData\Local\Temp\sqMsIQME.bat
| MD5 | 70bf8c7069e3b2e91a161407b1f7e854 |
| SHA1 | 0f54d9e70429fbcdb75da48f133d0aed20d4894f |
| SHA256 | 58579198cac79b8bb4b11225d10b23b190cb44b4c64acc598af754b87a398cff |
| SHA512 | 82ded4f55c48c20241474a4736108a6a260ee59018820699246b328282c94533df977e9d4830c387379806358ff534eac28ef29d4d57b0dd92fbee6e0ad03126 |
C:\Users\Admin\AppData\Local\Temp\qIom.exe
| MD5 | a123ea46fad65afb3521ac23e3c36680 |
| SHA1 | b846afaffbea04666e8f8a39ff2568010f3b997e |
| SHA256 | 866b1032aa995592b139abcf0c2fa57eef2bb952e533520f7510927d5293b852 |
| SHA512 | 7727a20f293c0de27a6d0e575c9e4c8ca3e623ebd74aeb6b83d2807bd21719cdf7be4852de9ac594da88ea610dfaafdf5ac2d8d96c0023a8de987a2d2caff2ce |
memory/2456-648-0x0000000000160000-0x000000000018A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SUQO.exe
| MD5 | a77e756ea803bca5823189307d6f194d |
| SHA1 | 7c46283325cee770f626819cc1c53679cefcff28 |
| SHA256 | b2d8d92741225a668772955ff8be428bd8038b3a8659de3f59e2363efbbeab62 |
| SHA512 | cdaacf0c109e9680bd108de74acae23f988f3da8cfea4414f21aee7d0ca84646f09f68c1105a15e8fa6f9e0c70b1ef4815bcf5f79e4e543aaecde9e1458afdf8 |
memory/3016-657-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KkQW.exe
| MD5 | 1f69740dc6a5147c3397f3fa6168cd6b |
| SHA1 | bf15aded95197ff68c3b838fbc488e8634e38372 |
| SHA256 | 8da5694e063c6755991b8758d751f2bd804423c3e1c794926db5c11a0ce3e994 |
| SHA512 | fc69bb3427e17af9af9b06c4917a4502f7c0fd31b868eee32521c7acd63432352bb7008259b669c031e225ffbd7a2dd9388d4148439f32c2024d3a85875d6bde |
C:\Users\Admin\AppData\Local\Temp\WcEI.exe
| MD5 | 051d802cdf4532f747260d8f50cf3436 |
| SHA1 | 0a64065c23b03cf2c4f20a5a4561827f7319e95c |
| SHA256 | 5280a038d45d762daf4a043943106ab318b617df5ed6f77250820edbc8620aec |
| SHA512 | ceac51a30348e714ca06364b37555dcae9f589bf73aa1ef588961bc19ccb53ec9db16cad9dff2902994f1f7e85575ea27be0e19a510f914353edecf1de0cdf3a |
C:\Users\Admin\AppData\Local\Temp\coYI.exe
| MD5 | f7346b8b510972aa0816970e6708cdcf |
| SHA1 | bfbdfe56afc1b930b960d5159d033f6983c0f39a |
| SHA256 | e8fc844ef3d21c8179aab7096b88ead0e4d6b3eb10edb4f58d39dfdd16518f56 |
| SHA512 | bcb766ce553637e995e236bb6e2110d9bb535cf043cfa44740e92aeb446eec04f15fefa817caa05ceda73fa54ae496faa9a1d37f9bdc85bb655f5c8bd1994ee0 |
C:\Users\Admin\AppData\Local\Temp\mYYS.exe
| MD5 | fac81b11eec67cfc505b9c0191fa482b |
| SHA1 | d4e17c418d7c3ea66af8c8baa619d95fd412f0f9 |
| SHA256 | 0c595c139d05e1689de3a5a4fead2757a17c152d52a06da84b84315955834631 |
| SHA512 | 98d6bb5b6052c869ddf5341c2e946f7297a97fb682eeb11f2a48c6d7250305ff840f139f0776be762e49cc0a6911e152f741d59979f1160c1d544f76d2fc8718 |
C:\Users\Admin\AppData\Local\Temp\WMEG.exe
| MD5 | 6a61f286006074ef025120860e60d666 |
| SHA1 | 287ab0c75307c46c050aa4b75f62b3642f42161f |
| SHA256 | 8bc54dff2f8c16573654182706dc81c21ddbfaae80ef3a9f8bc3408d785a8ce5 |
| SHA512 | 1e845d8f0022c98db492707b10ce6d07a2dd697a4dc3a1dd37169dda2620252f3084701b6157d492882dc7e593e0da00fed0350546da47639746e5b39d508b48 |
C:\Users\Admin\AppData\Local\Temp\aMQQ.exe
| MD5 | dc59deb0abf476decec6a9fdf3d09f64 |
| SHA1 | b827a81666506c6129c665f0c985361603477540 |
| SHA256 | 5ece968d02151a412e347917a0faee29864042b48143a8c8ae782b39683bb7a9 |
| SHA512 | e2143459c78a6734a0d035817ef453aa33fb93f77d55c09ae4ce2d16c8110ca86a3b1354c695ff7cdf57aa176b8977a02257ce60c09598d4bca7380397760c73 |
C:\Users\Admin\AppData\Local\Temp\aakooAoQ.bat
| MD5 | d0d50a4c509334447a40a6f4199fe304 |
| SHA1 | 9bc7427784c6475c0851d4236788d6cfd66f3229 |
| SHA256 | 32a3be7fe9d29a2440cde2e831fe4d1ba7c75a68c06bc1be1727dae794131a8e |
| SHA512 | 7067442aa8967e93d30785a0bab429916e20575249b8e94c1dd3de02abda93e03e0dbe1f7f699c516b2681e53154fd3033f22f782dfe7a2e5e39495b01353b3c |
memory/1360-758-0x0000000000270000-0x000000000029A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OUMc.exe
| MD5 | a1cec8a35fb7806ad014620965f40cd2 |
| SHA1 | 769be963cce62bc3e42dd41641d6049bfd6ffab2 |
| SHA256 | 2ed8b9a6d0f1488511e9dd4385c676b8edbe609ab45947ffceb7883c5985b6ae |
| SHA512 | 430b8970ebba96228c2b2e383e519dd380826efd8691db119ff29433cef8111ef4fe335aca0cebaac7dad9f6f6e73f0f9bbb69d5b31a69f3eacad71ffa998a88 |
C:\Users\Admin\AppData\Local\Temp\CcYy.exe
| MD5 | f556db589bc0840fe7f21ef9b2124029 |
| SHA1 | 3c5e4002458c072658376cc771857296db6015a0 |
| SHA256 | d453154e731e79db4f5956a09bb973dc0c39220a0f1562710cb2f7d416da6ad1 |
| SHA512 | 955be448a385627d0a3eb37db0f518f1efd89f958ff384829c24323fae102b25cf3a726684c13007e7a25c0bdd0eb4285c86e8a8cafa3b8635fc7e01d84425d3 |
memory/352-793-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oIQI.exe
| MD5 | d5221d1b9c1aba0a1d54e3e28c3b1088 |
| SHA1 | 4eb6c2cc69ad30970a15196c16044c24037399b1 |
| SHA256 | 399143ff56e664133496dc706af6c264c383eade3cf6c33f38f3efeaed334d96 |
| SHA512 | 22785be7b4fba17a70523015755e4d68c52fc823b62b77399ad9911ef2d49a4d25383a4ecd3c2bc18a031e20b9dbd04588af0bba30aad34cf9a942db3f561337 |
C:\Users\Admin\AppData\Local\Temp\CAkm.exe
| MD5 | 67dcfc5f4952377ff6a38ccba536f336 |
| SHA1 | cf971b762753adac21482435961089cf1a9b4e55 |
| SHA256 | 28f080fe04b3339d6ca434c31c13f728b5b532bc56ad6994f28a2bdf1db79065 |
| SHA512 | 9c29a3132d1800a1996190d4ed4f4d1d874454e8401579fde546cfef7dbc5abc9ca5b02665924ee3e435246c6882fce492fcaac7083814685f88a74febad26a4 |
C:\Users\Admin\AppData\Local\Temp\akcK.exe
| MD5 | 24ccd44db3a90976a7ae011aba4ca60d |
| SHA1 | 45091ad2dd9e7521809706c082e0a52521357370 |
| SHA256 | 15e67c1ccbb50546d99b1be80dc3608d50e58a43205930cd75f1885da112d892 |
| SHA512 | 6cc96dcfbd3d67c9206f56acabc1d30ca613a7211206fc69154a1f35c3becacb8f9402daaebd271f31ee400364f5d7784d698f21763baae299f17ec01bc68514 |
C:\Users\Admin\AppData\Local\Temp\MAoQ.exe
| MD5 | 5c4831253d943fd6aa8697fed3bd9c2c |
| SHA1 | 38413576c666da32664f22babb4217a901791987 |
| SHA256 | cb11fb3573e2871311561598b526ece9a77bc72bf0d5f013406fcf4c0caf00eb |
| SHA512 | 5b5549ba93c014c6c42a63d9bc328278127535e0647bdacf8a5eabf78473fd0413243e274a3e2644019d0472b750603f514ae5f1e8cd9273ce52df7d26485d34 |
C:\Users\Admin\AppData\Local\Temp\IEcI.exe
| MD5 | b5295b1541e6d25b9b2d76ca33486b45 |
| SHA1 | d560a77d07cbb37866fe385130d6e5798c4c0f01 |
| SHA256 | 9143453a450a13cec85bf95cd0dc4610195e304ed12250fe70b1733c19bac2d3 |
| SHA512 | 73e054c49c076ec32b81df395d805962b48d5be6fab3e278d089c046923d352cb7ec22352faa5695698c8b69e92af71fe207e35b0fa9cc255e1181e9103e837d |
C:\Users\Admin\AppData\Local\Temp\sQQa.exe
| MD5 | c2a0c31c604c17d97f4bd0bafcc8dbee |
| SHA1 | ac31bfb27054913b86cf9974c5b3eb756385048b |
| SHA256 | d87b73a353fe6b77239bf32ec7feef37f7f082c03c6727370864475f4edb96d0 |
| SHA512 | ff380d5c2f5a772b637dfdc56dcbab844fe8eb9bf578e9f78393518cf6a73648427c172b25ee2e882e189f94cb2570f7b96a9766f1e204805d767377a4626ac7 |
C:\Users\Admin\AppData\Local\Temp\QQkG.exe
| MD5 | 0e17805936f10d7534f3bc4abb0c4cbd |
| SHA1 | 35a6876c9f0474646dc48e78ff25e527baa39fcf |
| SHA256 | 53689100f5979560e5ea5f5de4034eedaef96d5bd125ff635f35005f9360d583 |
| SHA512 | e696b43fe991db44381ed8839f76a19485617bb313ecba2dc429238d8b75021f8550c89f810577dd7057489a33419c4024959e330bde8134eac61d38346a1c67 |
C:\Users\Admin\AppData\Local\Temp\CmYcEcAI.bat
| MD5 | d6a20682cc74fa22cde4645834cfa7f8 |
| SHA1 | cdc0f46a8e60a32b3cd5113026f4fa448da56303 |
| SHA256 | 9527033952008dfca688b1b135af6813db1d432d448866593929d744097f6d8f |
| SHA512 | 7192b82ae7b590f19e661aa6a3a3a15f8682a78475d77951ac84f46a4313b7c3179ff6116584513e6fa005a340f51aebb7cd8fed521c6cb5cdc18e726b45f902 |
C:\Users\Admin\AppData\Local\Temp\gIoy.exe
| MD5 | 4b25c24534f8fd992fda43bcd918f2fe |
| SHA1 | df156e234651302ef78d48923d28b8cb0b6d3aaf |
| SHA256 | ea26e4030581cc2c68c5a37d4682f57bd073642290b96f2997b98d116618bb63 |
| SHA512 | 328eda95cdd2e20e3138200bcc99176d18df986d2c4fe775102bd6bb97a929fdb2b6c5f96a1fcab797b0669fc2396b54e999bbc7c9ab3bd53577805dbdc90fc4 |
memory/2548-909-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2724-908-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2724-907-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kIsc.exe
| MD5 | ef104581b2c2dd77fcbc23e2b297f51b |
| SHA1 | 29352853171afb30e88c24fd7a1b0e9e8ec0e2c6 |
| SHA256 | 7e54969653d9ce4ead7daa390bf0161172fdb6f5ad55d82a83fdb9495c65e1d4 |
| SHA512 | e6d72bf32539ddcf16274c72e7a7e9cd5189e96f5a90001efcf0ff7ab1a9f4ceac65c05217bf395fdca726acece69960e2891172a51a23a34a925434a6d4bc5f |
memory/2276-932-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\woMa.exe
| MD5 | 10414192e7cf681ee69262a610989b67 |
| SHA1 | b57e7a79c7cc043de92d5cd35dc4d47c295b6265 |
| SHA256 | 5e1b288994f00a14fee01c803322234b22bdd607042464c04b45ec0d5156e2bc |
| SHA512 | ab8f31fd643b2487dfc3a8229ea7423656698f0ee1c03f71ed4352808910a980919d55bf46bd8e794b4aab2c87c79be713ea14a64b6de98b77dd42946fd6e16b |
C:\Users\Admin\AppData\Local\Temp\McQc.exe
| MD5 | 3026486119f600d9809c0cb6ceaa520b |
| SHA1 | 73eb7e5a48cc2dcb89cb134c7318389d349bab2b |
| SHA256 | bc4b51b8e7751c92dd8099911cb5701e9c1d287ad3ffcc6fa352941ec73d2d81 |
| SHA512 | c8fffa49b5dd6808466950f86c4e8a21dc0aaf9a4aee8d02e292b9744668f51e2ed0d1b4fcf6a3e37186cce9bebdac9349f449fdb94b4702ea84504ff25fa164 |
C:\Users\Admin\AppData\Local\Temp\WUcA.exe
| MD5 | 63d0df5e4e4f6346e0523f72d5438512 |
| SHA1 | cf9298dcb24d838d94bc2ad4fe0668ef9d670ebc |
| SHA256 | ad5e27c8f8082b5f8326d22a694424aa81368178f4bdab2311b9b0d44a2729ff |
| SHA512 | 8f3030591fa5fa406adfbfb760344733754417a9b030ec32b28f4ce8ccd162614f96b2940cae4895d1ba6a260b9ba0ecea0ab84220d4370ed09c6d2177973eb7 |
C:\Users\Admin\AppData\Local\Temp\AIAA.exe
| MD5 | 026f6626ec79592c7913b15ca724ac46 |
| SHA1 | 3654ad002b1e22cdb625ea36233b53cdf69bf18d |
| SHA256 | d0ad2c08cb074d6c8e7439246d0b24bf9647d05d8880c719f6f1f55e3e3a999d |
| SHA512 | 52567135078be9dc977d08a4ac0c79f95fe0344a2cb317910804bdad8c0250cefeada8e2742c800c35302423849811f7c6d5beed9e58ddff6676445da98a0714 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | a521bb1f53a7142e1526950eff6bbf22 |
| SHA1 | b3bab55ff1f96748eb9d4bea0e22ce4e544cb463 |
| SHA256 | 1babaf2f2f6211c5b943aff8de9290dbd61457991ce0ff91318dc7ad69b5fd90 |
| SHA512 | c406469fcb085d938c716ef618a9d755fcbb5bbeace8cf592b6b413e986b5c24ad19021c7ff4220492319070075b13787062a54bb9ddfea5410bcdd0e7ec5fbe |
C:\Users\Admin\AppData\Local\Temp\esAe.exe
| MD5 | 20c16742125b1cecc9c038e6c6e7f705 |
| SHA1 | 6c6413d8da0d98cfe8491f789abd89cf0fabaca0 |
| SHA256 | fb886fd2e9c1ee032fa793c93a2a58a04110c4eb93a950a2722162ee92c2a5e8 |
| SHA512 | 15dfaf38f172d104fd2ea90bc8343bfe8d598be6f77fcabb6d7748b63cc201000ffb61472720914a7029c795de05fd325af69a62f533180e0ed86cc0b4a7bbd7 |
C:\Users\Admin\AppData\Local\Temp\GkYG.exe
| MD5 | 2a71aeedfdc2fb78e83048b640dca2d4 |
| SHA1 | 216a85a2444fd9da904ab573e85b9c5f06802bf1 |
| SHA256 | ab05c4227821e4e0c75406009f26e9de21bd7c7117daaa79d07a29a61451ddbf |
| SHA512 | db17075a95bcbda8a033f9592f2472070253698d5ce23bb5a6d40e158a53709febf01641b7e524b3c01ec809669f0e0480e2cdc75a4f99179d01d0a1dea5bde7 |
C:\Users\Admin\AppData\Local\Temp\PYYIQUkE.bat
| MD5 | f358571f34aca6b98d3ca2fd5ee4ffe5 |
| SHA1 | ed11af971439f143f332eb2cad6326d451bc3c4d |
| SHA256 | 955404e5f928787ab075de76110a74b77acddc54af301dae78cafa4fa53dfd9e |
| SHA512 | 170861597f49de1643327efeb64e5214f0c75be6f613a4a316df2ab47c35902b14a800e4c172520d26274066eea0aa94a766ef8ad2fa9a3abcdf26a4077f8bec |
C:\Users\Admin\AppData\Local\Temp\Egoq.exe
| MD5 | 8af8d38df2fad302c7b4153dcbb5e9b5 |
| SHA1 | f432f85a7ea12a0d2a2779d5d2770da42f90b27b |
| SHA256 | ff568e2565e96dc970bbef30246c9683cf6708a82515c3188a614d87a8d5a2ae |
| SHA512 | b1bf3e3fe4bdbd74f85acbc89e8d44753982d186261c6a2d85866dbc96ea1ad8da72c08ea1ac4e0d0b2d2e810997f6743ed7b5ac9ac029bb0b4115d16238b520 |
memory/2536-1059-0x0000000000400000-0x000000000042A000-memory.dmp
memory/880-1058-0x00000000004F0000-0x000000000051A000-memory.dmp
memory/880-1057-0x00000000004F0000-0x000000000051A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eAsu.exe
| MD5 | b7acdd0eabbafe555b6c166a0d600d1c |
| SHA1 | eaf479f0054f69a644c2871e78a821b37bc43465 |
| SHA256 | 4fd8df45966cbfa050550d4762b7982701f68ca7285bd8f00385631d2474ac4f |
| SHA512 | 8363589f29f09a6e4ae647b3f3134b0474aecc88bc1e21cddb9121404f18b512ad51b3fa913bb8f89fc76ae0a3ae17d69a48ff499a461bbc3878ed84ef692888 |
memory/2548-1081-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mYQY.exe
| MD5 | bcc638ea78fbcb5deb11e2c4117c26be |
| SHA1 | 763beea75be2fd4627502e08c5296748356560a0 |
| SHA256 | 44e1633ba46db5eec0f7c18fbf06b78507f50feee1e16575e31242d107eb0ef8 |
| SHA512 | 2b9dafda822c651548b1bdefbad7e70312f16dfa2ca03d046178583c19bc6fbfdb1d20c427d3396de8ac1890695dbc0ef52c851543d4059ca4e4b83f64960b01 |
C:\Users\Admin\AppData\Local\Temp\UkkG.exe
| MD5 | b7ed71d9ee775232871d4ce8a63645e3 |
| SHA1 | 3ef65a83a361fbaaf81e495202f222e25380a511 |
| SHA256 | 43a847d1311b9b715207c8dd478b92adc5b89a7f3637fdc04a5dab422b180313 |
| SHA512 | 49b5388d6fd81feb450876e35aa642e20ce2e7cff4926d4c89631004ac1821a9b969fd6daa75ed11c8a2a1f75ca0bd72a31b6e2e21ed54e47d95bb3e68a6e1be |
C:\Users\Admin\AppData\Local\Temp\ecUU.exe
| MD5 | 73212cafaf0f187bf404b4c2231799d4 |
| SHA1 | 2fbf3acf9c7073b6d013112332d76601564991b5 |
| SHA256 | f25ab576a10d290c039f5abc4f252483857d883152764bc406afa2704426de61 |
| SHA512 | 676539e11a2b905613a944a51702574d16b45dc56f331e6d0e67de28058aabb72b2b371e651215e000de63b9b322cf6face00f87ff354144e28dc727258ad328 |
C:\Users\Admin\AppData\Local\Temp\qYEa.exe
| MD5 | 2aaa83b247522366195b56538c712d15 |
| SHA1 | 8ce7562f4b190b2a599941b85465806ae601c48b |
| SHA256 | 2d0c4c9c22b86c70c92611828a15db9eba4c73f70b51cca22ae24a8da78d01b1 |
| SHA512 | 74de9055106d2ebbe86f2905c7b2446485d83f228a0f3a0bf00ef2bd83fb9f6a1ae6b4734800a36cdae10c1db1f21ebc977d56c456f2db6d9f53409f307dae72 |
C:\Users\Admin\AppData\Local\Temp\vucUgowA.bat
| MD5 | 34df2bd7af04132389cbf64b29ed8bc9 |
| SHA1 | 9e3766e521205b810a0e28380f98f63070742aee |
| SHA256 | d9d64871c91f774f0b684ff96c0ddb8296cceabe2d653a3cd34703653853fc36 |
| SHA512 | 6566b8d87eb6779ccd762220fac10cc864353b0a509db85fbe367cdd252b6aeb15ef166e9a033916763d063d7d18d6efb24de855ea920be47440985913326ae0 |
C:\Users\Admin\AppData\Local\Temp\ewoE.exe
| MD5 | 741f310efe7d22c9420798a4f1b02107 |
| SHA1 | 267855165239d0be2d90082970ec5b69453ef5fb |
| SHA256 | f759a65e26395361ae16360a99b96c161077ea81c4500d13905a8b49249d9264 |
| SHA512 | 94370946c8050f2c53b491a3cbb553bc8af7e800f5a7546a61c6eb6dea818d50474c1b44aef801af10277ee4c324a1ed3345e55e335299329a7f803566901ed9 |
memory/2852-1143-0x00000000001A0000-0x00000000001CA000-memory.dmp
memory/2536-1165-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IMcE.exe
| MD5 | 036eb3b41f3e00d23f34ea7912810897 |
| SHA1 | 7af6acb889da70b8e4733b3f94f6da142f8d852a |
| SHA256 | 50a0bfc7ae3935dd6722c9ad17cbbb8733b208ef9f7bcd6bb1145f68f505b9a7 |
| SHA512 | cda40fceeeb5c6a7865109247d8a573e0b0a57b029a72a35016e71a1f9277e9ed1603b74bab934571173f74c0779283eee095dfdd7dc7e55e9d2d3b6d8d70b91 |
C:\Users\Admin\AppData\Local\Temp\mIgs.exe
| MD5 | 5c8f158f7f51d1e7dca9861f43471e72 |
| SHA1 | f7edd15428ec6548f483b75f5725f6b8dca7cc44 |
| SHA256 | 975b88c2e4aea808c7e15edb5e3ea39cd0aed213e28196bfca717354640ac5a4 |
| SHA512 | 9ba52c5547f9a7f85983ffb50d615e9d9fb2469781d895366463d2d1737e4f82e1501a8916bb7ec9bbe2648bc017e7d1a530c0550293876c46babc61cd5c29df |
C:\Users\Admin\AppData\Local\Temp\SgUs.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\qQUc.exe
| MD5 | 41413ed0448bab2d7e37740e9e791338 |
| SHA1 | 8e4ec22430cef731b18984f132e6f87a24afcb10 |
| SHA256 | 800a5690c001075db25929bcb306571c2878c16ca7f834cc659087423519337c |
| SHA512 | 35dd94a780950f8499b1241176f605fb7becf62492d877b5ded97dd9c2ef86cc20bb736d3b38320b0b71fc7fab3058659f8d44fdbc9306564cea8a0b925d628a |
C:\Users\Admin\AppData\Local\Temp\LGsYwoUo.bat
| MD5 | cc175da36a0367887eeb3bd62c2152e7 |
| SHA1 | f132951c7f59bb0798453430ed22b9fe285dd792 |
| SHA256 | 2c8542dc459b69118928a2e01169d869f57f0f9b229af80af5e94536a526bda5 |
| SHA512 | f9d32e6ee5860de1244b3dd49df192e7f6c2c5255d65b4b86ab8e27f5b04b13e28833322fe4d12a98f649c4a2da29a0757e3f7ec609335ae4ca61496e1272757 |
C:\Users\Admin\AppData\Local\Temp\kkka.exe
| MD5 | 681349064b2ec4ce2cf388c1bf87d7c4 |
| SHA1 | b59e6009797d5a27edb21dc42f8901daec4b4ee5 |
| SHA256 | b67642294ff3b16d94aa9fd936d870fe8c50731d83e667b709cbc9951645557e |
| SHA512 | f905c45bc3772b2732e183b252c22471f4b10da08333e5c4ccb5a71dd08144a9d093cd74f9f9f69646234e739e4b20bf583fa27213b0a8a4764b1b4eee0f96f2 |
C:\Users\Admin\AppData\Local\Temp\MIUu.exe
| MD5 | faa96e3e0014a90ff2561dd33f9b4bbd |
| SHA1 | f948fb2c8b17812a392c991d0fca68e87e536359 |
| SHA256 | ae547abd1babd3e799fd1ac7bf93096de637e6059779e8dcfe1a058fd587e5d9 |
| SHA512 | 5774bc2d3021bad07ee97172f3dcaae211f40a7122bcf90c7b0bd02b95f3be2af43dc5d9dc18868c8a4996548bec43eec95f1179dbb838559047b06f8abdaf17 |
memory/3016-1248-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2920-1250-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1868-1249-0x00000000000F0000-0x000000000011A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sEAU.exe
| MD5 | b192daf57cd3afb0ba53956682ca0167 |
| SHA1 | 3f14794805104793cf71c4c748b41b34db5c6f5f |
| SHA256 | 64febfcafb94329a53c591902f375e9fbe8fa48170689638fb2723fe381a9d77 |
| SHA512 | 4119ab321ad2bb0e280e76852beda9c8d10d81c86eb43ba2eb0987342c0670f4a8b33e145391256177e48d182ef85fd742b7dd428bcab179cefd205045a547ab |
C:\Users\Admin\AppData\Local\Temp\wkMa.exe
| MD5 | 680fba4b460ca154ae923dba54dc32cd |
| SHA1 | 6586e488cdb0d6783cad2db3350d3c7511b00bf8 |
| SHA256 | 5590269509990a15b9467a93bb6f7f1ae16d2ddc2ebbbbb3e71c71fdc4dc0b12 |
| SHA512 | 88a649fbfcde7c1f807fe85e0c7f7ca04817fd970b57b0350e8b2d32d5fa6fb07cd48f7a97055b00ba9e8eb6639a926c6364be052897451378d9fd1272114fae |
C:\Users\Admin\AppData\Local\Temp\UMki.exe
| MD5 | d9e90c48769bd68ab97ff37aa76b3ae3 |
| SHA1 | 7cb5d7ebf0af08c273266bdf9b095614ee9fbe92 |
| SHA256 | 7b2f74c5638403726461d09a44e93e713aed7483eee989b2d581f15f7ee8dc24 |
| SHA512 | 173644b6ebf2196ca0ad21a3ab7b2f744db861b1becb55978467fe79e783cc7909caaf730edea53efe2aa6c1cbd0c756dbb91253ee09f9de509656afd0c4bdba |
C:\Users\Admin\AppData\Local\Temp\HEgckoIk.bat
| MD5 | ae886cceba02d3b3f362d8cd05164fed |
| SHA1 | 05e807069c3b96d931283fe4ad342eb785bc8b40 |
| SHA256 | 790d657171b4f913f328eb73bb087f99443cfbf4989e69370fe64459bfe6767d |
| SHA512 | 4c8d334ae9a11041ff3416a4a35fc31cf5e1e4da334ac5f2b9009a0d68e836e5bb7e32c7eb4d2ef9add063b5e3134ca3045f03136bdcbf5c1f0718f2e5dec16c |
C:\Users\Admin\AppData\Local\Temp\YEgW.exe
| MD5 | f54e66967bd6d1d2b2216f809c42743d |
| SHA1 | ce3f1f346896392add644c277e0c7bdcc3aaef8c |
| SHA256 | 4d3ac14a35baa72490b636f5c553042234ccca9281e47b6d6cf41e4284ae1295 |
| SHA512 | 3ed3666f283ec77cb61d7edef64f9a51d048aaa5876b089d435afbd65754f7188a03a59b9fdfcea4a5d17fb7002a038752b081f87caa6c848e9ee9e495c574e3 |
memory/2548-1321-0x0000000000160000-0x000000000018A000-memory.dmp
memory/1704-1323-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AIAY.exe
| MD5 | eda8fd8c7d10abcf8da3bc7bd9bf2fbf |
| SHA1 | 700afdd8ed06f029f4f2643ec33d80aeeb769f2c |
| SHA256 | d4056efcacbde315fc6c6cc5da244b0bff33625f21d4647676a0f143b03aa1e8 |
| SHA512 | 5e6821191585756555e2c0d79199cc5d217430499f18c8041ef1937b2d65ceaf9500a1db3a98ee3c2ac6634c89ff3f90f21e605f526abf8d6ee42f36d68f5ada |
C:\Users\Admin\Documents\DebugCompare.xls.exe
| MD5 | 9b62fa7b83869a41a82f267c425db50e |
| SHA1 | 79860cdc0348b0725d79b369dfd8ceabaf68ee3f |
| SHA256 | 754ed431fe7195f5e111b07ffb90175acd35fe3bdb8aabd2bf44d729e63ef080 |
| SHA512 | cd16b77b7cd53bd0a7459644b85011c1d75cd28687f2973d509f2fc6acefe0f00278a79667fc6983fb7cdbad85b8e78f56cf9aad84b6bf09143fa5fa9917385b |
memory/2548-1322-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2920-1320-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MYYo.exe
| MD5 | 7ccde7db9f611194741062c7b0a5d229 |
| SHA1 | d33a946902907885c3b82a808a332136033a6bb4 |
| SHA256 | 16f7823f7b45d65590352dc1ef77f5ee7e06d7352be29c1b62c10cf111fd6981 |
| SHA512 | 21909d24d36442fc2e95efd99051e68d91de0939c1970563b953fddb856edf86394947274bfd1e80099aca949e1c10eb8d0111419e96849d993657c5c591d4c0 |
C:\Users\Admin\AppData\Local\Temp\cwYa.ico
| MD5 | 97ff638c39767356fc81ae9ba75057e8 |
| SHA1 | 92e201c9a4dc807643402f646cbb7e4433b7d713 |
| SHA256 | 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093 |
| SHA512 | 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46 |
C:\Users\Admin\AppData\Local\Temp\MsEC.exe
| MD5 | 7cf90f81e00b66a5934f912a321a8557 |
| SHA1 | 13503d5258246c5226dfc55c6cbaf7dc1d178457 |
| SHA256 | 3960ca16453f440270b294f25540bf445687ac741ecd0a03e10cf8e26e38620a |
| SHA512 | 57cc6cd1cad1e5bdf8e71555a44b70cc8723b061de2c1789ff82229bb91db436b18d5a0e955324dbce06ebc9ae8e4f13db447fd9bf796cd252842cb02c4d0873 |
C:\Users\Admin\AppData\Local\Temp\SkAs.ico
| MD5 | 68eff758b02205fd81fa05edd176d441 |
| SHA1 | f17593c1cdd859301cea25274ebf8e97adf310e2 |
| SHA256 | 37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5 |
| SHA512 | d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a |
C:\Users\Admin\AppData\Local\Temp\UgUY.exe
| MD5 | 33e96af715d792c252eec2ac8b8adad1 |
| SHA1 | a48537b0ac603d0db805763bf85ec0e9b2b29b50 |
| SHA256 | 4824a1fd53e0c03908ad6d791849fa9554767b1924121f9d03336e0c59bc314b |
| SHA512 | fa636db4c4cae0edf7ddfc6a42433cfc4e2ab419702e795a71662203e1ccba21366dfbe365b225d578e32390f85f68add4ca66bdaa660205874ac0faa75b0fb3 |
C:\Users\Admin\AppData\Local\Temp\SwEcMsMg.bat
| MD5 | 9ecb53f9c5a5d20b4c55021a4dff0d35 |
| SHA1 | 62e0862fe247cc75c94951221adb3ca09898edfa |
| SHA256 | 6a0d43349e9f6eff228a7d85637ef725fe28786db8ba2c9c80a599cbbf386972 |
| SHA512 | 31593cc3aaa28c9b1ac568b904a59b609a004da8acc7624399c04c3a1c8330e35cc4f76bfdfbfb8d0919f19c1e88e7821c7c73645aad0b0fc86d950a08d10bb3 |
C:\Users\Admin\AppData\Local\Temp\UUsG.exe
| MD5 | 1c7c23fe8be46e746c99ae570b96fbd0 |
| SHA1 | 8fd0c0ea04d8f32a5851524403288be310c0bc71 |
| SHA256 | 33de413b8e64d732270673789c84cc47b500cecd9eb849034af8853d844aba35 |
| SHA512 | 8ef926a74eae4193a6e30157f6b2ce2b1cdf83a936824900d3f2fe8685f2ab44667c6d2aca4cc6b66742f82614bde77e2c3bf7ba41ec070ff298d12b97db058b |
memory/824-1413-0x0000000000400000-0x000000000042A000-memory.dmp
memory/520-1412-0x0000000000400000-0x000000000042A000-memory.dmp
memory/520-1411-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2864-1435-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cQoi.exe
| MD5 | 192f776a876ff20b2c2eb248611879de |
| SHA1 | 517f3d92508deab082dfc221b3f6fba4fb0fa84a |
| SHA256 | b37c72ba619a6d460ecd68e1184267f836f4afe14287db033e0ab6dfbaed973c |
| SHA512 | 6b08fd386b7c786ce3e91400df7de586dbf9604b492a6c4eaadc0bbcaa9de314d5fff77162d59d029cce20c1163d0ade787ed0885df1b035f8633eb414212a5a |
C:\Users\Admin\AppData\Local\Temp\oUgu.exe
| MD5 | 4b3b71fde5063a15ad91dc312b13474a |
| SHA1 | 29506dddc16e475ff26b12b2f439c8fa7b6dd168 |
| SHA256 | f5463424df4aa2ec1cbf3f22ce3ec5a3acf8828fe9c9d0d14a1c82545bd9a4e7 |
| SHA512 | 1aa5407e301ac2c60eb064097d02c8ee26da4629c2c8a5308b8a40dfabad7febb45546a31845155b93cacbf4d4badceb5c51f35c763903779d96c4685baf85a3 |
C:\Users\Admin\AppData\Local\Temp\UUIy.exe
| MD5 | 7d96d7ded0455665ce3a3c6e6549fe6b |
| SHA1 | 6bdc1127804f8997e193e192072c110438245871 |
| SHA256 | 1a4d37f998322ea7dd9a8d7113c72752b103e5010a4bd0e3375dda1b3528c5e7 |
| SHA512 | 1b2a6b5cb11fa0fa4f9e93d0b2b1121e1005fe52cd5982337a2b1cc4e2fb1313be4fe45e7f89ea7741086adf0184a257497788ce1e53fc5c7b937737b5e60f09 |
C:\Users\Admin\AppData\Local\Temp\WowYEccs.bat
| MD5 | 02d19ea7614c1164a4384de228ad4003 |
| SHA1 | 447978b3616d2802b738bc3d1a3ba9db4970a836 |
| SHA256 | 1cc965c10b6bd680503af9d91651090413b8b28565a36594105cf9e60fbd5deb |
| SHA512 | 386d36bf39fa380e7967f1d7eb3edd5cdb4d74be61a6e0f4c9be7afb5e95fd8fe73b00807ac5586939bbb805a5018bd1641559812b367956b4a8ec7e75be2844 |
C:\Users\Admin\AppData\Local\Temp\cgEq.exe
| MD5 | 306c98bd2dd8dbc8d5e62206e64dd1b4 |
| SHA1 | e7efffebfa84cf6c34c2e76dcf3a0e783241bdf3 |
| SHA256 | ab27a8ec1bb59083ccd57745a5dd973dc4f550157e031e52db36d3761a6ab0a6 |
| SHA512 | 3ebd919d1a1d0111a468bd9bd891a82de3c1dc4067b775cf3aa095f101cd24bb53f5551131ba3c351377b5d28f4eccfd3c35f8c6a8b1f4cdd52c325ea119e9a9 |
memory/2372-1487-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2696-1486-0x0000000000120000-0x000000000014A000-memory.dmp
memory/2520-1485-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2696-1484-0x0000000000120000-0x000000000014A000-memory.dmp
memory/824-1499-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mYoK.exe
| MD5 | 023df06a170ec3f876aca8b0b6cb8085 |
| SHA1 | 2d65155dab4c1e786dd3456c207e5e87f9170a86 |
| SHA256 | dbcb1a11b5f1a38781025f5876bb18d4a77a422cc804f7027f6f7c1f01503d19 |
| SHA512 | 812de70a7b8bcdf35dc0861f0542b3f91441f780c9f28a30523ae688ccaae9922079f2d9a3b300b5240e39323275d5bb3cd73732a0f748119cdb756175a4b7ce |
C:\Users\Admin\AppData\Local\Temp\igoc.exe
| MD5 | 9088a5a6656439bc9637df09e1cc88e0 |
| SHA1 | ecac3331dcf95834a4d1b4aa9544ea17dac95db4 |
| SHA256 | 04ccce3075595a295bf8f0e3b737e5dc6967ac276e036e566c14a751b2ebc89a |
| SHA512 | b32e6fd97131debd6981a5ba7799cdeab19e5106820ce48f4d1f482a6a55ae68d5ee9267ca4d734ecf027112d33b8efa5f247c79dc81533de110ef4f9d35cfb1 |
C:\Users\Admin\AppData\Local\Temp\wIES.exe
| MD5 | 1800fccb5b5b39049f519f357e3c8bd3 |
| SHA1 | 67af0b662dae2e49ea37904664fb44dfd0982b75 |
| SHA256 | eea43a929e9cd36cd22df17c8f47d3f389dbac198871e7d07e781a9ca1400679 |
| SHA512 | 2a367b36c5e7e17c55cbd09a00eab5f3ba37abe2671ba22e8671fed2d246bebe63c6611625e0de3c526a810f2fa282248d8e71254f84f9726a1a5b8186a8839b |
C:\Users\Admin\AppData\Local\Temp\gggi.exe
| MD5 | 614e198d811fe1e47134f83e5e5161b7 |
| SHA1 | de94cbb912ba3ee7ae0ee613c1df57643f9c261d |
| SHA256 | 0cdc1e65960cb92332786d4e03e02ae9ee417f1e92d94292468517dea9bf5cee |
| SHA512 | f461509deba0c116469fcab84a4bf91981f9a716a28e5b2d306538f8ffd3f46c01069a876e8113a695ef60d0cdca1ad4eaef2f615097aeb138bde12bd11b984f |
C:\Users\Admin\AppData\Local\Temp\oCEwgkMw.bat
| MD5 | a51e3df5449f60d26ecaa5ea833f630e |
| SHA1 | e755f6fbf6309072f8bc7aac0b38c693485f9b3c |
| SHA256 | a0a8925e729a7e869c806f3b6d0aa725da2e77ebc9df160848529dfbf440da21 |
| SHA512 | 022ff6b0da65a513ed8286b4c8cd587a87a3d8fb71cf5a268d704d694be79fb89b7574aceaa26760702e9209a6059409638df87615bd3792eb073a92fcf75bf8 |
C:\Users\Admin\AppData\Local\Temp\kkoo.exe
| MD5 | 6070933a4d0d395b263a649e89662048 |
| SHA1 | 4525549a01d72371e351cbf27e98ddeb05ffe4aa |
| SHA256 | 647cb55b958630312248d15ed92c241204beda446050ad70825ddecb59fbd20a |
| SHA512 | 9b1cf03c69a88520cd5ae090a867a924410c03a541323b37c840a46fd4d39b007d250c6c80a899e180593c8e0b0e12ef7483b4e2e4f0c412bf702d36bf643520 |
memory/576-1586-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OAMK.exe
| MD5 | bb995863ce98c9e75eee9fe4f41090fc |
| SHA1 | 137589e27604cc2a69b3846da15fb780e13f2a88 |
| SHA256 | 1b29a6445593c8bdc1e63d3975aaf2708f1fc7c10dd9bfb2e81ce34f8ed8d714 |
| SHA512 | fb605986bee07e798e27bc6bd04ea58107c32d5a26c5d826e9c55b6f1e9db852ddb18e47b2640798ca81816bb66a27c630531aa615f1a8757d671eb650b15a29 |
memory/2372-1601-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\awsQ.exe
| MD5 | 6e5afbf115ef76a96b9e4f995af85c31 |
| SHA1 | f08cb910d26968032e0065dedaa342daf528d5bc |
| SHA256 | 858f0b366d25d383b6c3fcbc92a00b8637c76de0d4e9808dabc0c833f3d3089f |
| SHA512 | d15814fd5954acaebe359a11ecfd3631a7acb6e0868df48c6074a6c89383e91ceb7cb3a5523693ecc4f44ec380ed034f58951f7c406ee00f4ac2451e33a65df4 |
C:\Users\Admin\AppData\Local\Temp\GgAcYwgE.bat
| MD5 | 83c57510d7eadcaf956840d2e44fdad7 |
| SHA1 | 01a02cb95efc2b5bd7418007ea71d2fb87b21cbe |
| SHA256 | dbb18b2ec378455031bf30914eea95f385561582161f6f93a203028add7e0e29 |
| SHA512 | 734e51b580b0503816c1550852e6942400ef08caff982c5e2ec5639e0e8e3677d2529e36c262cb4fc1654932d912acafd918a2baeb70894a19f7a31c26af1f57 |
C:\Users\Admin\AppData\Local\Temp\AkwQ.exe
| MD5 | b5b78b1628246d6ab45d0f20839fe964 |
| SHA1 | 28b22fdb2e49d27b8720fc87ff5f90e6e9b19909 |
| SHA256 | f02a59ea3d7273029cd8c66e97e0b49a79d1fcb9ca8e5626ac300e18620d762b |
| SHA512 | 9a6c4d0dd4df4069d7cd832be95d09bc376a26dc65e24076903f5ccc4e7d90ab0e29aaa1b7ca12988a744557f44ef2fe3130f7c9e36c4b3bedd2e013fdc6b97d |
memory/1788-1653-0x00000000001F0000-0x000000000021A000-memory.dmp
memory/540-1665-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kcca.exe
| MD5 | 86ca0709e1253382f4448ed83a16062d |
| SHA1 | a0c0655af907e840c27147334da0e1c6f64e2c29 |
| SHA256 | 9eb05026fa0b418bb23997c6c15540f372b166dba59161d33af9de9237bb30c2 |
| SHA512 | ca65f4be5a97f55a43fb697e4be1aa6e9cb0611fc40493d5d32ec0f06612362c2dfb460eb7970e1d6bdb4bade51643bcaf8f96cd106d5cd8ce6d7305d6b3b40e |
C:\Users\Admin\AppData\Local\Temp\Gcwo.exe
| MD5 | 79b7085a6e22432fb102ed2a80901d53 |
| SHA1 | bf698aca926326a343ea87e08d6ec0db413ee107 |
| SHA256 | 69ec17f6721094483c29db1bf61fdd49b6b4ac26cb1fd2b129c4a1c7eb2930ee |
| SHA512 | dba20a05b1b47697205c4c6a1ab4dec8a0fbd88258e15a528201029bdb6f220e518ac989840b6fb81354ef1d3731c20cc86a1d7627faec2ecf77d2a779f1b56e |
C:\Users\Admin\AppData\Local\Temp\sMQwoogw.bat
| MD5 | 866371fd995e27e05ec1722979f831ca |
| SHA1 | 2be4276342bc91a0de46479482701a35ba45bc18 |
| SHA256 | d10456d66afe16eb3416be344c1d1b8efc3dc268cdc84cf387e7f6ac14143acc |
| SHA512 | 172de533668b5a09add327074fc1fc6364013f65721353c2cb38f1e1960aef693a06ec24a9f3839dd3fb330ac9dfd9188d425eb8fba75e8ea11a69439e6817f6 |
memory/3004-1708-0x00000000000F0000-0x000000000011A000-memory.dmp
memory/3004-1707-0x00000000000F0000-0x000000000011A000-memory.dmp
memory/2268-1717-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEIc.exe
| MD5 | cd18b253223dfa852f2d4bf2f86826b5 |
| SHA1 | 3a52b0c0c7c187d8a16d002c5ff25372e7e03f71 |
| SHA256 | 7fd3ded795ec983c35e30b8c827308504eb0405c45619070ee9de080a01355e7 |
| SHA512 | 94f665460bbf1f5471ed1cb3e377458e178ccb3c6b4f22ff3667a9549e850c001ff59aa0a704f2af09ad902043322e545ca7455aaf580ddb2e06c976007a6f92 |
C:\Users\Admin\AppData\Local\Temp\CAIg.exe
| MD5 | 9813c0bb9d2c1f280b5652534b35e427 |
| SHA1 | f14c80413a069ac306c476f27f79474315d5db64 |
| SHA256 | 3fbabcd9fa64b0ff206a60fe062f3c284427c7b98f90302337fa06b5e09860dd |
| SHA512 | 9d1780b716477d93c3a46a342130d1cfed7d585ac8fe334372f0540af85e7b04d511c493b45fa4e211795f72f8efdb14e3bfcc995e289208e71efb7521017b77 |
C:\Users\Admin\AppData\Local\Temp\bGUgMEsE.bat
| MD5 | 3ea6f13eee0a89302ebc7091e44de01b |
| SHA1 | 61d666956e20296688f272fd19f9bcc45804749a |
| SHA256 | 52bc3755834cc659fb56965f513d6d241bf05ed79f9741b7b3a8416319191025 |
| SHA512 | 33ac029d681fb52ba50f8a983073af219d2a46c26f4eab19dce8fe2ca9af2986ddd826c1877860d897d8ee06e2ec4491f9149a3aa778487a19cd49e246d6e80d |
memory/3004-1783-0x0000000077A60000-0x0000000077B5A000-memory.dmp
memory/3004-1782-0x0000000077B60000-0x0000000077C7F000-memory.dmp
memory/1032-1784-0x0000000000400000-0x000000000042A000-memory.dmp
memory/328-1781-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gUMg.exe
| MD5 | 593249a80730a1273d402bd9616b1459 |
| SHA1 | 1727d85ab387aa7cff681cef089d765b9db0a2c1 |
| SHA256 | f226f3f6cb96539e58548af872753c3c35ec283c7d2700a9a407afe87919ed9f |
| SHA512 | 08817da5e6fda82128b3a1eb92a5a27481ed1ce169e9872987aa47aa3d56c6f7ca738a31a864b55eade17a218d7683229b6cf9c460e6f0515efed2c7be963379 |
memory/3012-1764-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aUgA.exe
| MD5 | 7f43fd44a0e468ef7a64092c972fc9f4 |
| SHA1 | 50ed7db38047dfd5f5a5f6634a8c92bc7367a182 |
| SHA256 | 1b639acd05ed8e81abb367b93931985a74bd1c920f8b3fd4f360f11622574a8e |
| SHA512 | 6b3dc933a36d035daa342384b67a85b6cbbce73834f08176ccd24f17ba3fd0c5b199db8ab582a508d509938ddeb73dbfc4263266dd9aabdd156fbce280595613 |
C:\Users\Admin\AppData\Local\Temp\raUQQIgU.bat
| MD5 | 9635c84f5b7397699dc1888bb79218ab |
| SHA1 | c276b542b29c13d41df5f78cbe7e6cd7e82856e9 |
| SHA256 | 2402de43ee2b47e3932e81af206ca1affa54ad85522175940bc3fa146e9fa499 |
| SHA512 | 3359a088df035b0d00c71a9f433f4d0b971433ec99a625dfb7f9e9e638d1743fdba8cdfec138ff1fe0852e8b2514771f07901f32818201a15e2ff2965a464f46 |
memory/2772-1815-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2756-1814-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2756-1813-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1032-1837-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YUUw.exe
| MD5 | cc9b5bc6976731e2f81afb9c375137e8 |
| SHA1 | 851f7e2a8ed53e9d276fac9ad04c0373446f8402 |
| SHA256 | bcbc1bbc253ee631b149ed860122627e24be5046d6d4c3fb1c8d149f3ddef0d0 |
| SHA512 | edf94af57feb7a3f850771f03484ac0d97da04da4e62e3f482d078c5770ac3aae4535784be421339c72e37306734788286ec6785415f1e4b186216efbda34fff |
C:\Users\Admin\AppData\Local\Temp\uwUa.exe
| MD5 | c4e6c828dd357bf00c87d99b804495ce |
| SHA1 | a05d087463b378d647654a3bd5d12b2dc29b78a4 |
| SHA256 | a03f75b6d41ee484aacc408204ae9a8ca6504bd7e95833431e080fc3999b16ed |
| SHA512 | dda0a1c2f4bea7535b2213846c78c19443ff2d4c99cc450c2b6c97610bcca23e00f6d3eb8531f4cf04b83d79b4a1ccd70706147f73a1204557a966c2c20f9461 |
C:\Users\Admin\AppData\Local\Temp\oEck.exe
| MD5 | e414817f1dd448d7185496e9b5a39718 |
| SHA1 | 3b3936e92b9381af59333c99df1d0accc6a07aac |
| SHA256 | 9d9701c7a8ff6c038f9fb58b404d31c4c9839e4f27f5654bb0143c296198755c |
| SHA512 | 942a6862bfdf21b534f7d235d89a32c6b0e55cdfd162bd09309f4dcb6e4c07a4eb2b26167541a8e3448166c55dc995d91efb4336c00f0566423f87546ebc24f8 |
C:\Users\Admin\AppData\Local\Temp\DUoEkMwI.bat
| MD5 | f8e4abbc9a89d47db85686c257698b44 |
| SHA1 | f09ddbeb0d7fb1ee7e70328db6656b898b857ab7 |
| SHA256 | 160d85acb139dbd9554d55888cb4a211ebf58177a15b0c1885325e10b29de53b |
| SHA512 | 32bb3ec68da8a52986dc205c77b7ab8d20ae83be55e388c0c89da51fe4492746d277111d68ca9641bc4fc53e2b95ad5dbbfeb16bf42dba4d951b5d090aac7b52 |
C:\Users\Admin\AppData\Local\Temp\wkkY.exe
| MD5 | 1262737f1ed965178fca334da98d0423 |
| SHA1 | 950453727436ef2911c1f7837f5b6e20b2036358 |
| SHA256 | 1f037a2e2ed4625bdeadd78fdb398ab4a7a9300344203aa243c6f08bd8eaf37f |
| SHA512 | ceb3a25560fbff548dd896bf31700eef0fed4280cfe8672cfbd13ea3ccb975da0b7e581759dddcebee7ccf0ec3b9df58ecee08a99afa976fb386f338330daa72 |
memory/2516-1907-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cgsg.exe
| MD5 | b53fd0f2ef0483e00af6c0d63f72d879 |
| SHA1 | 55e240383702f99deb838ca5c02ae2a837978bcd |
| SHA256 | 8a7866eac6c6f434a3c9e0de2f3ff3277f4741198e0fe3dabc05ee3c8348c451 |
| SHA512 | 8f3f214f0380e04dc1b2c0876e656ba5ab25bf99decc5a8f80846038a2552f8c94f4eaf2365e6c3fdfc94d1ccbe5aec6095855e78115ca6ccb7daeff27c1460c |
C:\Users\Admin\AppData\Local\Temp\kAAc.exe
| MD5 | 9caa65b7cb36345bc2109801bf69c6e1 |
| SHA1 | 1826efe71262d836181210f5111e1a44eabc9e57 |
| SHA256 | ce459d23265d78074a68f2a593901e0590376030d32484b8388af837a4481395 |
| SHA512 | 216da91f6c22e883bd82f9e6ec306576a4171ec130b0ef00528a9e8cf61143a0c28ae284ad93eeb66b006f6febeffb8827622f022a6c8f970140a63177de369b |
C:\Users\Admin\AppData\Local\Temp\CMoq.exe
| MD5 | feab99ef6931b232583a1b3d2fff6099 |
| SHA1 | 3b0f55aa82f12123aed145b55037e70ecb82eab0 |
| SHA256 | 4aa4151b9b02a8de89f83d0fb151c1aea548ebd0d514b0027c788c7faaacae71 |
| SHA512 | 11902547b687bde0157043b0b0e34a1430d7b54ca1ca7f8acfa49280c8f4dc0c27c76427071b385463b64130b805ff8d2e2f391314c8a775792cc58ccf5ebe35 |
C:\Users\Admin\AppData\Local\Temp\tiEkwYwM.bat
| MD5 | 573a65b832ef5e14cbe73a99ebf54173 |
| SHA1 | ca120489916e10ceee72f4d9d7a091bf07da9cc6 |
| SHA256 | 77ab318976251f57a040d32287fe9d161b2bac61c8f9be69208ad8f283ade7d6 |
| SHA512 | d2c2caa64e7baf757582759089a661920f7035dd3e1f2228466cb23cdaceeff5cf1d98171086c3ecf8fb1ff9716132ba81fb3df7bc9cbfc3dad33c6fb4e1db01 |
C:\Users\Admin\AppData\Local\Temp\GwsM.exe
| MD5 | a953b17556e56cb9cf4444524990381a |
| SHA1 | cf93b3de496d4b34a5a43beaedea43c1240f8926 |
| SHA256 | a6059e12c4ef557967b7044ce6fa4a8cb7c70f9c906e50674f0ae2e92d8a1da1 |
| SHA512 | 23888800960cb260df3303de0e943aa7a2a6e575ac77346dd6dd69cccacaf1dbee1edbe60b61658bef518808fb9a7fa65c049e20d48a4c93e2ceb59a4e0655a2 |
C:\Users\Admin\AppData\Local\Temp\goYs.exe
| MD5 | b46db70177a778349bc46dab2606529d |
| SHA1 | de8e209c8f377838788f45ccdaadee835a4e7fe4 |
| SHA256 | d850b75554c7d797a38538270aa68b25874ef2b6aad9c19c6df01eb118afee70 |
| SHA512 | c7ffe374a1e1de0c058619e1f57e31ccb46c0bf67ad6380b1ab1cf20ab9621b970928da60758ebd7dd65da9f49feb581a0f87c584e1bda77dfeae71fb9ac72d5 |
C:\Users\Admin\AppData\Local\Temp\ioEs.exe
| MD5 | 5eab16a5d14757642aef7185fdf888f8 |
| SHA1 | af2c64d5f20108a30071c6e7917ebaa489e262a7 |
| SHA256 | 2da3c9a0694f793e73f678ebab10f08bfc2437ecb4c0df6331242f35a9caab44 |
| SHA512 | 883ae834f49c10d574c196ca0bfa8c53db89e0354e93d1a6ca49ea99ed87be39f7d45cfdece02251c3301c830ce7daab3049455d29da73d00fff4c555070012d |
C:\Users\Admin\AppData\Local\Temp\CgMY.exe
| MD5 | a79b5d446b1eb77033c066a71b59ebc4 |
| SHA1 | 543e346372c7fb705b9f5af7af82b11a46dbe90c |
| SHA256 | 39220366f818d487ef61164dc8e513cd1a8a457ea6193f0da0d64d85099b7812 |
| SHA512 | 1afbac7b0159bff778394022aaf8e591b55da37e18c6e8deeda7b92678353f13fed807d20a7ea93859d6491e3d4e4124dc81daa7ae044ff06969dbe53d971912 |
C:\Users\Admin\AppData\Local\Temp\kugggYIc.bat
| MD5 | 1fc90271bf6c78c65bb3df922f13abd4 |
| SHA1 | b09290deaf204bc70010ec979cb0444416591627 |
| SHA256 | 2280ed49503e0cf92f13d16d01cf5195ee26313d5304127cd75ca4df4d36a132 |
| SHA512 | ee4bf3b893c1d86a5ccc31175d42fa1beaffdb4bd60377e284ff0652afa7df183cd520a581b3cb06145d8048d846b985854649d8c9cb139121932520b5aa4966 |
C:\Users\Admin\AppData\Local\Temp\ykww.exe
| MD5 | 891fe832c59ac566c2f0b46e24d8bfea |
| SHA1 | 7bfd14bfe5a45c7c93df303f79d53c4cb198e25c |
| SHA256 | 9cf6e6bf87531ce07dbc58cee59be2e567db9c17682359ec53e4503ad452ea0d |
| SHA512 | 05ac6f1154abefff5a5209b5fe1bac45ebe5f840af4f369eff34517e3ba5ec37ceb5ef385c91a07a120074f1bdb029b61d9726e813e20a238c901fab1b1a9651 |
C:\Users\Admin\AppData\Local\Temp\egMC.exe
| MD5 | 07e699b7e9ef8f9f5e3652621ea59d72 |
| SHA1 | 2324580fca38266727b1b7884a77d5595b136b54 |
| SHA256 | 22da0815ffc589531c8dd659314574f0b4c880d60a4277d82b8eead0dd2558c6 |
| SHA512 | 02aeed7ecf2e33f14015656e42867b2f09811a61efb7d4f626bcf6143e9530327de6b07e3a8e48fbc9f1b4c34457df0900c09dcf8f55fadfe288c22f842970f6 |
C:\Users\Admin\AppData\Local\Temp\UAMY.exe
| MD5 | c9211329e40dc18726a0d767de4c2128 |
| SHA1 | 254d1a21708fd3111d6a3697a0d6deb50a5529fb |
| SHA256 | b69d92b38b819d46d5c25e702e0c63b29ca4b92d2861daaeb2ece81ef313bd98 |
| SHA512 | 52c95bcb468210f826a0e759717a109b058439facdb8f555d9ef06052c1af82241aef35a6fc2855bd9a620381d7ae78c408fe4d8f225ce734b5270c2e6211e0e |
C:\Users\Admin\AppData\Local\Temp\GSEkEIAo.bat
| MD5 | 865289708dbe9934e87229d87dd25a2b |
| SHA1 | 3d6c941735875cb09bf35b9a252e952b6fd85b2c |
| SHA256 | de34497bf1dc03df11ce97a8b75865cc3cfa9f876b52e9198f38acc79a4afdf5 |
| SHA512 | 5e7777dbfa73b1bf888a8d32135493ceccab6d34e96b1af86aaa9b4dc9541ca85cacef4018dadb84b01e9509c998cd61c592acfea54381257548afd1cf8414f7 |
C:\Users\Admin\AppData\Local\Temp\eosY.exe
| MD5 | 3185d2fb81dce52af80d9597f90e77a7 |
| SHA1 | 8cb2bb9c74fd0d8490ed016485c31912630c0daa |
| SHA256 | 00b8c3196d1a85578dd0536c99038734937e1b22e4bdee57158381e0b493e351 |
| SHA512 | b5606cffd851816770fec332ad0bb4a44eef375ca2a50580df6ca21a0848a48bbaaa8d87fe12424aa90fbdeaf0f0ad5227fb8ffbb6e173bcb43ddca2e5926fbd |
C:\Users\Admin\AppData\Local\Temp\WcIC.exe
| MD5 | 7696a3907b27c36a950cab3894224b62 |
| SHA1 | 8d330b533f9b5d689335306283f03b4f414fbbbe |
| SHA256 | 6956f9ccfc105ea083bad0316a181bf2c46d5cd08a9b01ddb487a3af9e6f6308 |
| SHA512 | 9161fc1704f1c9e5b4603a1ee8b7c2b483aa6a437bee93fc1d19c3b4f8cb77a1e69f72b5dc2de64042014aa564bf38b363df6b340feeea62f1ced012ed5ca174 |
C:\Users\Admin\AppData\Local\Temp\ueMQEMYo.bat
| MD5 | 8e244b7e01268baf5542786fb86ec896 |
| SHA1 | 706779fa11ef8aff8dad26e7184221ec5a989419 |
| SHA256 | c5d52f05d0bd61736e02e1836af788520104f59bc8dacf73f38d5a77215f4c1a |
| SHA512 | b546e46d99d88ca98fb013dbcdf3d28a581e15c2a6fe687dd6924857154da3b29c9b9ec1ec08d12d441e48f0f6cdeb49410ebdc5951ee3cdf42b025e11cc4fc7 |
C:\Users\Admin\AppData\Local\Temp\UYYA.exe
| MD5 | 01bff4c6469082f60826064348ac58ab |
| SHA1 | 8c6effc21ebfe735d2876c220e93e8400f22a436 |
| SHA256 | 2544f5c72608b7d11fb952880e3e6590ee2c542643a5bf29c5fc9af7b097a3eb |
| SHA512 | c37682c9007489e865154810a2874dcb85747fcf388c7836b2e2f6a16c9db9e6272e994798a33526e9593a8a8653297a774661371dc18fd474edebafe64a6ea9 |
C:\Users\Admin\AppData\Local\Temp\mMUy.exe
| MD5 | 4e06f2fa59c573d14f028f3e851ba15a |
| SHA1 | 13d3f2db6879730eb507267355f8aec17c908728 |
| SHA256 | 3d1da00603e74b2a7fad9239d00d7094f00af84e93e0d7a2ace4f1808fa453a1 |
| SHA512 | d2414ca9876a444ba57a4279c4167f8c6affd6e45b3f642305d7c1dae4a821853c5a1dcb0e29a7e17afdbc05e62cd44826f2c754f27734013a183f386718279c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | f2ca0be209fc6993995cfab8ad281fe6 |
| SHA1 | a86d5a8b91c7ab815321d1e4a9ffa09cf7937c6c |
| SHA256 | d1a9031e5eb8b8ee3e7dc6d1f929c07868be321b2a706623808f5037d004ca5a |
| SHA512 | c5ac1054929411b0b4e2ccf4ce6ef53c835cae570884df340cf770ebd01e0eca2b57eec59c818ab2213f91e97a1d08d387788272a4a77f2ce7ea3c7467406d83 |
C:\Users\Admin\AppData\Local\Temp\GOoEwIMs.bat
| MD5 | 4e3139d3514f76e4d20a77f2cdf3cda9 |
| SHA1 | 076db7afe400fc0c27959db4ffbba995175df4df |
| SHA256 | af69845f63848c06ceb2755a54fb8a253d107e7edf1d73b4b1d7fc60f6fbe554 |
| SHA512 | b4f6665c9e96bab2a7728d2fde43006b0a161a6132970f08f40682d4175b61499ea2e8dd87ba516f2ff8e68435fff67a2ec8966b06d131f6cef48167c3c74bde |
C:\Users\Admin\AppData\Local\Temp\YoIo.exe
| MD5 | a6d6d14d11bcbe319fd9c8f1a06a2de0 |
| SHA1 | f596dac20c1a4acb671880f66de2bbcdf9aada60 |
| SHA256 | 82dcebe535da4b28551637f599a8e9f00f9ac67539727d856091a2af28fa35ca |
| SHA512 | 8fd679d48d4c012c4cff3c7ba626fb96a60e365cc9e1f78bc84863f39b15b60b2d845578c219c7cfd0e6e6f0391be9409ea2d99ba15e52261038324811fd3820 |
C:\Users\Admin\AppData\Local\Temp\jsIEEMEk.bat
| MD5 | 42a759668360af01a668d700205e1836 |
| SHA1 | 459df14817e541726d7a769521ae4c8ff52ffd68 |
| SHA256 | 373a8d508ce3ba36def88b9bc9a8d7024c8f3371a5c86bb3bfc64cce9d7a870e |
| SHA512 | 6e305effc4ce344ad26796715bf50095e678812e5159254dd862973375211598ac3f6ac067b19963291f9d2218b1efa6f5d34ab945bb07318e8697e4088aa798 |
C:\Users\Admin\AppData\Local\Temp\oQUe.exe
| MD5 | 926a483efc7749c807e4889f39ec4407 |
| SHA1 | 1155a51a6532b092a6dbfee56e64dbe300613fbd |
| SHA256 | 46e2653b14708821bcff074b118abe5fe4834117c1929196421ffb2bbd1fb7c3 |
| SHA512 | f173202fbcf371e17ead14f7fc678750a5dfdc092276045e6d54483793bd7abdcf2002e7d4164e882991f7966bd33eac9c9e283079040a8f7d9c05ec99be8682 |
C:\Users\Admin\AppData\Local\Temp\kAIO.exe
| MD5 | 4cfbded314954df68eac8a07dbb92b61 |
| SHA1 | 9fa403a5e28af5ae2c0124554f67b85527d0d00b |
| SHA256 | 5391aaa97125c0649dda2215951a89f9ff134bc573e35ed4504ba0f9415a1e60 |
| SHA512 | 21f597713d88396f07182a261d131654ace64aabf301e1d0a04133c08a9ee7fd78c01638fc1c9fbb24b92e0429d378dfd90d55d4771e9edc4ff4f0412ee25f01 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | d700054f25f6d1636c3ed9a0801a8dd3 |
| SHA1 | fada6c9f5d82c5144b1e36aa001f70ce13898bda |
| SHA256 | a5be13c44ede17dfe494d2789b8d4590d6831756b681f5edcab534788dc0bdca |
| SHA512 | 8b10b95b02905b47f38b283c0c0a8ae125bdad05142682593e03f32efec970098147259cb35dfc002b3b5be3ab4d88f74c62647a61676d00466c1a0d1feb0f23 |
C:\Users\Admin\AppData\Local\Temp\XGwYcAog.bat
| MD5 | a1284135402c262e886201749decad4e |
| SHA1 | 572695dbbb5033ad1c41cf0d68d591c8509e801c |
| SHA256 | deedfd8673d0c2f6d2b83b3046b581587d63171a9ae1ff7270d096dcf1282ac0 |
| SHA512 | 0068a42337dbb9c54f466c9e007dfe3ddf3f80213ffe88295b558e6e3b8249689aa3b962180ba9c846f0b637f686bfb7a460df8f96d8083509769e380a832235 |
C:\Users\Admin\AppData\Local\Temp\AcsS.exe
| MD5 | 4dd66ddf1ef9964464353c361e6262f7 |
| SHA1 | c86e9605eac1d5ad47dd39255a6dcb38b2f7cb0f |
| SHA256 | 00fe6c25f520d69d84c3b25fc5f93ef4880076a2a05e40ef033f3d414beb9b19 |
| SHA512 | ba2cb78112907f982cdccf2ed36c092fcd2aab5d03076a3978900824d8610b077a12d8043302e9f03965de5ffe809eb09492574aea137f5b1b9088fd89f8d224 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | 43a95cdf0decd8e7ad4206d1468ff05c |
| SHA1 | ff43689ad693d8fa352abcce5471c344317e26b4 |
| SHA256 | c8de48d48c4684ffd599f91789c4d14bcb830162f7eaa1848cceeaba6ef82a8c |
| SHA512 | 97160176e5b42612066ee3fa4e0205a75fc6d6ddadf62083549d2650804ade9c823575c36bbd51e7e07ddd1e1df90868726f434dce66edfff036b6a65a985ed3 |
C:\Users\Admin\AppData\Local\Temp\duYEIUQk.bat
| MD5 | 1708e6e722ca809c5fdf8767b1dda523 |
| SHA1 | 476e4d485ab23c19943dfe87ef153ebac75bf5e4 |
| SHA256 | 9b820fd05e1fe21805d17fce01419550f82242ec7c90c4097648978439ddea58 |
| SHA512 | 5913cac22b85d0601fbad29d35c27d310605063b1582cc7b6f4527c1ccd3905bc2e8732e316bde341b68596cae797ed5c43afc05dfbc0765c1dc15c420a41401 |
C:\Users\Admin\AppData\Local\Temp\OUIy.exe
| MD5 | db05b971aa247f65c582a62ef45d6030 |
| SHA1 | ea03eab3555849b2f9cd668d811c7b371e362d15 |
| SHA256 | 2427e599a15db663fc991ecca3396dc35a5f56f9894cd3c8f21407a9fb1ae38c |
| SHA512 | 51183e88d19cb49b85353e1d68c6058a730214d76da151e92d357a5ffa6fe70ec718949c59b99e28c534b6f0423daf5b793874df341a10034df98dd16c991e90 |
C:\Users\Admin\AppData\Local\Temp\XmYUkMso.bat
| MD5 | 1f45e43dbe43c07e11ce0af5f3d2a1b8 |
| SHA1 | 024ec8174dd6a50c396fdf532371bfa398bae5da |
| SHA256 | c8bcdb6344c916896d2b9df26a376c07fe26625bbda5f4d16314468fc7f7306c |
| SHA512 | fdf528d4e92ef78cc224205bc908713a62f87c7cf58ef4bee5161f12ce2f1c4976b49e0307c1b320b970eb37293e7fa7bf404ea4078b77ea9086c8183cc7d01b |
C:\Users\Admin\AppData\Local\Temp\LYEoowAY.bat
| MD5 | 99ed57c711f63ce06216df33488f50e9 |
| SHA1 | 2417541375a1635e1ee3deceb7708b4c6483e72b |
| SHA256 | 4ced059b544a175c5893ddac12891b2ec21fc1bdcd6551ab0c4af9ec0f945f8c |
| SHA512 | a69a1df3e7ed59b2b4bee15c27f1384beb541f5e3ee34fb8fbbf2ce611024baa50a64c93a288f8dcf103fd317414d663b217da3cf95addf4cd91b7d8232d5073 |
C:\Users\Admin\AppData\Local\Temp\YIcG.exe
| MD5 | 699c87342cf045847f049dd570d3f7ff |
| SHA1 | 2f748435eed2c1cebe6b512a48bbe30a1177917e |
| SHA256 | addf524780589898e169ce2b51ede1b6695445e42dc7ae74ddfa8e61f941c1b5 |
| SHA512 | 8c535e187d8b82a2ec35c0a22d0c50a8db0d2ac0c583828acecb699c8bab6c1d3b80cf90d0b77d3739ce0d8ca6acb4936e97af8043dcc08a255658ebc6bfbd24 |
C:\Users\Admin\AppData\Local\Temp\mYkI.exe
| MD5 | 376bca96f568ba275747557b67700294 |
| SHA1 | c20c78d32714cfae82d356ecda884dfbade76acb |
| SHA256 | 2b32ca517c3dbe3d1082212a31d2c2299f704010da7a064a7db993276c538c35 |
| SHA512 | e5dc8f82b3d47d129f831d06be21b8e4580370023934e36ee949faf3923fb351d2f58a30923315938b9ef8bb3d2b767fd8ca8de72f1907fcc4a7a3ff0efe19e5 |
C:\Users\Admin\AppData\Local\Temp\Sscq.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\yKQAMwgM.bat
| MD5 | 3da7fd3e52ff06a65428a010dc66f048 |
| SHA1 | 9c7a33988e9e5073560e1032f4c2266b16aa86f8 |
| SHA256 | de06897376d7607ba24d1a88e65228197ccea8dcf89e1ec8371877f73616d348 |
| SHA512 | db427976a7cdda698996516a9b5d372853d3661e0db1809e1ce4208d928d881a3d9e34055b01a04d202a2d8b2240aefb62fb34b8f074b14e9efde7d397e1e059 |
C:\Users\Admin\AppData\Local\Temp\yEwC.exe
| MD5 | 51487dfeedd423742eed0c0b9cbfd07d |
| SHA1 | f0f372baded48c6412ac4138a95f4ca19f75ad40 |
| SHA256 | b22807b4d0cad766996dba6a1b49ea944e548c7ea057cf092735e9434bcfa765 |
| SHA512 | 9bfd25befe5d42e2b24d0ee7c95d91611c4f44f3ea39204229bde8ef62dd0b3b937f81f1aae779f550ac988c90d8b30b54b10ec36bf7fab620255ce959e920bb |
C:\Users\Admin\AppData\Local\Temp\aiAAwIwk.bat
| MD5 | a7d8daa018c4745a6908389ca7f95c5c |
| SHA1 | 6c3be2756d0c3316fc50f467d36fad7d4b8f2e6a |
| SHA256 | 4a236b9cde009c469ce86d0314673c3b1064cf4c5936a1ca0735f31106c8ff69 |
| SHA512 | 478d3675f7ca1a1b8f2ab186ba6bd43f9c69e60afcc8d967114bf383c38c212d7624cc04572e6320b980062a43762fc49945e0e1519394d175c90e00300740fb |
C:\Users\Admin\AppData\Local\Temp\KccM.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\AosK.exe
| MD5 | 66eb7167995683380c54d467346e4a55 |
| SHA1 | 8afda71d0756557b6521b533efbc8d10b884d3bb |
| SHA256 | 46841a7d55cb5bbcc3cb72692cfc04315ed48f6718fa80403f369d1705dc04fa |
| SHA512 | 686d3611eb7a7b8dfdbe6c4ec27970d1237d35947bc444bcb7146197380dfd342323ca51b65fd60bcf39bacba0cfb0e8bff366d3e6526e2de1763de19d321d09 |
C:\Users\Admin\AppData\Local\Temp\MsUi.exe
| MD5 | 70765a0bbb528679472acd78f91e1d5e |
| SHA1 | 938fb8d7899a7304814cb69bef2419a9b9a07eec |
| SHA256 | 4fc2108a62a32c383dfdfc3029cfa3952f9171cba2580f7af6830d861e904f61 |
| SHA512 | 9ec28cfe5d3ed889f263bae47611d0c1d4403b8f53c844fe53002e78037312a12ec55f10679b9402a7d1766ea86b71d75cd8099de292bf3fe69d18262b3448bb |
C:\Users\Admin\AppData\Local\Temp\Qwwe.exe
| MD5 | b3c28b28aeb89d0077df0c610323c060 |
| SHA1 | fb199a2181e5791640e8991ed31dda99319ad094 |
| SHA256 | e48975b806e6f8e1397fb71ec8aa9ff8a39b46e656b26eb87f2831da77291b33 |
| SHA512 | 3906512de3bc067214be786f19e3266d90d08743c94469ca4e610fddc12712e283c115171d6d84fc5b88628194e40f427372aafb2d348a72f0280b3b886831fc |
C:\Users\Admin\AppData\Local\Temp\CcEa.exe
| MD5 | 26c2680a6a2df4db582a6d2d0f52d7a2 |
| SHA1 | aa43931b98f500a6c0e4f265a365ebf78a17ec6d |
| SHA256 | 2b322dcf22f94c329c727bb8e35b5c2bfd0481e9fa2285b988b9cc43efcbba40 |
| SHA512 | 598785f5519549529760536eecc1ad57eabf746b25faab140c21084c0170bc7e3b50423be7957ac22a11e4e2b7f507e49343def7743ae5b6bd370e94cc4fe4fe |
C:\Users\Admin\AppData\Local\Temp\YcYE.exe
| MD5 | 0d142ec080500814b554df24cb4b84f0 |
| SHA1 | d5c27864d0aa0921fd3131f0fb10b2eaa0da35c7 |
| SHA256 | 7a9559b4482f332eba41671adbb22dcd847694e9793cbca1841ee25dc7fe0b89 |
| SHA512 | fd61e041699f7a340c41c5c92b3ae27e09d2e16052dafd49f302f69d0bbef4df41339b89b3c248673ba88849ae08a4b4d7a0afe74636beec7e066eeb8bb0242b |
memory/3004-2627-0x0000000077B60000-0x0000000077C7F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mcAM.exe
| MD5 | 62a006d51ded3217ace556f0fb7fa9c3 |
| SHA1 | fe239222224410d4fa7d874d449afc203dc40ee5 |
| SHA256 | 29ef88b46026dbbc841cd06dc059e5b45387ddc40f43f4dbc1e58f1d59216de2 |
| SHA512 | e24c97e13b3c57856cf5c33f93d800e1044ee3f98aae2321cee44da797f2531c8c190c867080678f158b27cf089ea1b85cd553ca0050dd0abc85ffd2ed7d674e |
C:\Users\Admin\AppData\Local\Temp\EcsUkIMc.bat
| MD5 | 7a58268639568b817e8f622eeaee847e |
| SHA1 | 73dfc26602513189e8488b56f19bd9a0ec2a02e9 |
| SHA256 | 0c5b338fa331a00aad447b96d05d1d5021159ccbcfb449bf8cb8de1bc3a3cc8b |
| SHA512 | a73557c2cb8b5ec754faacb28eb2ca6ca9a9f8c29b51a1bbc19ac73cd1670dc92fc949da435a3a92fcf3f073bab57a2dec3e610fd8d4bd74d027dbe4f6c79a5d |
C:\Users\Admin\AppData\Local\Temp\YwAa.exe
| MD5 | 2f00c47cc83508642324b76383dd605d |
| SHA1 | 9254b69770ba89a3a28f33560afe5a68a6317198 |
| SHA256 | f5eff9a1560905632738fae2e057a3d67aab224410452284f6e786f25779e642 |
| SHA512 | d9e359975a02295744de780b1999329f600a51f67bfed2a4c1c12b3c3d4085d10f32db41693e92f73f4bab76492aa298892bc111081298476bc0dc706084f74f |
C:\Users\Admin\AppData\Local\Temp\wEAc.exe
| MD5 | 215a5c709dcf201b0675f4fbc082e6d4 |
| SHA1 | 5d8204b2133f8d751324e8008e430dcd422c2b6a |
| SHA256 | 3038ecee2385a5605ecee32ee25873fd4b15e4099cf760625c3c29d8d30ca98f |
| SHA512 | f2ee8bf2406291af2135525cdcbbeeb479b732294c8bc8127ccc6008f9a6e18105848da00ccd26027bdae90f7824de75ecdba4f4a1f8df3696bce67bdaf81f0e |
C:\Users\Admin\AppData\Local\Temp\csYkscgE.bat
| MD5 | bac80f51b36bbf287685b74fd6272fd1 |
| SHA1 | 0fd125145a67c273b3c13110277af029329585e1 |
| SHA256 | b2975855ee48328f272b1d0e700f54662d0455b57b4790ab3810e82827af9f04 |
| SHA512 | 973339720e059629f3a9a99276d79e976e7ec2f048af40c45e4fcafd6d97cb26ae2cda7c0b2e0ee70b69d4d4f2bd3889604e48a71a60523ef08bafe9156a8ea7 |
C:\Users\Admin\AppData\Local\Temp\ZugYYQoc.bat
| MD5 | e1559ece564b977baf70a01996e7b08e |
| SHA1 | 53fd35e444589d739b91e67b6dbb3a6fca074df4 |
| SHA256 | f6ce01de5e1c9941c4c218f8b5f74116c551c17b9f0268d067e50bf5047ba04c |
| SHA512 | 4ef341c1bc5eac4212878491e1fb3f8bf79c5fc8281a27209e04d2a249499d8b1bbff06f08a1276ac4d0e39394ab93add787b0c64d88ec70e66339a7886ed324 |
C:\Users\Admin\AppData\Local\Temp\zwsoQAIw.bat
| MD5 | 8296a19764235e094ee592e2279767c4 |
| SHA1 | b0cb31bd9cca0a0244c71cd568ba09f2511c5121 |
| SHA256 | 5e8d0ad139ff16242831b8262bf83a0a06804a58adda2f3e9799f1a2d339369d |
| SHA512 | b7b0ea7f57e9a51511b9374a46eecc9b2eaeda142d08fe233d15d95d87696bac55792ca497e09efe9108cdce6eeb3a08082a9ecd6cbe2ba09667b1b1c26b7221 |
C:\Users\Admin\AppData\Local\Temp\vqkUYMAw.bat
| MD5 | cccc9e4807c80393ac81980fe4e267a3 |
| SHA1 | cfc8a3a175a46e28b8b56bb99c8c2588ae3591e8 |
| SHA256 | 7374f02ea9e1cc3ab85230d5e421d7d1fd14bcfbf78427529c802d595c7b6df6 |
| SHA512 | c047870b7e848c185926db071311f7438edad3c64bbf767c6ceee2a4e5568d79159270439e7663ce260aa09a6a5e9edacd0840724bc1b040123f9636d5ec09dd |
C:\Users\Admin\AppData\Local\Temp\bokUIcIo.bat
| MD5 | 73d8b8ae68d83468c34dee10f04638ba |
| SHA1 | 3aecd0a00ab09378d9a31e66c99b516f4cc225af |
| SHA256 | 59f0265c86042167702215ab5844291ba6d84f2ccc9a59b3f718216fe54816b1 |
| SHA512 | f181a40f2e1b08ecb1d471104311bb1c84ecea3555e0b20edf9cbf6550fc1270aecc6bb0e24eed49fdb2fc17631b0f71cf035115fad5beb4cab6b3d94dc5f67a |
C:\Users\Admin\AppData\Local\Temp\kAoIkQoA.bat
| MD5 | 89291a78b967d1ff9b3b29b58b693d0c |
| SHA1 | 23d7ed7412199d05c16ad12fa0c8d0baba7c464f |
| SHA256 | 89fac892f2ddad534897a9907f8c7ccb32ea038991e88f746a58286cfca01d35 |
| SHA512 | 56a3f794e26880a4aef84d951d4a7391c96f77144cda8991a478c6955070fe0921e4b0aa6782c4b5c714a0d9972316c32d7e91f46ab588f3773ea2cc018d6037 |
C:\Users\Admin\AppData\Local\Temp\uEcswIQc.bat
| MD5 | 7b323230c82e9ea9e11a901e9fd6e75c |
| SHA1 | a13e0ac3eba9c23ec9808fa8aabc5ca1f3119de2 |
| SHA256 | b822122a27e5841dc77c526331e7866a6c843782e1a6686e63933c3c911abefc |
| SHA512 | fc1e945dbccd767956d3b5823437d4b7cd870663bf5e4393448c15211034dfb4996a09d481326572a2df0f0880c41365e9ab466f316326a38827fd24b8569ca5 |
C:\Users\Admin\AppData\Local\Temp\akgAwoUo.bat
| MD5 | c08dd181cab839c6514ae932093f0f2a |
| SHA1 | b20ecb4819be12f23fd715a1ffd4d10f2b2d7432 |
| SHA256 | 519707784ec71e9999f4ee7e7ca411ddb1a7ec8ebd80cc6ff5024383626c42f6 |
| SHA512 | df977be36624e43feb831608df52cafcbf9dbc59d4acff5ff1c5115c6e2c68106cbc207643ced4c134b1ffeaf6d0b235f4ab69bd54350891f0444fcb10c51a11 |
C:\Users\Admin\AppData\Local\Temp\kusAoUwY.bat
| MD5 | 34e1ad8cdb556063e4040c477f2c9e2f |
| SHA1 | 2f565d8fa5c9301c035efef4d57c03df369fa262 |
| SHA256 | 413a3f4e2f367b0351e4064c23fb12fa8bb42449ce743780d79b3b105a6a9d5a |
| SHA512 | 9dfb2e885f160c838af88fdafd3f0923d64fd33986d40911502caf7c7599c0311bf50f9064b3b7397648b925504b56f7b827c09ed5527dd89859c7c21ba112b8 |
C:\Users\Admin\AppData\Local\Temp\EkwgYkQQ.bat
| MD5 | 9692ea9cdb36ab8b102398309cc429bd |
| SHA1 | eabd90cc58874935db1e324bff88cff251c8fd07 |
| SHA256 | 8ea0d62df0ddaaa748b9bfa976a398b198d0477d6db1b2de85b116969536524d |
| SHA512 | af3f52cec291a51cff89f4d42b6ab8e87ad3924d0ab41039653cf19bd5f81eac0a1a9f07f5680f18a7dd9347211082f8e1b178e1f5ffcb458714635c4a308b8d |
C:\Users\Admin\AppData\Local\Temp\dSQAkAos.bat
| MD5 | 02629a3dfd48c667fb7e4793de183c71 |
| SHA1 | 28530d3303e899ac3c06088e654b3e0fa060035d |
| SHA256 | d6814887843ee8f0ea0fa5a0e1f2af3624af25ca7f9c59c170528ecad8eed3de |
| SHA512 | 4bd78e629216c49b2480ac70cf50cb2ea157db7e44dea4a991e44e113469beed7c63680565b85ae8102f9fea14b1cc3ca4ca06cce5bc69d746a334c7d2b573b5 |
C:\Users\Admin\AppData\Local\Temp\dEUwcgcg.bat
| MD5 | 053376338907c1fb71ef4b35e124b7c3 |
| SHA1 | 3d9e7dbf649304f0137ac7ef86141f9f97c2ff81 |
| SHA256 | 7758e8077d89503b8c6a16033ab3578f5bc421cab17ee90db3c773d8d5c762e8 |
| SHA512 | c6c2c0fec0e68bd9d973e5dbf3e28181a70e611b644aeec4906366abf8be8d01c2c59707cd4cf7392fd5a5573a411e8bc5c16d642c89b1cb5477040a5c9ae685 |
C:\Users\Admin\AppData\Local\Temp\XYUsYMwE.bat
| MD5 | 58156cdb923ef6fab67eeb27230e6c9e |
| SHA1 | 8d5c5af487bb7473d4eeb53e9aedfc38d3c7c78d |
| SHA256 | a8f9becec33b07050ca5865f63704a9a94c652a75c081f701ee004f012618831 |
| SHA512 | 459b8cf4fe00e850bdb08e551ee49251154274285a16a8d0bf2cac6d505f992d370f8aa54ea2e347cc14984f1291f3eeeb40fdb16ac9f6e6a9754527a90fbf6e |
C:\Users\Admin\AppData\Local\Temp\lmUAMAQw.bat
| MD5 | 81d746c98e8410774b0d772a294748ee |
| SHA1 | 8f0d676ffd2e71219dd0c7edd3d88814a06a3590 |
| SHA256 | d8b4e910539c39d5ea8f54f79b76b2b82d1ef1cc8dea27f278a70e3414bec995 |
| SHA512 | 52361faa67e30ba15bd69e079d2b0124e8280b3af4817b06435777e484373e88df3f641c6551972d9e1d91bef6db9b50c30dc077e88fd801dcb948d89c80b2de |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:53
Reported
2024-10-26 04:55
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (83) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\ProgramData\ASUQUwog\iuAYkIUQ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\zIUYsoYY\NWcMgYco.exe | N/A |
| N/A | N/A | C:\ProgramData\ASUQUwog\iuAYkIUQ.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWcMgYco.exe = "C:\\Users\\Admin\\zIUYsoYY\\NWcMgYco.exe" | C:\Users\Admin\zIUYsoYY\NWcMgYco.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWcMgYco.exe = "C:\\Users\\Admin\\zIUYsoYY\\NWcMgYco.exe" | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuAYkIUQ.exe = "C:\\ProgramData\\ASUQUwog\\iuAYkIUQ.exe" | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuAYkIUQ.exe = "C:\\ProgramData\\ASUQUwog\\iuAYkIUQ.exe" | C:\ProgramData\ASUQUwog\iuAYkIUQ.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\ASUQUwog\iuAYkIUQ.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\ASUQUwog\iuAYkIUQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
"C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe"
C:\Users\Admin\zIUYsoYY\NWcMgYco.exe
"C:\Users\Admin\zIUYsoYY\NWcMgYco.exe"
C:\ProgramData\ASUQUwog\iuAYkIUQ.exe
"C:\ProgramData\ASUQUwog\iuAYkIUQ.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIgEwcsM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOAscUUI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWsEkEEI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pegQUgAc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuMQIgEE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoEoAcgA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuowEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guwYIEAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwogoUUg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSkIksEw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAQIYgsw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgwkgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSQkYYAA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOsQUYwY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAYUEgco.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYoYEks.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIgQgYEs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REgcwoAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQsQUYMY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMkQQIoo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMIcAUoo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCgEsEEo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcEIswgY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmcoIkIg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMMwckwo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekUAcYc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsAYgUsU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaUQcIgk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMoIMgAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQQgskEA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOAAYQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKgIckcY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fisoccwk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMsckIYs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkQYEgkY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMgscMUE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIgwYIoo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqwcUAwE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UegoUgcM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaEccEQg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LssIsMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmkwQIgw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSYcQIEA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EukQkAco.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWYEwIEk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwQUckQI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOMocsAI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGgUAcEc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYEcskIE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQEkcAoc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOYoUAoM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BewkkcoY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkAIcUAI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqYwAosc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmQoEAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGUUUckk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YygIIkYY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SakQQMwE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccQoksEU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqcQQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuksMsMM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaUoAYwI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgoYwcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeUcsUgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEEsAsA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYgUcQMY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsYkEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEkQksoc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSgoMcoY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSoAEAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWQcUcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiQYoYIo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEQcQoUY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGAcQMcw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwEsIEQE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgosAMYA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkAsIcMw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIMgQYgk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqMAkMkY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoQQssAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MusgQYcM.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMIcQQcs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pccwcsIk.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liskcQgo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGoIIsss.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEAgMwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcUcAoAY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeQEgMQE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciUAMkkw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSAMQowE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUQIswwo.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyYcEcYg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUYEAYcg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYsIwUI.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McwMwoQE.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEkMwkMc.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIIQIksY.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmcMEgMg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twsEUYsg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOgIgkwU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IecQgoAw.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIUkQQgs.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGQQwUYg.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OigYUsgU.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGQIIYsA.bat" "C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea.exe
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/1480-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\zIUYsoYY\NWcMgYco.exe
| MD5 | ae42b24ddeac72799ae7dfa384885d1f |
| SHA1 | cd5729738d49a8037dca3923e97e3cc9493aa151 |
| SHA256 | 805bf32ce2c5bf8b0986fc6940ce0ce26b79e033565af2e0c65193c186ccdb0a |
| SHA512 | a8bc1c17bfe3d58cd569e2240746f694c18654d79519d02bbdafa9882872d280df3ff92c0c8d062a0a04f9340982940f191fab4d8dca33af01ceedf0254d39a3 |
memory/2184-5-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\ASUQUwog\iuAYkIUQ.exe
| MD5 | 69ead4da2bc9f38c4dd5809d8852e0cb |
| SHA1 | 7a9273b74827ac6f0b02e669eebd589debe81a52 |
| SHA256 | 82239b32497c6760f3e038611e5ccbb467ea0d30be9de1ab3d434b175915cd88 |
| SHA512 | 144428c065f7cd38377c6969bdea14ea2ddb90cca1544064e41dc94ebc73a0b245246073bd2c73a7008c01e33790607838eac43da8d93b3108634539fcfd8995 |
memory/1468-15-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1480-19-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AIgEwcsM.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\f12a88f032fd94b4bb43496d87a63ad30ae57202738809c0de90a5e44003c8ea
| MD5 | 8850c1f63d9932bb2d8e957ed72d8fdf |
| SHA1 | 44271a436bed981ced2c5f3839733bbaa54dc8e3 |
| SHA256 | 419b5f32629b747ac897aa66acf77ef2320d4f066470d616e21fd248a4a55f29 |
| SHA512 | 8a33601de5ae88e7dc7aac1325514f68c5e8e40fc7514fa1d1542e78fddeb6612b26a04bd109e40efc36efb591f5bef48693a918219b9e56598677cb26e1978f |
memory/4344-30-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2240-41-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4020-52-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4568-60-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3288-64-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4568-75-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3044-83-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-87-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3044-98-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4168-109-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4452-120-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2956-123-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2956-132-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2872-143-0x0000000000400000-0x000000000042A000-memory.dmp
memory/988-154-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2384-165-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3992-176-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4196-187-0x0000000000400000-0x000000000042A000-memory.dmp
memory/408-198-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4344-209-0x0000000000400000-0x000000000042A000-memory.dmp
memory/376-220-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3260-231-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3684-242-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3996-250-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4808-258-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4212-266-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1080-274-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1052-282-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2108-290-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4432-298-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4780-306-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4788-314-0x0000000000400000-0x000000000042A000-memory.dmp
memory/684-315-0x0000000000400000-0x000000000042A000-memory.dmp
memory/684-323-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5040-331-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3348-339-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2444-340-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2444-348-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3076-356-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1300-364-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3404-365-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3404-373-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2712-381-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4052-389-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4884-397-0x0000000000400000-0x000000000042A000-memory.dmp
memory/780-405-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2264-410-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3624-414-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2264-422-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2244-430-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2224-438-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2424-439-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2424-447-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3876-455-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3084-463-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2688-471-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3244-479-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1044-487-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3616-507-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eMUC.exe
| MD5 | 87195fc65b8f902a9e41344f3a6116e4 |
| SHA1 | 30006918c057bacdb69b23d2e2d652111b344f8e |
| SHA256 | fe6157e3d2493ad9a5d93e9cce1c26d6823c72a0ef00151613934c4131ae57c8 |
| SHA512 | 65e4ed4c83749c0225f1c0c1afb4dd7b72cb2f2acca8eb4e4896a16256213b277c475af0526779eba533a9611a3e31b08c4fdf34c2f895fe3375ac1e0322d470 |
memory/3280-511-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3616-519-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IwsA.exe
| MD5 | e203b7beebfae8940fd39b2eaf1fc890 |
| SHA1 | 761cef5c17c10deb0cb5063c9dd28e726dd41651 |
| SHA256 | bb7ac78858238deadf4cc366024538ce96e79017717148315db13238bd6299bc |
| SHA512 | f6132efd401075cf7630f2ef1afcf095e6eee6bdb12d146a0a7989401f74b34fe1f4e076a1ff61446971be18d40ec4b46f79153d93a444edd96f1a7326168787 |
C:\Users\Admin\AppData\Local\Temp\Scks.exe
| MD5 | f3d47baa8f5d519d280561c7982a8137 |
| SHA1 | 7dd65eb1a8532059806eed2ccf883b6988e5073a |
| SHA256 | 29dc457b57a781fd185c3c3e7b1c76a3b1f61e70051ed3e84f1fa7a18cfb5289 |
| SHA512 | 22cac5245be536f09c286349bf2c855bab2314e9a471fc955f02313d2981b6ea116a210f3284d127870ea3fc05a0ff6236b40760a6196d56820ff13ebb5f08cc |
C:\Users\Admin\AppData\Local\Temp\mAYM.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\KUIa.exe
| MD5 | 9a3f7c4b3643f5fcac7064a5fd6f7f73 |
| SHA1 | d4967e17aae881ae53cac987d8ad4b32ae4b2a81 |
| SHA256 | 0fbe4ab1d582d950a4c2a77ca75f73ba674f3523d69642ee3792b23dc23b94a3 |
| SHA512 | d881f2a5c420b78e960048c9321ee56ce22728c5b3c514c579347ac587c553a1d8d89120ac7deabf7760942c54315a564c1a96e5ef2ffe21ae8fe479a8346f8b |
memory/4680-569-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SUEo.exe
| MD5 | 0ad76cddfeb2bfe20c7255977e8aaec8 |
| SHA1 | aef3a194f9daea3fd8d9a5fcbc95375694ba34b3 |
| SHA256 | d1960378f788c9be932cb2090ebc91354cdc7cbaefb001e7b29c07ef58fdbd5c |
| SHA512 | b4b09de6c5b7be8989747b7f41b18a94261b792ac72a211d45013b25905e14b5c691bfd8e17d68acf794e57cfbb107d3fa500477a05ca8a72ac0f09fd30114ef |
C:\Users\Admin\AppData\Local\Temp\WsEa.exe
| MD5 | d80af8f67d924097342b1241259b370b |
| SHA1 | b0e2d9a5276c1ae27ee38d2130274645b462aa41 |
| SHA256 | 4f34828e2527828948ac9258af37f4311060cbe6a4faa3266945b2d1ca9dd9aa |
| SHA512 | c41980808fde26d40fcc99ac3e63419f4bf49996884a5ad6c12af57344b118a614d943ee15195a90c7ab83d713ca2d57dc5ef6e0fe23b3466c25aeab57bbdb9e |
C:\Users\Admin\AppData\Local\Temp\GMEU.exe
| MD5 | bfc44fa3f1854218f513b577afdb2f6e |
| SHA1 | dbb2c1428eff378eba600cf1007a2642bea83b74 |
| SHA256 | 8f21f4bebe825ca4df341a1fbccdac3ad628351597b389c77aeb407a1046d36c |
| SHA512 | 464c2792dfcc46504d4968a1955c57e19439cf3d058fc9edab191e501b3a92ce4fea0220695e6d386f3b738b0806656bb4b6c90cdce78a6e3856c85482ebbde8 |
memory/2420-632-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IQwg.exe
| MD5 | 2bc4d203c9b9532febf86aee10f17f46 |
| SHA1 | 1f73f3895eb69fc86dc07c5a9548bef79ea58ac7 |
| SHA256 | 4cd289911baab72a4bca688a2f0daa1c3b91cda6a9f73757514d5050d86e520b |
| SHA512 | c5dcb5794fbd558f515077446c5dd406a72629bb032bf9496ff8365fbe8a34d26aa7dd74c1e697742945627f6bb087e6389a54dfadc2e69849b1dcae6b3c4e57 |
C:\Users\Admin\AppData\Local\Temp\KooY.exe
| MD5 | 69b16e06b0937ec25eb7587884d1e920 |
| SHA1 | 8b656f7bcf84baf46048ef2132bd07dc59d33e49 |
| SHA256 | e589e94f30bbfafe3064baa854462b44f4004a3a3d9f0f5622b340e1806c351e |
| SHA512 | 871b4a9abc2b15892ccbe3b550307e751c24b94a41376d7c2240350f52be270d267d95cb22f7f61b6bd47ec902e4c8f4743792f5680b083acc981c9404bec5b3 |
C:\Users\Admin\AppData\Local\Temp\WowU.exe
| MD5 | 0d9da40ac968c76db330d276b077755d |
| SHA1 | 1c6fac4d9407d365aba663115201d991c36f9ee0 |
| SHA256 | 27a9ded5c0467eafe36963789b56cb7517218c179d19b80c3880b00b13183d5e |
| SHA512 | 1118d1b1fdfd073778c0e23b75a204cf20b44e171b95e13e7940b930a8a3df8e45edec775f1eb37a7b20246a2b5b9d055570d4d5317235d07d66a663e7de19cc |
memory/3408-669-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gwEM.exe
| MD5 | c4e1542de43e8e16768432d8ffce48e5 |
| SHA1 | 2a5be8a00266b8961005529ae12d423aaef96396 |
| SHA256 | 800c8599da6a06755f9fc3efcf1b78b236a37ea2aca1af61c009fa1b1bae11e1 |
| SHA512 | ce640be5b480cfa003d2d64b842b1e31c4fc75ef14e56590c3bd9ab30ff14cb9927de25e72098e2e046799fa62b829263c873569c0bf032fa4052de4d3d0cf4d |
C:\Users\Admin\AppData\Local\Temp\sAUK.exe
| MD5 | 9a185faed2fbb73a583de09a8087f616 |
| SHA1 | ebaa123a2a62bf4f7f6740ff0fe059537e9b993c |
| SHA256 | 5fe021a818f50ee67a9f835c556cfca473513111995f4713e6421478da7c0ebe |
| SHA512 | 226b58c17c2e67331d8cee629e7ce8c36151bc560c7adeb79b98e0c68add2d874b016bbd05505c7384f7fe657dc1f473c456d1841a61078ff78cb17952ad1a7a |
C:\Users\Admin\AppData\Local\Temp\cMYU.exe
| MD5 | 948306cffb72ef235c14956bce15cd08 |
| SHA1 | 6b9977ed530d0b6f5a8dd36d9c20c47de84f8683 |
| SHA256 | 90e69bc127ec2ff4d62b7e119b26a0b342208dc345d922de25cfabc7f369ee0c |
| SHA512 | 952331a4bfea00f13adbf80e99d6b3833f6838cf920cacc00ceb0b884ea55afb8b9e5359ab3d2fd1b3fe81c67fd2b11da690fbba33511f1d58d55a4ca48f148b |
C:\Users\Admin\AppData\Local\Temp\kUIa.exe
| MD5 | 5f545b9cb8dcd737db5a1af7b9769e4c |
| SHA1 | c562bf94d9173f4998e633286000ff38b3a5f035 |
| SHA256 | 668cc83ad730c8ed2f60288bd85e86ea355245883b695cf538bd24c27a002a26 |
| SHA512 | e97ede6dae885debf0d9eefce270e952f3d4592e6c1b0299ec831990f29c9dbbc2532a19b5b68d93e241da9fc9515687f9bed183e6ff31d3d74c2c584208be36 |
memory/1124-732-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eIEM.exe
| MD5 | cab72857f997a9ea30544c80d8760734 |
| SHA1 | 91adf572bfae0466406906f8392b8d40d6ac7bc4 |
| SHA256 | a10494e6392c4e4e8a86d2e4cee979e3cfb9de0a26dcbe42be9f14b67824540a |
| SHA512 | 69172d11ddba846eed8710e835c5fd62e4a1af3cbae98c1b90148860d8befdb20bc2983dae6097ef86784bdac20ba54769224e0d56269996c2a511ca91b9bbb5 |
C:\Users\Admin\AppData\Local\Temp\UEUq.exe
| MD5 | 61d3c8c56f3217338d194bff22c9323a |
| SHA1 | 84db54e1a9fb237c44f1c7396a4f8032cc56a2ad |
| SHA256 | 2894c5f9a6fecb687c31c910741e1a4211b5bfcb4a9256836565d850554b6d0d |
| SHA512 | 82bc7bb1a74d3548142d53567c3e8502daf982a563d1acc06e88acc0d38b3951ca12c4cbdeaf4c1dc258046c5ccd192f78a5f6f3d060c4c06be830e88d7e173f |
C:\Users\Admin\AppData\Local\Temp\ckYy.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | 19a62ef1650cde8afaa2de68f1b583d3 |
| SHA1 | 9b5c291484df2e616943ca8e265e39d9f1c69329 |
| SHA256 | d9a0c701a2c0a17ef08a6818d2bf87edb169748c0d305cde68ee859c1f01fbac |
| SHA512 | 258f42fa42400c8ffa3467a30445fe98cab11a08139e477ed58bdfce97c331a0dd9498e2b4450b432a0c290036cc936012b9764997ecfc2907c745c99501c907 |
memory/640-796-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WwYm.exe
| MD5 | 34adde583a1368cbfa0b1ad0d77251f8 |
| SHA1 | 3deab728724204e5b49c16254274f2ae392b710f |
| SHA256 | 468fcdfbc2a0f4e0eecfeba1327dfc1017ca0731af9c370e154483b860f48ed3 |
| SHA512 | 8d45a851c3286cbd77f5b814e40b5611f052d53b5b35997fc7b7e184debac7a46c8fdd432e9259fde89ce4d4b72dd87204a773cee8eb1d3864987bf69464343e |
C:\Users\Admin\AppData\Local\Temp\egAI.exe
| MD5 | f0a534944374f543044b2788f999d8f2 |
| SHA1 | 5cf636dc1cfba6aa69c2d410c39379c081eb4a36 |
| SHA256 | e20ae28ebd27e61367b000b146c5c313afab2170eeaf4cf985a8fb8efc5430aa |
| SHA512 | e4896da3e3ff967da2c392a5e4408bf4fc264574e9912266230c9a88f1376f6b3eade4a964e54d13c0c326022b59b57947af0449f15f79bd7092f5d6567f4097 |
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
| MD5 | 69af6144cc9bed0bfc587cc81e784404 |
| SHA1 | 9458d2ef715fbafaf9b0dd9fbdd82c7357bf5d22 |
| SHA256 | 6cf14d1b79154a93726733d66a7342657f73d8f06f717827b8b564965fb561b1 |
| SHA512 | 3237085f13fc2e227a94c2369decce360dd9c751a7262c220ece350d54e6d92e3f2109183f54ac4f32fdb538f0a21168e37664d5fe25cb8253cd4cb90afc1b5a |
C:\Users\Admin\AppData\Local\Temp\aowo.exe
| MD5 | 1dd5e25a644bf6ce57c3506ad8bbfaf6 |
| SHA1 | 9cf1dba95cd778ec06db0703907557322cb9211b |
| SHA256 | 08e1b2960239a3b4cac65f7f50412619450e19eb9288c20ad6d1bf079dd0f460 |
| SHA512 | 2783bae42a43489dbae088ac2520802ebce70bc621dbed15870bff615acac02d76fb19ac78135ae45e5447ad5edd78a57633264d4c5282209153d0de527ac267 |
memory/2836-847-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uksm.exe
| MD5 | 50e33199c0c1eb9ebc92727a5be7b8ad |
| SHA1 | 30e39e806008a632bea2076605e6a76ce81be180 |
| SHA256 | 7aad9237d2146c71bec5165e1397bbdeebe2bc1a73db0d7b50649b70d8e5a0af |
| SHA512 | 6ca339481866d12e6501e6ec27f1ab29a32464333f52f158b9e8f7a3788cf8691e0c0231b69829a5f380f09accb7655c5952e4f5520d884d8b31b055ea80babb |
C:\Users\Admin\AppData\Local\Temp\kIku.exe
| MD5 | 185f9da63fb4388e6f65e572cb3a7a72 |
| SHA1 | a26028b0d7115195ddc691efb58c31409877f9ab |
| SHA256 | 15a3bcc571ac0c5893918b4e50ecaf2c3db9c265139e71d52c9078b6822e7829 |
| SHA512 | f6a62fc159d09c72d5910ee1cdda6c4848a70fba9321d654d3b05e1ba46279ce3cc2643efd92c84475e1e0c4b7e168f415776d3b2014b64eb3ae376d2e0d20dd |
C:\Users\Admin\AppData\Local\Temp\KIEO.exe
| MD5 | 91aa4c5c73b135b31234c1c670a1f9b6 |
| SHA1 | 4d3b52f26d5a924d2af953e39fd25bd951795de7 |
| SHA256 | 50100bf520bb19f024360376459090b3bf0dc24dd8e56cf0d953a4def58da3c7 |
| SHA512 | c400d453efe611bef2a4e8ed3e679881ce0abf1da3464e67db279ea81082292f3b7c79d425dad4ac9ae25b19f75cf3178f64a74f46efa9bcdd2903e5f675cb10 |
C:\Users\Admin\AppData\Local\Temp\Agcu.exe
| MD5 | 8547cfc9ad10a1c08096820e07c23ad4 |
| SHA1 | 0209f291d3c8ed936bf12f70c34bcf4778e73c10 |
| SHA256 | bd81d6162ef458b5f3bd810c341bd4f71afecac182b6f1cae23c989d95d3f765 |
| SHA512 | 014dde60089f23b10bb34175f37dc0ee6eb7ceee702285c062d1e5570e431d868a1ddeff54f299368e2aef8eacee09546220e617f8bb5c81988e5f0f1ab9d104 |
C:\Users\Admin\AppData\Local\Temp\qIEG.exe
| MD5 | 5204b9129efdf1a0c8d0f4c149be3116 |
| SHA1 | 5d61350b724bf0d47b69ea6a7bc9d9a606acf5e6 |
| SHA256 | 34d810b36ddfc8b61cb91f99855783a29df6eee29cad47e5f15d696c2583c8d1 |
| SHA512 | f79a7bef7258ebeeffd66ae91378dedca39a5d3b3a9c5e1466f1b7bca9a595deee377d79b86db2fb197d070f673ce27f2e7b8c30090ccd8705006d47c3616917 |
memory/3792-919-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WIUo.exe
| MD5 | f7a2559445babbbb690757945f87ee9d |
| SHA1 | d8e6b3ad41cf4b4fabdd7f537a12123429548281 |
| SHA256 | 0e2f76bf0bd738461c6cc7d2e0fc306d9f1ac907acd00b0b44abbf90a59198ad |
| SHA512 | 24a6c59f993edf79c45f2b58e19bf2ac1c31f0a051b70c9e0c9329cc1b1666ca55fc14dcaf0f53ac79c961a084e629708f148bef999426675d085db41d93c1d0 |
C:\Users\Admin\AppData\Local\Temp\KokG.exe
| MD5 | f02cfefb0526ef260cb38aa5fd694575 |
| SHA1 | 4a2a04a4e2dbf0bd77ce65f81b726fd4176d5154 |
| SHA256 | 23530bdbcba3757dd23440598050beea6b01b3ab99959d27a45f49c426a64c4b |
| SHA512 | 0ce63bbb0bb4bdbd22b4e8b0cb8530eba682c3c55474f3edca34cf052c6d0aabe65e090a1a3548e8afbd9be60d7f1e419987b7f8a9a26660ee1b36f28785cf88 |
C:\Users\Admin\AppData\Local\Temp\yUMC.exe
| MD5 | 441205983b725bf7770bb3946402032a |
| SHA1 | e50d07f37534accc42959ec823c3694e33e58d7a |
| SHA256 | cd799d4686ead2a495fb84c4b53b599a99a998fc900f67cc36a2c4152396dbbe |
| SHA512 | 1e325e12c02667863f7f0921198a5523d10263c475a59f2e56b1a8b2d7c047f386c4158f166f3eb3419d31cca06000ae71495effeeed3be90d76eaed29e0d536 |
C:\Users\Admin\AppData\Local\Temp\aMYq.exe
| MD5 | ab98c1947b894f302c1777935b831b3d |
| SHA1 | ad340eff5e0776f927db30aca77079be099bf13a |
| SHA256 | 817dba83667089dae30cf5f52940175395bc026aa164b51a4f2a71b32a36fd29 |
| SHA512 | 5705196c5fd609ac09101ee057771ecfdb901bc296e906d36de4f151185ca04a339a691178d388f7816cb210590af63afeba9e3d5c96f9ba20146b10b2cd1f6e |
memory/1776-989-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1300-985-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IgYY.exe
| MD5 | 28a01dda24870cd3ebf83fc1fe325ffa |
| SHA1 | a53b405f8482b2c17cdd7b30e2211fa40ec31801 |
| SHA256 | 6461db6a3a6e20fc45f6412a9eebe7c227898fc046e5561a0f1ee458255740e7 |
| SHA512 | 7aa2f9469c9dcdaf9ac1b761f1d2e60607c2f99c2664b38742b97bfec49051d436d5e79deac45b2bc4b30a1dfb24aaf5751efa9a66a51e348c51133e8a5eb4d8 |
C:\Users\Admin\AppData\Local\Temp\AMQc.exe
| MD5 | 79b7b3c79807e8496828e6208387615d |
| SHA1 | 52672afb7cc81ba52050bd6d1b688fc474523bab |
| SHA256 | 58947d04b67289b4832e5f5eedd88e69d9e329e2e064f26b623de6912742dd30 |
| SHA512 | 3969a98f2fbebfb5470b5985b4dc2d603b6ae5fb3e389f7a6fe7286be97ae39fed6ac50e8441e742e624bdf0b4fe30024ddfb489025adc35e7c84db329c7d09d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe
| MD5 | 80fd7a3d7a1ed0b1f5130aa71b995102 |
| SHA1 | 9f09d236ad5580c773dd4e01b364a459c04f1e48 |
| SHA256 | 0a8310b839e1e2bc8e4a85790d51df77258bc34fd37ce2950fca639f8275ba72 |
| SHA512 | 07b64e6e3820c56ef30098951391ff8348ee61f120974e1efa138dd90b71d5e3058b03d7df1cbc96c9f5ef9ff54446358dd559e2a4065615a0c39fc1b4330566 |
C:\Users\Admin\AppData\Local\Temp\EIoA.exe
| MD5 | 7c92d5096fd2d101a376598249009f36 |
| SHA1 | 5a057204b8f193e3c5527720713d52d1fa8fb178 |
| SHA256 | c7e6b1a62310fc83803bbcbc743ecbc2820c35674bd7130ac6e9e31b3c2714a5 |
| SHA512 | 5a038f208c74d1af4c682123b143b314597b5be76afdbd4592a15373d0dcca919c55f9bbfa30c027fad96fdafcdf79ed89a8e21bcaf0c92120550e33fc9fdc77 |
memory/1300-1053-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\usMI.exe
| MD5 | 14ae1a793fc55cc3ee8c5710257a47c9 |
| SHA1 | dc88676a776efb4b5f012b8637aefaee7af4fd12 |
| SHA256 | e757dbd8cf0f708e46c0b43270599e82be65317056055adca632bd70e6d12460 |
| SHA512 | 1fab0b0eab01209b2c258b9a54a68cca6a9b0482b5d1dc1e64fbf6fc9af872fcfc8dd99236606a07042c74981c84ec002667c0ce9dda7f60139f6333ceae6ab3 |
C:\Users\Admin\AppData\Local\Temp\Yswg.exe
| MD5 | ce6baf0420f83b3807923ecec89e112c |
| SHA1 | a1605237b4500af647fed936a96f6773030d8842 |
| SHA256 | 9fdcf9b3fc701b6b03d8434792d0155830db21629558631ebc74c844db2545c2 |
| SHA512 | 336c314a3cd02b15e46ca39883a8d7ed7f1c51914cd168f596217187b97edc5fde6cf99da25a0dbf8879850a53808f16b38fcbf309b601afc85a43dbf5003f94 |
memory/100-1089-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YMkg.exe
| MD5 | d3ecd045d26af701c49c94d709b627b5 |
| SHA1 | bb5e2f7b54448ebf9ea84c2c6e1c005a1b9bc35d |
| SHA256 | f8af27b271e2c6ab52fc0622097b13c391209d4c42a4c8b326f9f3e3d6013c5d |
| SHA512 | 29007de9f4d67713c6b2b4e93208b6bb58ff7c071d1fa297220ee1e9a7f8deb18b4f6fcdb1f77c7b2612f26715f61242dea030bfa3af449f691baa2f99bde505 |
C:\Users\Admin\AppData\Local\Temp\OIYE.exe
| MD5 | b1218e8ef5b5b3bacc222ac70695bf30 |
| SHA1 | 002834cb02a0d996f7b9fe1d621b713665802a8e |
| SHA256 | fd0b41ee16442b5b1ce4f635799616a79a8759dd0a09e50ae7ab338b4d46980a |
| SHA512 | 00509ba1e6680563b05d4871edec8495d880148df801d8f2d611fd50e0f9fefb1132bd8d3271de69bc89dfed526e92145a350f10b332a923de0269daf2804b9b |
C:\Users\Admin\AppData\Local\Temp\ccky.exe
| MD5 | 9c7954675ad43af8065f667959bac5df |
| SHA1 | bcf9c74d227a3318d8ccf985f7b597f49ef71c74 |
| SHA256 | d86a208d845190189c2fbddd262ea90337315c08ebc9130591b0852e0edde2ee |
| SHA512 | 91e31cfc255ef30adc48135d532dcbeecc4bf97d13b2255d9f776e4d06a5c3a42d6d6f06130d1e24de82190bf24656f9f6738ecb4f069dd66e2a936e60a03c94 |
C:\Users\Admin\AppData\Local\Temp\WsMW.exe
| MD5 | 4213d54f636cd1294fd5d73ad413b1be |
| SHA1 | 092d948ad4da25519d734ee9a2193588b15e234d |
| SHA256 | 9fe6a037b9cb5ed9ae30b1b8b5b84f2ba9e89fef48a82b2d580172f1d59b787c |
| SHA512 | e641848f12a0c4091177630ce8209b1810ad1664bed12eaf5f374a200fd8e69ed7eea18d34fc522fb9f615b5bfeb315a5d1180ad4871f12a6b1f283b2a18c8c1 |
memory/3056-1153-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UIsU.exe
| MD5 | 044c434b92ac47f2a1abdb3079473871 |
| SHA1 | f6570d94c8b7af85fa88f67617518b72c430de30 |
| SHA256 | a98ce7c4bd2f8c5d73c5ab0cccd5b3bca933cda608ee47bd93eea93a313239ce |
| SHA512 | 707bea9362b3c423efc145d793f057266f67756e8e1c825836d6a9d389f945d90d77c71fc044b7898424f454746d9f1dd326f94af0231d24ad6aac2ce2909df3 |
C:\Users\Admin\AppData\Local\Temp\SgAW.exe
| MD5 | faa3c05cc4af0f7ea9ebc9057a8cb364 |
| SHA1 | 6421bf203ea890d8eb62c434990cb3bbccc28f8d |
| SHA256 | 56348afe0a8f2a8f480baa3929086e638b1b106741c50b2c574ed866f5b5a642 |
| SHA512 | b34c0316b2f6119756726b2f1b2390156dba473fcf61bdad1e89d6d99c77ff84c616470d8969333fe17140ca2fef68499a0d379457076804b9848889ef45e486 |
C:\Users\Admin\AppData\Local\Temp\mgoC.exe
| MD5 | 777911a9086bd3e2d9b9b43980bfc67a |
| SHA1 | 7bb1546bfb09c27f9924e26a480b73a43655e4ff |
| SHA256 | 276491ca997220d6cce235e9eaf052ee60e09539cfeb4026f51be7e94c39218a |
| SHA512 | 208ddf7d8181dafab84ec2856c2cb83ff76aead0b50012c1bf7aebc2ac95b0b56be1f81e4d3747ffa9723add059f2822d167400e6876dbfba5eb742ddec4655c |
C:\Users\Admin\AppData\Local\Temp\cswg.exe
| MD5 | 62b0d2b98614e8c964075ee077bedb96 |
| SHA1 | 4f8001341c3b8de0e52da00f5224d5baaac8447d |
| SHA256 | c6380882d684f222fbf5c938268e50e87b68ffdcaefa908f5e0af78564bb7592 |
| SHA512 | 2eb724056624ab2a008276018b36bcd9719cd70c49f4db485991eb9da0b3d36fb4d1895f74810e3f685d99b1204413e5018a9683adcf4261dc1ca3bc3d2d49c4 |
C:\Users\Admin\AppData\Local\Temp\EMoW.exe
| MD5 | 5759e35fead7888dd929fc36500d1ed3 |
| SHA1 | 3960621eba8e20c91f6c974450779a609a38c8a3 |
| SHA256 | dd69f14c16036a86de688e084e922720ba420f91cf6e38fdf1aedbaf14e0c7cd |
| SHA512 | b9e23bfa5faa92cb6b098121260347ebd79a1f07211f6a1521bfae2ba83758d2fa2b6ca0bc5892af15591b0350f8623bcd8d24d34f71a87018ce51eb0c26fdff |
memory/4340-1230-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WwoE.exe
| MD5 | 94be8dc92987cbfdd1558e763c756c6c |
| SHA1 | 6138f1d58f8a79a66bfe05dab8607cc39363158d |
| SHA256 | 2533e3a2a403e2a783bbc66639c6961b091ed2e54bb2b8266cb81a9d78e99bcf |
| SHA512 | efba09ec6f3ce866f453dfbfc06a29665e5c9751c2ab4a36f3a1f0a79a88a6b0ae6b9ec578fb5f50d115e0fc7471505a7b1e814869a4d81078916f655966b69b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe
| MD5 | 2e9e1c5ea6bd77c2b26367ca942718d7 |
| SHA1 | 62298c24a4fd358e3a4e53d0e2d2b8ba0d627a88 |
| SHA256 | 4cdefc6f168d46bcc460db66fb64df4145aab4606d46411b7a8c99f91c2c1856 |
| SHA512 | 74ef39967a5c5b3de897c8a64763e7a2951a3f77f763f314775c315b834b53046e42d0b7d23a4ae60882771df062deb23620978af7ee7de9eb0423f1a8d3df66 |
C:\Users\Admin\AppData\Local\Temp\KAou.exe
| MD5 | 939e7c9d734d43f460723986f986526e |
| SHA1 | 080be391d0670ebb4d3b3ac304282f3b0f6a9458 |
| SHA256 | 0e881ffa3aa90a024ee9e36ded2d27814b9ea30cc830ce0b7183a7becdada9ea |
| SHA512 | 8c8609b986fed9f56159d3909997565e5f0feb49127c5fec9a9327870631f59f23ed9144d61e63e14f12f7dcc87c977548727436f4ec5ed0ffde8b94bdcd0722 |
C:\Users\Admin\AppData\Local\Temp\kkIO.exe
| MD5 | a35df7e59274d8c98af2de63e23b1fa8 |
| SHA1 | 58bedcd99a5f7c4f16acbd5ee32d02affdb06b1a |
| SHA256 | 07c4339a92fa2458558fad57d363e278b471183a4e1aacb5572e16459bb77faa |
| SHA512 | d8dd914713d5e267812716c1d47e8b3faa974fb34a3399d711b19a13f3356de01798b61177b6dc83fcb929459768b5ad70c7aff565f3835187f66476f4397ca0 |
C:\Users\Admin\AppData\Local\Temp\mowk.exe
| MD5 | 4bd2028b884c2ed2950469732b8e7bda |
| SHA1 | 188ae5996e1b043abb3ec58b3dca2f2d3aaae6e5 |
| SHA256 | 87dec7969a1288ba8c0c43210183336b1b7eb0ef7143751c4dc8ec73b2b02846 |
| SHA512 | 3c771634c19bd6440acf2e99fa03081b9528a3141ebdea774b492cdf01eb339d8e308d4a9565d476bdae2cd72abc886aa448d8435de4c78a8c15fc2bdd398659 |
memory/2364-1299-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qAQs.exe
| MD5 | 06c00df8c6c2964ffbd6d8a013870d8e |
| SHA1 | 99623ccd48d41b88c91a9334d9a6513a9fe931c9 |
| SHA256 | 74b5b044c96f95839b98551d22367c4dec11b825884708c1739516cc5c589104 |
| SHA512 | 505f66a8892aa6eea000af3b2b865c5072476d00a037cf322a7a9d978c1b5ec7dde6351ce050b4458a1f475e79616104d9c60a685f5056b404ae699e30a9e6af |
C:\Users\Admin\AppData\Local\Temp\cEkU.exe
| MD5 | 112e233f52f98ec183b0ee5e33f196e7 |
| SHA1 | 5e6c78f7b4586fbdf1dcedf71d56316f3e1c873c |
| SHA256 | 8a5d390c0cef88252ee1ea798e622304f1273caa1799a902c7ade45d770c0fb8 |
| SHA512 | 806a9af04cecdcfebd3cf38ab42fee4375a29cecd6e74cf29fbf2e2dc0a3e12e7022cd89b20f9765e9492ffdc72ec72301cde513255c4909475da8e665d9a3f0 |
memory/1888-1344-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gogg.exe
| MD5 | c580c049ff7c05b52897d3780ba9aa6c |
| SHA1 | 4922c1ea9a2443d4b5532ec5d585dedded09e85c |
| SHA256 | baed7fe29cf49d98d0872d98d723880194a8b445a085f5159460150563cbfc5d |
| SHA512 | 76407fbebf97e9603db1abb36b8d9e6a0bbc3761ff6d97eda7ae6ae3e18a1014ed36b5a58a91af666fac74ceaf0fe7a4eeb4b18800228f71421ca4d4a7f1a11b |
C:\Users\Admin\AppData\Local\Temp\WcgO.exe
| MD5 | ddecaf1bc03bc509de5ad9adbd55461e |
| SHA1 | c0b656dc16c8a16254a202b71b919ef3aeef3070 |
| SHA256 | e1511f246c5438ba4cb332c60552abdd790746f05fe514a05f721709c8113d03 |
| SHA512 | 43d540e4c3751ceb98b17a31c7f0700daef7b187fa0469058595e820d6b9f10acb9ca7d0c8491b5fab648209f7431d99a9ace9e2618c31d83f88c6cf92d0d469 |
C:\Users\Admin\AppData\Local\Temp\AssW.exe
| MD5 | 94f67b5802f942d3bb77ce01d964b1b7 |
| SHA1 | b9adc73700d995c1d32bb1b62e7fe28cfe779b92 |
| SHA256 | 03fb726e85340f735a4d3d2ac5c0b0ceda0013d0efe5bff7358078bcb52c9935 |
| SHA512 | 268ae67ec0f1ee700539933af48488205c3095761f3d9985091eee566432dca455701379e1f227f2c8c252e0046b4c420876ae1d40eb9a1358e31ddf0b43f1d5 |
C:\Users\Admin\AppData\Local\Temp\GwUy.exe
| MD5 | dc8840ccf5f0e42c9e3c5d6ab8d374e1 |
| SHA1 | 267a6dc7ad06efd7603897dbb0f63eeade047afc |
| SHA256 | 807f94dbd0550c06bb4b750daf00752bce50c1c808fa90de3bc820dd82426158 |
| SHA512 | b7a078b8ae9435e0bd4ac7370004a2b579c3e15959790c8dc443c4d96a4086caccdbe747af7b4164d5c9590f5578a80381448e3b16d7b8e9fddd1891f53e4493 |
memory/3012-1413-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CkAU.exe
| MD5 | 2922fc2fe7d07279445ebdc4a846f303 |
| SHA1 | 7660819571d42d785e8d9ac2fada11c4ec473f25 |
| SHA256 | c4d58d9a73e913cb88a62117a08005114eaf6e7ec02dc7c8bfda279867814982 |
| SHA512 | 25aff296f9fdb0b630000564d43e68f04b04a7518b46add5c266494e88dd40c21482e2fcfed2c6bf9ba5eb528f3571c626684eb3062350ba80918326ef619357 |
C:\Users\Admin\AppData\Local\Temp\KAES.exe
| MD5 | bef44fc567e5efba35b6abae57b86056 |
| SHA1 | fa4d875a9e6f975b23544ebba76a367e2d6d419f |
| SHA256 | 11d5374227622d9388915a3d544b2efbe5750016666719c2594b363005b7af2e |
| SHA512 | bde0d96192d69c6d672695f37e5a162b1e99969645168752d775538ce515516f0a0a62c73d6106c8beaed4ee5b6698edbe1081485fba53c22d982bdf1e6ac30d |
C:\Users\Admin\AppData\Local\Temp\ooAe.exe
| MD5 | 70ac51653b58850f63f6c49d3f5da0bc |
| SHA1 | 42b669c848d901c4559fdd99301976547ebc9c2d |
| SHA256 | 7eeb7f6c7c5745577afb68b2d4a68a73d3094a5e52b69e34fc0ddacee2996cf5 |
| SHA512 | 53cffeb4910073ad023f47c33a84d12a87b0f14091ab4351f1a468b5f656c0937cfb9cfaaae7be1e406772fb2e729800db013d73557003c6421237a5793ea658 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | d5ff70d192f0ca53e58e84fc39e1d8ee |
| SHA1 | 3636008929e3cfcc448ee78d10d16b8caacc32c0 |
| SHA256 | b4fcd32f7c6fc9cbede0860b557789c10f467a67b9bc8cad47514ead4776d190 |
| SHA512 | 4e685dabf5febe9c73265c426d3674c2955c071f1119d671add81ad932d81be1ea0091aa7ff21ca75985c042e49a55741dbc7833d598cc92c618429adfe8031a |
C:\Users\Admin\AppData\Local\Temp\MAUe.exe
| MD5 | 371f646a15164c5a82592ec717d8cdce |
| SHA1 | 407ccdb4506bb9cf8782e52cc8120c64102dc605 |
| SHA256 | 644f4ce6b4361c55392485f460571f7294bf85a2e94d4f1ca572ba64f50762ec |
| SHA512 | a8a888fd3ccb95d4fc277b5047931bbf7c9277995df3287ab352dd11cfd377f6bebe98f27600ba89ee3d65894a220db783e2af5505dd96750cf839304cb9459c |
memory/1332-1486-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\okYq.exe
| MD5 | bc59464fe8c054813933f33c0f68ea87 |
| SHA1 | cb323b1282d140271b4ac02b3846eb199a94c79b |
| SHA256 | 3cee776fbc0860db18fe655c8dc8302a491ba936be54c55f74ba8e07ddc64085 |
| SHA512 | eb83ace978e75962a5eb5316ddc3976e70be8256c8623c3624c38cd6348f84f87ea364762fd4125b4cabd5b93a552439ba9b936b89ce465316edfed3d1f4c43b |
C:\Users\Admin\AppData\Local\Temp\sMca.exe
| MD5 | fb4ecd3dcf8d073f498aa8a4f4df9b03 |
| SHA1 | 952690ce5a6b94f0dd3587f143e24db12e4a1be9 |
| SHA256 | aa19d04735c54e4769bf3e06193cb9b0c222117d4ab60bac51516b85936ae79a |
| SHA512 | 9b8ce9f194cdf37705a98fa21270b542e94801a685f5d00068860929a098dd56525d1bf77f42866297530897b75b3c7d099150406d2c41cfc58515822e141038 |
C:\Users\Admin\AppData\Local\Temp\EAky.exe
| MD5 | 0e73bff415da5bf944a892bd43cb4df9 |
| SHA1 | 20b1be6a7eb553a46e2b92e40459871caf6f9364 |
| SHA256 | 8ff00005f4cd2ec7086de53596c4a77ab4b95a9f9df8913582066addae049141 |
| SHA512 | ba97438bdfe3d2caf1f0d4aaca74fbf3a53435d7358dfd8b4dbc7d871b9b1840c3838d12303db5c1eb92b0b92bb4a2d282bcb52303d77f882b0392bb51fd2302 |
C:\Users\Admin\AppData\Local\Temp\iwUg.exe
| MD5 | 1daa0c54833f6b182ff37ac44ce50dd2 |
| SHA1 | bc7ed5156371ac68ade3fa1ff218029a50db98c7 |
| SHA256 | 30c6c258d57c1343c26ae0f5020997f04cd2ff397528f2380f8be74cff7b9a2e |
| SHA512 | 38e153d0039d42e5d649f3032a7e5bf75300a4c1dca2e5106916c5b166a94f033aabadbd923db82656130a74ed8ce95a553ec607f1e934a1b630bdb0598f44ef |
C:\Users\Admin\AppData\Local\Temp\WksU.exe
| MD5 | 23f51424610e6dd99f3559c2773508b3 |
| SHA1 | 18d308d249bf6355a3eca53c265de7f7070e48c5 |
| SHA256 | cbc944dcc52ea7fd8d44cbafc40cc08a2cd3963dea1669107997f94b6a1dfbd4 |
| SHA512 | 60c3daa937b2eed77764638fbc28f9f0bd772e0d452c13cdc68a8da70a71ac8d02c2f10f5ffcc53c73145c605c572b2aa9343f4667701e5a434a98f16dcb4c0f |
memory/4068-1564-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YkQa.exe
| MD5 | ebb93adc3d61d3a7408cfbaae9fb99c3 |
| SHA1 | e7b358b9b28ffbb926a3d74e00b7c7e1a8f2cd45 |
| SHA256 | 59b2ac7e4aff3a29e06b7118f5d62c6d3d5d00c1a582b812fb6f200b7c607aba |
| SHA512 | bd2b4cecd0100478b44d84a5e804203e6ae6975fbb2ceff9a11b01677c157b342bdfb37a45ddffa83497ea5dfc0091415f723fbb4ee66a3f6f7213869540edb5 |
C:\Users\Admin\AppData\Local\Temp\QYIa.exe
| MD5 | f5bb0d718eba54d0e6a027ca18e00d52 |
| SHA1 | 406e9c6fcebece165a8ae1654412f99df6fdc5cc |
| SHA256 | 657add018cfef537808935e7d1af15253281bccd214d4fb171f294827f405e7d |
| SHA512 | f649e03a11810dcfefe18fa6ea13d444a95c457b409f6870787402b58cdb89343ca30790cce3dcd91deb722aaa0cb2ee3be2ee2553dad2c8dec7fe89346e3097 |
C:\Users\Admin\AppData\Local\Temp\EYUs.exe
| MD5 | 93e6f79b3076b59b1dff6bf573953ad9 |
| SHA1 | 417a4e0085022b1b3f99236b50d4f8a04e0091b7 |
| SHA256 | 1a84c1889e2fdce56989b394d137f1fc4b62bb20e599cdfc17e4bc8706f31a23 |
| SHA512 | c8c31520a0e049d6b42b5ef1a0bc715eb988023d7e28a91ab530232d6dd16a1372f22058f779a2c18e1980038253d9d94301d71dc459872ed25505c476c97480 |
memory/4212-1614-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\usQQ.exe
| MD5 | d6c8be11ba1af4f38d1f943ee8f99de6 |
| SHA1 | 3f53a71cd7d0d9d6c3289c4fbac128eaf3ee4efa |
| SHA256 | 44ac809835ac38c9dacf521f36ea4f7356e5f39845990f50aa73f81cfc4d0ff0 |
| SHA512 | 86f5ae82cede7d3b57aed4732941dd6f5e264124a693f120613bed6b4234817cbd5b27af0f284f86045bc9d7a1a9cc0c168aa947884dd20119161b1c60a7d44b |
C:\Users\Admin\AppData\Local\Temp\SoQW.exe
| MD5 | 552dff8a1ebe61af3b67c6c2678260f2 |
| SHA1 | dd22e9c764efffc1e851fe1fc8d4f83f331d9cce |
| SHA256 | 2223405e3afbd2eaeb5808aea91940763c4e208a0397a3255a091357c82948a8 |
| SHA512 | 928f62d858aedb7d14802ae42108816563c58f74ecd5f320672ccc793619ea2805eff3e18b5c6e1db4f18340419fb7304649da7bf5b5e8ed2be95b0e88e79b1f |
memory/2544-1663-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ckws.exe
| MD5 | 6fefeba241f7fa9bf173272ce36481b4 |
| SHA1 | 25fe431ddd393d9c95b64fcf1362d76be21670df |
| SHA256 | 31dff1082867bfcc820879a3101019a7f6c11875c9aa513bad867783d2d050a6 |
| SHA512 | f395ed9af305e6ff5f794f46213008a7ed3ee665fb786e44494d88815c78969a8a741e8ccd2b9d70a7dc015bf59977de46601ac72a7e03ed3a348aaae9f82f23 |
C:\Users\Admin\AppData\Local\Temp\uQAU.exe
| MD5 | a3916e767a7ee34227bc5c8d1f55eb83 |
| SHA1 | 6dc1e871157f42be3ca4219314cdd70d484e10eb |
| SHA256 | bbd16a680919cac45617c681a7a4199f5feaac3357a4e532ce0f4b4c53f724a8 |
| SHA512 | fa49dcc43df73f4de6f53bc0d66aec168e4f90b4f8574f5a197591bb9ad9caf93df840aff414b5240305d086da410c2e718dd2aabb06d3005a2ad24d91f38dcd |
C:\Users\Admin\AppData\Local\Temp\WMAU.exe
| MD5 | ac4d38fa58aea47d579d5a44bb897e36 |
| SHA1 | 30ff00911dd519b4bd624f4a239cdd713e92d1ac |
| SHA256 | d640b8985fc0a9dff44f0b61dacf9d29cc1a937d587c63654e259f24b9d15a9d |
| SHA512 | 33b934e6af90c02846cfa0063d539bfd3cefb637cef5945e3166d93e59ae64d868a614c33d60803910d7bc4424f76d54eee52ab4ea62bb8fdf1146f907f50972 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | e67d2e53e54316b4e15b4e1b7c00a0ce |
| SHA1 | 45611a7a5321517adcd17070abed423c2fe2f2b0 |
| SHA256 | 8b2730315911500ee3c8e9ecf50df007dc563c59c07e322902d4b5af6fb16c97 |
| SHA512 | c5f79bbafb4012e932f584c99cf96ec92fbcf257858032b2a15d9ddd1f293a711b20dad86f218f9ebb92d4b446cf34ccbbf413c17942fc9c5f88cf0ae963b981 |
memory/1768-1717-0x0000000000400000-0x000000000042A000-memory.dmp
memory/780-1727-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kEcU.exe
| MD5 | 8cb6f19c88c2a5a200ce12dae2fbba53 |
| SHA1 | f16c812a920083d06672a621c9ac9322f1e8fbb3 |
| SHA256 | 33f38c97d1997bf1d07940d63ea08d0e73d4415b6d51173bf83710d7441b7976 |
| SHA512 | e1585ce453f8d3873dfbf3a2a0bc05e48008d4a817880dc79663e84dac9807a557c07812f191daeac1ebab18933d67f85fbb079f84596fc5dc3e4f6d39779ed7 |
C:\Users\Admin\AppData\Local\Temp\WMEe.exe
| MD5 | 7698f540c81eda51aabfb3e973ff2aa2 |
| SHA1 | df5438ad0cc61aa5079c736a8668cb777a56ab35 |
| SHA256 | 8a8a7e222a31171a6a824fccc8595b144483c446791b7d67b6062be86e96cc26 |
| SHA512 | f206a95929bbede89fd551d52de40698a5333a80ccc87187634b647befa434097327b537158bc1c106d6119d29600bf83c7d36df598dfd0194762a3944208892 |
C:\Users\Admin\AppData\Local\Temp\MUcE.exe
| MD5 | 7c7bb95169775b84c8af476990d68146 |
| SHA1 | 961c5b041dd0c8b1b721ef005d179413bda0902a |
| SHA256 | 66fcaa9a28cb8aaf2c35ea1f9d84f3a6eee3ef39126ac36e3b7b40e23e829861 |
| SHA512 | 419c7b71f64e6e7585186e38c81d8aaef0255c6a9ce9c97c4460ebe152a7e7513fa3822edd3ac758e52a367451e45bf3712e538fdc0736d03babbc27115de836 |
memory/1768-1777-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asEE.exe
| MD5 | b2d2e4f2312db7cf26a599b1c26366ff |
| SHA1 | 7b90e86e3984cb15493db271cc6b04f8645182c3 |
| SHA256 | 9cde79a5e611c09376022a459264b5874bb04911bf8734ec04173834d789f9b0 |
| SHA512 | bf24fc170660edbac2bff728e172ec100222d9a56b618a9354de6abf592ad3d7744432012774b8a92716390f032d21ae41a726c5192b6ff8bb02a5b692ee7750 |
C:\Users\Admin\AppData\Local\Temp\sYsq.exe
| MD5 | e621abdd0fffd0f9e6ff6a682b248b8e |
| SHA1 | f7650944bdc785562303e57cae3811044e22339f |
| SHA256 | 884fac1fbf026f9589db1cd2f6e15209a0b21ecfa152391286c4b4a18b390ba2 |
| SHA512 | 4555b0073d43d1922f59b84561e0a689a24a42d2cfdbfbe94959b42b20333747632a6f8b94f730e8c4d3834a3a67527f8c959aa4db0398e0e1d27e6a578ce87e |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
| MD5 | e79eb598be6f0fa478e24ed4040a8e3c |
| SHA1 | a7589c9061d8ea9eb3e5e75b42a9844438147f54 |
| SHA256 | 7cefbcc44de24b02c3f3db662dece149829dadce1aa23a8bde836b3bb64e3998 |
| SHA512 | 96ee5f1719c903958cb668451225862955e1ccf6ca7894a086c74814ef6237d2ed420032222a40d9c14ee0850697464ae01c6fafa4a41bc66be246692d350e53 |
C:\Users\Admin\AppData\Local\Temp\cgUM.exe
| MD5 | 1d47a77ac62ba0baf9bf099ae1bdebed |
| SHA1 | c5d270788d49024d63e559c5b21ce47fa9ae7308 |
| SHA256 | 2faf106c06238ec4127746550796ffa4fe788d9461124b6399ecc28d3ff10c68 |
| SHA512 | efa3e8d93227c4b6ffc7d75453a9d8169d2633265907f7b65cef5913187a0ded8fbc9c356328a6ab9b4f9908f2ef4d0348aebbac402d657a26376efad9ae3463 |
C:\Users\Admin\AppData\Local\Temp\EswM.exe
| MD5 | 87ff9858a0781c8804c4c27ed1439af5 |
| SHA1 | 0ef911927f1ce6205a3c0c996d45a1cf34a0324d |
| SHA256 | ace8de415995f751baf8e3578cec8385fd81911982077c4463dee6fa2e122a88 |
| SHA512 | 8da4c09d1c5803ccb7b422a9abf3d0f79b762b961288a271a928fcd1eb7599641df04ace02ba65bf1fd31b96b98523ce2add2383ad18a5ddc96aada81d675c68 |
C:\Users\Admin\AppData\Local\Temp\ycEq.exe
| MD5 | ad4e3a8ce35fbb99b5cf08d3c32bd57b |
| SHA1 | df04cdc924a1bef5d380b9b69ee44036d7cb1e48 |
| SHA256 | e7f919916a28b568f184321cd15174522b83237ef90f0dbdd85a914a4eb0d341 |
| SHA512 | 9af75d5a387c171658e7617dfb50951c8ab80261244bd70799f0787e796e8c6f353650f41376af2030ae0500296bf4a407289b637292a1d5d5b38ec16d552922 |
C:\Users\Admin\AppData\Local\Temp\wIAM.exe
| MD5 | 64ca84e5332146029c7d55040b0168ed |
| SHA1 | 5aa217138a60dafdf405e679959f0d2504f43486 |
| SHA256 | edbf7b5101f2ec5565827e9f57d35ca8dc52bad5c74f772c9bde8f87bc18a2e4 |
| SHA512 | e24266a357907a7c54259f3e5a5c96bb84a311c3401a550a9e13581f340bed7b2d3a7450a9ef1d59cbc6e61741d65cee0677a7ee9e7886862cde9733108aabc1 |
memory/4060-1860-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GcsI.exe
| MD5 | b128a8240fb31cb71d621a7f03a3ea4d |
| SHA1 | 03e8d200cb25e328c076f8378c51dd4a754207ab |
| SHA256 | ab62bc7d610051e5694a638889629582a3d6b3a0c7a161d74de8355d8f4fd353 |
| SHA512 | 171cf9a12153ce8a825313a6c9ae1424f83fb0bb1151d7d384aa98014e7fc051c586f47dba9dd7ce7fe075d82b416da383a9b0f08f45e3ce7c8eb990275f8fb0 |
C:\Users\Admin\AppData\Local\Temp\gkIk.exe
| MD5 | 4a8a5b07aa612395bf5f513ef7e17056 |
| SHA1 | ce6af71b81190abcac3b521f41233fc5bbbff914 |
| SHA256 | 01bb261d329653c681ce48965329f1db703e2f62c7e9e93988c16b2e465f81ee |
| SHA512 | 7edc831cfd508fc50b0134650cf464e18443ce70520b94885c3a61e4eec6a55faf4ca7bf61042f3bbed49d8802c00c96a7b3ae9ab434df2a8597b727ff4a2ac4 |
C:\Users\Admin\AppData\Local\Temp\UUEQ.exe
| MD5 | dc2fe9586631f59b72e30a6622593bff |
| SHA1 | 2e2aee90b24b81cf08ed35ea4d9fa5996a89fb70 |
| SHA256 | 2f93641728de0deb0838c313499281dbc774570d12d55134f6d09ff3e41350d2 |
| SHA512 | 9b5e77c3a846c484ee4a991cd4cbfec2bd2f7b9aa70a808c71250d5d1b4b29b9334327c10eddc2d294c0d4555ee8cdd696e15e6f696c3e08d2b37faa2a9b05b3 |
memory/3956-1918-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SQMW.exe
| MD5 | 2af5b8190b744d37490223b71ee2913c |
| SHA1 | 52891e1b6b0cbfdb93e77cf29405f0bf88080143 |
| SHA256 | 58e612863cfbf5c62825f0a17566d5d880ca1e9b9bfd7d701bd724938a500871 |
| SHA512 | 7179fb9614673ad5ec891d0bc5c54e60eaf8e2a18f09d6d8e7c19f7b218372a788ceba51124630d4bfca7437e88c1d25a6f08e25d8c1c23065db79ddd990d380 |
C:\Users\Admin\AppData\Local\Temp\KMUu.exe
| MD5 | 1cdb5cf83d308dfaffd781fe3903e3bf |
| SHA1 | b0aadabe1cb6e6f99ff26a2332fc4b94f8a44813 |
| SHA256 | 3da189131768e4934575dd2fd4c4e29299a266c7dd27a0d85f4a4cbc0cc1a415 |
| SHA512 | c91f4524d6fe9b23ec6801dde61d6c2e0ccab20aee5bae563e9198c2c7db39ef763a3afda1320bc66fcb56e8cda851e46bf461f9805ec070030c0b27ad02fac8 |
C:\Users\Admin\AppData\Local\Temp\McEE.ico
| MD5 | c7fffc3e71c7197b5f9daaea510aac10 |
| SHA1 | 23262fb8038c093ac32d6a34effbede5de5e880d |
| SHA256 | 71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865 |
| SHA512 | c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c |
C:\Users\Admin\AppData\Local\Temp\KAgo.exe
| MD5 | 30c71d57d880d1130f6b2e9ab213d1bf |
| SHA1 | 44e595db4641e671c91f5535cef50666a8c893f1 |
| SHA256 | 51c83ee34eb2555cd427e4924435cc21c06c86a686b2de60aef09638923071c8 |
| SHA512 | 6a6b79f7a25051c4d67033c4788c41788d24a1c5171ef8197add64c5435820682598cd294cacf6927fc71940388e4c015064af96770abcb4cfd0db2316577a26 |
memory/4856-1967-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wMca.exe
| MD5 | 27e203dd19da1570b21a55026a7c35c1 |
| SHA1 | 82fbaa4223d6972313a0a90554aa66ebaab7dd1a |
| SHA256 | 72e2072440d75f8f3eee3e10aa343d387fc3e0601611ef83e7fe08be6538b5dd |
| SHA512 | df97da1f22d9a9ae442096f0d2de71e9dc4c2131c11fb0ea62d956c280319137ba4dd2cbc18b9e2a2e7590c69c5b348dd7aa3c0657eab6a29fe94e35927a6b11 |
memory/3112-1982-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MwMs.exe
| MD5 | 4479a106e042fc0378227abc1c68761a |
| SHA1 | 825b477ce23a205fc16c39f84fcfe809af5ab596 |
| SHA256 | 5671b8084b2b3160126bafb153135676e71d7ef27e482cb62c135366c2434cb4 |
| SHA512 | b9607d9e931863dabdc3e64119846e62892d4f3ba58052d9d28e0bbb1713eb6416e5a857b545f2e219fe5cb74f6503396ab81af26710dd9d19a4000ec71a4f37 |
C:\Users\Admin\AppData\Local\Temp\gAYS.exe
| MD5 | 1f30e7c2a43c808f69ef789b6bd9b9c3 |
| SHA1 | 8da113552bcd7ca9c8d4819b34fc0e3d71a10675 |
| SHA256 | 5719226818a65e1abb5508d673bc642d6aaf96bd502d5fcd82d273da360720ba |
| SHA512 | bea3d5aae1169bfb72fa84e283cc45c986a98e318219213ccc9eb2c4d6763188262e32733bc03186ef7d8637c80180748ce919936bf4844019450781f14e4a72 |
C:\Users\Admin\Pictures\DisconnectCompress.jpg.exe
| MD5 | 01ffe2e7fc773fc3b2825bdb6760ab07 |
| SHA1 | 4c5c8cbb44d3bb8aed9eb8505546665bd23740f2 |
| SHA256 | fcd35e5d6004aa2548ebc261a1c56c0294be66182543e689b6632cd93621ca06 |
| SHA512 | 4cdd760dbdc31725106943fd2b4c4f7f643b45aab32103a854a03aa3787777347e71ad53e0881153f15495e935b494dea8f5a7b44341af2b8f35c1cd0b86cd88 |
C:\Users\Admin\AppData\Local\Temp\wEEY.exe
| MD5 | c70774ecf21b807be69316b1dd7ebce5 |
| SHA1 | f1c89e1e5fe981f1433603a2744b32e2dc90f620 |
| SHA256 | e0010a2a9ab2cd4a432b97758b8ee1c294095eeb04913fa63afcdcb7b63366f3 |
| SHA512 | 2057e15b78953ffcd8449de9508d48708e64a2ba0a16bc80a760fdd3ac8be686475208145a9c86d17e39caefe0a218b1053a1251d0db6c96e0faac516e32b567 |
memory/3616-2043-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3112-2047-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iYYE.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\cAIY.exe
| MD5 | 87e7a447ea71c9221f3ce626fef977d7 |
| SHA1 | d4676f3e150022b55538bdd5b6e677e7450501b1 |
| SHA256 | 16a217ca06a1f7f87742e88f329c36db4a1671019d96b667f003584c3faeef8e |
| SHA512 | 2989be255f438612705fb1b65db6a5a443c9011fee76627611f043eb339e017f038087e7691ad14aeac6b49ee048c3350c5fb732d72d62d5faf0df07fdcfa9f9 |
C:\Users\Admin\AppData\Local\Temp\YQce.exe
| MD5 | b980c5a4ba1d0c07de3a8d1a73496703 |
| SHA1 | 2431bbc31d40de985b7c5e0823d8234602cb1328 |
| SHA256 | 31be3a875cc1f2a764e82ce9e4a73989f7d3c1419b632a59c43423a8e96f95b6 |
| SHA512 | a16603ae6765004acd03e599ef9c4c6ccee5f635d23ab1210870e8c2b727d725bbcecfa370d70cb64f8c91efa2a0cb9151b724216eea9339037c7398c198813c |
C:\Users\Admin\AppData\Local\Temp\sAAs.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\Pictures\RepairUndo.jpg.exe
| MD5 | 61aacaf37cf5670f6b97f3a03f62c46b |
| SHA1 | 242dc0e948c0ff8584a2c1d789b5ef142ec3537d |
| SHA256 | 0190087a02a7175caf0b3b2230c65836e0d622f489d6d14ce88d71448d4af497 |
| SHA512 | 920a823c904db619044c5ffdfacb8df50df5494e0a2510fd116032cd10a74a20016d4529dcd86379579b4b78c35f4ca461f4800138804bb606568181c7c5b978 |
C:\Users\Admin\AppData\Local\Temp\qEEK.exe
| MD5 | 4de714072dfddc6b17817e65cf565c7e |
| SHA1 | c1a5a862232e06451e8932af943f57432a2db0ed |
| SHA256 | 326c56e07a76581c2d598c5c6bdb761a9f19cfd38aec82ef5519f3808777d46c |
| SHA512 | 9a01b47afc66818078f02091fc88b690c04a727538fd28ad38f88504e1ad68a763c7b45ac76c4bfda30a5d43255b68293cf748585d527b7c819960c5130046ab |
memory/1416-2125-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2184-2126-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SIwE.exe
| MD5 | e999ecf1166da4e1f15e5da73f8e8b3a |
| SHA1 | 473d66655f106cdaade2e23fa623415f197ab668 |
| SHA256 | 3f26de0e540b64eacf7dda5734bdd4292a6199265d0615bb58c4cadc3e4242b2 |
| SHA512 | 107bb7f70ca79309a83951f1f7f01520e7291c456ce2e26856502b481c53f62a66a31e10f0db77448d744831303564e4d3d815e062c6df1a10c2770e9aef1738 |
C:\Users\Admin\AppData\Local\Temp\ekEK.exe
| MD5 | fd1ea5e42b8834f78b9717fa04010659 |
| SHA1 | 8d2ab09eda32b7cd60b5f5da73a11a51106f3f26 |
| SHA256 | cdb7e21a1b864092e16f0c85bff9038d43a86d375bb2fdaa4c0472649320d458 |
| SHA512 | f0192fbc8ad858b605b1bf2c510683de4aa4a89c3a71fb28f11c93f1dc904aa256ce5ea5cd4e28f752b4b199886a63ef39d1bd8b0aa2376d6078d58a2e0d41ce |
C:\Users\Admin\AppData\Local\Temp\mIkm.exe
| MD5 | ff0b736ec5d18d02952f50ef5282bf94 |
| SHA1 | e21f1b0bd4e47e52cc6cb14ca8725f5ba75f4b20 |
| SHA256 | 69caaf18f6009eed713e6eeb45bf62572bb43ebd7c950bc20447103ede36f729 |
| SHA512 | 4c9f490e5a59fb3e221ed5430831e50980c61b97caf83ea74c7782b370cdcc23833a022ea9d9248a5016216a3935a3b17893822fea1d12b2dd2273239dc658b6 |
C:\Users\Admin\AppData\Local\Temp\UYAy.exe
| MD5 | 1b5ed3edda4470eae27706251ca7e530 |
| SHA1 | fd440c36c556c68415cf9c454f8c4e874e5fc758 |
| SHA256 | 75eae00cbc7d06bbb01b75dff53df8e121b099a8b5af821446d8a6a21422c0b8 |
| SHA512 | cb3d82832b5ad344441442c207243957f904eed0308d898990bbc1ff71ef56013ec2c5366c515bbe4f7be2306fb61dacfffc288c7929e13bdeaefe032bc940a3 |
C:\Users\Admin\AppData\Local\Temp\eAUW.exe
| MD5 | c8c579578982fb15461e61c9cacd96ce |
| SHA1 | 10b9bd856cf295385f9e18fca20352110d4344e9 |
| SHA256 | 71d06c39ee8c3cc9629d4758d5de82ece87bf85319c16d93e22b00099a095da3 |
| SHA512 | 0280600f705cafdc47cf401460f8b21601ee1eda9492a9d341433dd4f2cc6a44d8a47ff9f018ea16e42cf1cebffc46b367dab102ec90da70fec869bce2658b18 |
C:\Users\Admin\AppData\Local\Temp\AEEu.exe
| MD5 | 01d1b43d3b66460865c200b71588ca4b |
| SHA1 | 1065a2cf0d86a5408d301c508ffb876c161098bd |
| SHA256 | 7a8227705c06ee2ba23c30e4ffacb2f345d37b1dcf7ff34e0626944fe9a2ac02 |
| SHA512 | 4667a62126b3008cb35510ee44d60b49ecd4f4010c521b8d639ec1a653f88ec3f3ae8b256fd2ab3475100a8ce5a6aa2097ccd045e9f9186a3146e99df94b5d75 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 1f1eb0d6c784de1c3bb77e96ddcb52ce |
| SHA1 | f07b7b4b983d6f5c9fc698a4482b27d39522ae21 |
| SHA256 | 6ca1de70d443fb74dca14975cf611e5e347c6b7d09f4314ba5f157f7ed967410 |
| SHA512 | d116316ddf72873afe8235142b810aa484b37af9457fbbca36854e26461b6e02b710fcafc1dea636231eecf8281a0dac863dc1961db5423b9354e94ca8b2d7be |
C:\Users\Admin\AppData\Local\Temp\GwYe.exe
| MD5 | 9e47a38ef245c39eeda4110dd0b47860 |
| SHA1 | 2a05b1660742472a71a1cebe3fc643c86356dc7d |
| SHA256 | bcaf7363bec4995d0a3d904db6ed2d88384d351bcad8af1725be0250a8a4d54d |
| SHA512 | 004b12eda63658fb2c38a2b3226c119dbc77a7dfcd3454a01d7d2fbce867c6d9d2b21bee2d85e3084e285277e14cf9fc3ae1e910e9513e976392c834135540dc |