Analysis Overview
SHA256
0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
Threat Level: Known bad
The file 0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-10-31 20:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 20:25
Reported
2024-10-31 20:30
Platform
win10v2004-20241007-en
Max time kernel
3s
Max time network
113s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe | N/A |
| N/A | N/A | C:\ProgramData\GYcscscY\uMoAcEks.exe | N/A |
| N/A | N/A | C:\ProgramData\qIUMoEEc\WqAQMwIs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QcsQYQUs.exe = "C:\\Users\\Admin\\WaMcUYwo\\QcsQYQUs.exe" | C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" | C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QcsQYQUs.exe = "C:\\Users\\Admin\\WaMcUYwo\\QcsQYQUs.exe" | C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" | C:\ProgramData\GYcscscY\uMoAcEks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" | C:\ProgramData\qIUMoEEc\WqAQMwIs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\WaMcUYwo\QcsQYQUs | C:\ProgramData\qIUMoEEc\WqAQMwIs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\WaMcUYwo | C:\ProgramData\qIUMoEEc\WqAQMwIs.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\GYcscscY\uMoAcEks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
"C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe"
C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe
"C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe"
C:\ProgramData\GYcscscY\uMoAcEks.exe
"C:\ProgramData\GYcscscY\uMoAcEks.exe"
C:\ProgramData\qIUMoEEc\WqAQMwIs.exe
C:\ProgramData\qIUMoEEc\WqAQMwIs.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQEYcsQY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUsYokAU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCIYcEMI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGAgoskE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmossgQY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TegUcUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeoAQgos.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoQIQoYc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgoEUkgk.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIQUwkIc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voMcYkgw.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQIoEEMU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWwEkwoE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMIEoQo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKQgAQEo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSEcMUoI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiwgUEIc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmwsowAc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IckUUQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWkMoksE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqYAwssE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgEEUsUM.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOgAIMAY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUQswQIA.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWwEUYsY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYwEEMsk.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEoQYooQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoYwQIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scYwEMMY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOYkYQkw.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkIQwsYA.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siEwoQAM.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCAEkcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCgUUwcs.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQEMUEgo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgYIwgoM.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAcwsAco.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCEQgokU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZikggwIc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgEgwgko.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIcUYsIc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMogIYQo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEIIYMsU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGIEMsII.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsIAAYoo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMgcwAwg.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmsYAsoU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGckYYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIwYUgss.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCswocwU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oukoYwIE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcIsMQwA.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUUcwoMs.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POYEoAAU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIEQsIgI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIQkcEko.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYEYYAkk.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
Files
| SHA1 | 986a3db2227c810513d5ee9292c22466269adb91 |
| SHA256 | 1832e1d1d177780044e9e4cc8d4f9e650018447d87a675f2ff6168f79514b03f |
| SHA512 | 9d7cbc0f200bd5dd63188259348603d7ce069106ef2177db3236cbdc0d5fec26d87c83c8ed489620b35745ad5e5b3cb2469c19e1c0e08eade08906c0856057ca |
C:\Users\Admin\AppData\Local\Temp\GgIi.exe
| MD5 | 9e800fd1d1db1db8acf03c6fe1fd3fdb |
| SHA1 | b975749e342cf0ef3078da1c94fe357e251b07d1 |
| SHA256 | ffc3923886dd10bb2c574ac06cf50abe040948f071c66298c54db81f815d469d |
| SHA512 | bbd388decfa15239f475a77aa05250060efd308c90e59668206ce4d0641b909a310b3e31beae2285153881b2828e3a917f76270e93dc28a3abdd200ab8c5b697 |
C:\Users\Admin\AppData\Local\Temp\cgsK.exe
| MD5 | 3110b75237117f04be81825fb6731437 |
| SHA1 | 090f74a37c3874d74ffe387f0e73672ad2624b3c |
| SHA256 | 9a51307ef8c5c2332f28540ee6a8be0d79adecfc5d175fc63ed7a21beac57bd3 |
| SHA512 | 789ee9b309dfc55bee0e45c64a7fd8c0fe6dbda133ba5ac8b109a21e521e06e565a6863c6042c6fb0403d0a86fea2b5379ad9a9b6fa9accd4067d7aa69f10630 |
C:\Users\Admin\AppData\Local\Temp\kEoO.exe
| MD5 | 38650f557a08ecd157d982c92d360c88 |
| SHA1 | a592287b8f56b3049ee4d3b9fab33dc43af7ef4e |
| SHA256 | ee8f4e6786bdc1d003c9e7c49ea0111e00e9e386f1e118665228b93e4b90a3a5 |
| SHA512 | 675557b9ce99a2ebdc8293048c405e6ba0bceafb526bf99ed2cec83b7cbdc9533e35ff2b230794205fb022782f665bc828a0792276175e5d6953921c76ba5631 |
C:\Users\Admin\AppData\Local\Temp\OcMG.exe
| MD5 | bacccfc7b822f0ce4e6f60658a7fcaae |
| SHA1 | 5d13ae300a4dd112349e371bdfd5884abe06ba2a |
| SHA256 | 160c3c8c2d46469c361a4280780e7112bdac69eba64b5bef539bdc797a2eef72 |
| SHA512 | 225720d9524d611018e05484c8223961797288d3db6f0e365e67a99447b9cee9214ef8a9598b97c6d5c87af2719be1537291ace2a6472d1b8a52a4356ea02637 |
C:\Users\Admin\AppData\Local\Temp\qkIK.exe
| MD5 | 6e0cf2982d285c0ce7f86b6fc47927cc |
| SHA1 | 463b753eb9357d6fff55d36265daac237d137492 |
| SHA256 | eabde6fcb2d1c5b454886ad4fc03d223c9a84b08ae1f2632c078be87a4d94d45 |
| SHA512 | b3120dea15fc8f45a1cf2bef9ec9069380bcbde39de3cd1413214d7a4b608aca462c67136b707fdee4eca9da17fcedad96b60667fb1a41ae7b1a6d51f13f5673 |
C:\Users\Admin\AppData\Local\Temp\wEoY.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\KEYM.exe
| MD5 | aca4493c8f02f23a5494f415cb63994f |
| SHA1 | 482ebf9fbd843113c75f5819f9b25f93566d1bf7 |
| SHA256 | c02cf0821fe125418e759d074d34988a91ed57205d82d0b1ff56e647473fe9d8 |
| SHA512 | 23ddb65310d3c147ab164cebd5a22446d26c7871de1aa613719f58506eab56f773bff2bd1708d614dcbedcf6592f9ef29a804a1d2e7fa42b216e9699015f394d |
C:\Users\Admin\AppData\Local\Temp\kAoS.exe
| MD5 | d693470daeca2b177bdc5e3efd7ab3ca |
| SHA1 | 81ad4da9cf69c90f33a5e0e9ffcc29d8fec83481 |
| SHA256 | 32388c32e6e0223b8e2aa74106036ecdfee40dbd937ba85ed2acf5137511bafb |
| SHA512 | 8cd9f094fe0201b88fa208fb66d81cb7bc11fbe5fcd4978615691b9363f5ac48b4a1ebda48107a8f7228c4e905bc34b9fe38da2e3d32aadb55e0e9937ae8a8f4 |