Malware Analysis Report

2025-08-05 15:35

Sample ID 241031-y7bflstarb
Target 0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
SHA256 0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
Tags
discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

Threat Level: Known bad

The file 0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 20:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 20:25

Reported

2024-10-31 20:30

Platform

win10v2004-20241007-en

Max time kernel

3s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe N/A
N/A N/A C:\ProgramData\GYcscscY\uMoAcEks.exe N/A
N/A N/A C:\ProgramData\qIUMoEEc\WqAQMwIs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QcsQYQUs.exe = "C:\\Users\\Admin\\WaMcUYwo\\QcsQYQUs.exe" C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QcsQYQUs.exe = "C:\\Users\\Admin\\WaMcUYwo\\QcsQYQUs.exe" C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" C:\ProgramData\GYcscscY\uMoAcEks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" C:\ProgramData\qIUMoEEc\WqAQMwIs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\WaMcUYwo\QcsQYQUs C:\ProgramData\qIUMoEEc\WqAQMwIs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\WaMcUYwo C:\ProgramData\qIUMoEEc\WqAQMwIs.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\GYcscscY\uMoAcEks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe
PID 3648 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\ProgramData\GYcscscY\uMoAcEks.exe
PID 3648 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
PID 3648 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 3648 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 3648 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 1460 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 1460 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 1460 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 1460 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5044 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 1864 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
PID 5044 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\System32\Conhost.exe
PID 5044 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 5044 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe
PID 5044 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

"C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe"

C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe

"C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe"

C:\ProgramData\GYcscscY\uMoAcEks.exe

"C:\ProgramData\GYcscscY\uMoAcEks.exe"

C:\ProgramData\qIUMoEEc\WqAQMwIs.exe

C:\ProgramData\qIUMoEEc\WqAQMwIs.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQEYcsQY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUsYokAU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCIYcEMI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGAgoskE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmossgQY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TegUcUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeoAQgos.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoQIQoYc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgoEUkgk.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIQUwkIc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voMcYkgw.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQIoEEMU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWwEkwoE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMIEoQo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKQgAQEo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSEcMUoI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiwgUEIc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmwsowAc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IckUUQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWkMoksE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkYogswI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKoAUowM.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuwoAEYI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEsoUIck.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUMgowsI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsIQMAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogEcsYkY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piQcMQUY.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiEIEMYo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGAwocoQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiYcsAAA.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWowwcws.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eooQcwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YugQAUYI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsIAAYoo.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMgcwAwg.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmsYAsoU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGckYYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIwYUgss.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCswocwU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oukoYwIE.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcIsMQwA.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUUcwoMs.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POYEoAAU.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIEQsIgI.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIQkcEko.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYEYYAkk.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eewUoIEc.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIYQEAIs.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWgMQAws.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WewUUcIM.bat" "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe

C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Files

SHA512 ffaa330714469688ab561fb240a5bf172f164d8da331e5cd1623f4fcc050d613c95d8323693a41e81d80adf40d0e363c7bcd9100f43e321d875cf234f0a48437

C:\Users\Admin\AppData\Local\Temp\IYAy.exe

MD5 65b31b3e6b7d9bc39a872b60bfad26b6
SHA1 92043c420f1f72b1f4ccb1934ecec4b61b2ddb3f
SHA256 832e0bcd5cd5f5e7bcf8783e9a5faf173fcf9c85557489c5e3ef5aae6c8de824
SHA512 df67b01a5e815e5483075c924a225c4c0a7744ab49fb5fbf475d14c772eb2e6e9195dff24797860136086d279f750936b9ab0ca8c598e3aaa266298c44db8eb6

C:\Users\Admin\AppData\Local\Temp\kYkG.exe

MD5 40f755d1344921570dcf67acd49c0929
SHA1 0bd8569fa014cfa40ec79c0e7892bcc31a623006
SHA256 42cd23843d16df0a1f2ab197701bbd773ba886cd9890481d4f3e78e79eeb71d9
SHA512 9280fcb270d280b38c918119370c56fce550e5db320f614d2836a47cfaabfc12d7fa2ad5202b81d325095f2855bf0bfeb8d563f0a6ed4578d5456a4853983f70

C:\Users\Admin\AppData\Local\Temp\Qggo.exe

MD5 889914b559fc4bca79b7aa4d66c3533a
SHA1 67125d21d7110dc126e70b9529ca68f9341a0511
SHA256 27e822f0f9509089130818ff41bb12fada7595fb667c90d4020ea8973d71cbbf
SHA512 c04b62abf50680f6c7fbf17061f73386da5eeb994dbd29f6f0936b43658847dc481b79f98571bb83fe438ece80557cde4ce425ec7bc8c14d13eb0660433f8b11

memory/392-783-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mMgQ.exe

MD5 d3b7c673909181d5938b7e33678aaee3
SHA1 e7977620e830a403d7e7f330aab3d820e340b226
SHA256 f36378ca147e2cd9a4dc258046c629ae2d4d0bea787d24af9364d5dae5228c73
SHA512 95e8c3652e7ee3fc88abb050c0fc27d9348f497740d6c6406c1a77a31416b686d6e954dcd6b975ae8b26a364378eed02b571f10fb37de0bd2a551e3d699d37ee

C:\Users\Admin\AppData\Local\Temp\ukUM.exe

MD5 6a9e6431fb9280b4ab2dd9963167f6bd
SHA1 1b435272ede6f86777b1e742f01bf11f782de677
SHA256 38a8bfd33539cfebb4cc3ad4f088d0a6e2e9c568acbddb225ddd66b42acdf559
SHA512 1db20c5c25b51eb554b33878fe2d7c5e1458d2ac784d1ac0e92febb851d3ea9f46ea2aed52c84bced417345abc4e3152bdf0b92384ccb8e09c7fd159fc6bf2b8

C:\Users\Admin\AppData\Local\Temp\QIEE.exe

MD5 a7c0a0320dfde72a5ad562a8af438d52
SHA1 3d29e1fb000f3d404755936dc72fbd56070fee44
SHA256 c386ff7c6ab551dec57a27b5c8bc88a023a36621e0e2f5985c691a4f8e3461ea
SHA512 f16cdee1416d8070c3b04298043d6f407b5687d23d014fe38bb840a8585e9bee694d0e263ff2912187b11011070c6a9733b147779c36d30240867809b73041b3

C:\Users\Admin\AppData\Local\Temp\KoEA.exe

MD5 39f53957f3b348ba6ffe45642baa75d0
SHA1 89bd04b36f84e3fe984636c666c25e8d45dced4a
SHA256 7f44bf3be8b6982f3b3f0392c6e73b68b497a3321de3f9f45a040a70af5c80b5
SHA512 914783a2518d280f6c10c622fef27c9877b57d3207791de2854004923a2cfbc5e763ab87a5d33e0f9d787263ab787d7da672ddfd591775460637d6a52a669a21

C:\Users\Admin\AppData\Local\Temp\IcAc.exe

MD5 f23d60a85d668f62a2bbd3169906fd7a
SHA1 d81908384bb16b943126789bf86ab58019f21803
SHA256 bee0c934b0f6f72c02d00bcb5dffa32dd70bc2708020986d7dc5d5ded3bdbf22
SHA512 79e0d25980120a8f4d3f3e679ee16ab1299bebd8f7fa64172aeafe21967c37559f51a0bdaf55e1f999f35937fb8df1deb52c1a452b0e8486f84d4d46600fe18d

C:\Users\Admin\AppData\Local\Temp\uEAM.exe

MD5 57a18ce73d2ef974bf1001a479c3992c
SHA1 26f035f918054ca4ad660570bee27f0865f24540
SHA256 7134c45850ebfa95dba855311cca97ac33c50aa938a12fe67a831d0bfc330446
SHA512 edfca282e041888ea0b2458f497c2253dad759829e9003bd37ea7baf7af8bc2e86d6c119ecacce08b3c23515257736860226b308ae82e014375be1ecd15a5bef

C:\Users\Admin\AppData\Local\Temp\UwIk.exe

MD5 60c9dde076f29d84f7f9a57746fe12e2
SHA1 24666aeefcc03876275e77b581100e42b8629f4f
SHA256 e04a2755c8ac490d9fbab723c468066562d00cbb5dbf64969b34902855575dd9
SHA512 70bf5b6034d975a5beae0f28f3f6caf0ed8ed5f16d1dd9610ff19f6db0e13e3bc22325eec32f650cb8e5f3c3826c3657779cf1bfbd9490f1ae1e4a55731a3c6f

memory/4396-1041-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IYMA.exe

MD5 0b59bc851346cc8af70dfc4a29a15bb9
SHA1 a67d62bd7aee5e7c1a3aa4000d5ffadbb0ec4ce7
SHA256 6bd22049f7f3d31099ea7af1d2a1fb4900cdbe3e53fde749b850210a1e61552e
SHA512 fceaa4c5e010b44b88b25591e497fb853d746701fcccb4fde725d3d3525e362906896d70bcefe41de05e2fcb598a4aa7f1ea01b7af5cc71c711d002aed07d264

C:\Users\Admin\AppData\Local\Temp\mwoo.exe

MD5 14e62406b0a4d6c5752d477617023fee
SHA1 8e1f170e9052f4e901d906d212f918e50d6afe45
SHA256 1925b85622dd926b913866eb4e711cfd8dec87e7337abbd2031961c3ddc340ac
SHA512 8ef00dda570b57421d20f16c9e0de7e5285b1ae103a2b96e7877897a456851f6153f7641ab66d68cd2021c2a5977a7de10b4f45642e9cdc051e8c185009af37f

C:\Windows\SysWOW64\shell32.dll.exe

MD5 22e21fc2b3cae19a0187a4d816d53f98
SHA1 e5f99846c477676d9681a0e7f17dd388b29c0e1b
SHA256 fb037301fb78bd3e1de43981c20b8300ba9be276f520c5043fa8e8cd57446b38
SHA512 e107e59e35e6ede2ccc44d78b703116d69dd230e9928b19c7c5020577d70afb0c2346451a16bd73fc3685110457c024d8dfff153d69fdcbf71cf560750f9cb4d

C:\Users\Admin\AppData\Local\Temp\OAgk.exe

MD5 9d1c7cfe5b2528b7284dd2e325199f07
SHA1 367d69a2324160e38fe21e1e4db9b33756985d1c
SHA256 983458c075b9248fb827850355456b0958908e3f5c827e12cfc98faf6ded40be
SHA512 3ecf9127e70a838c59c700b69fb1ba6204a3bce6c69064bf3c57f7ef641c32f7e0fac8680ea5d162866306b37fe9615e36af5ebe3ba1b5ef245e92cda5970fcb

C:\Users\Admin\AppData\Local\Temp\YQki.exe

MD5 a0a91f2fc7ef9dc7826b2ce7011b3c12
SHA1 6f36deda7fb3d054e77fe97ae05d5a8e85d7e872
SHA256 b29435b50f4472dd5fe942860c2909601a6f4d7225600f2e339affeb47103ff4
SHA512 e28245a77d5b7d1486717e4ae23cf3c51010dacf5a98f1d97927805324321c005b4cede58b593d67caf07e52e170dbd1d1c71c98d3975a7daa2feb5325a469ed

C:\Users\Admin\AppData\Local\Temp\QgYg.exe

MD5 1c55fd3b1dc8691ffc7a22734bb81fc8
SHA1 20a8b2d2f037ddc82e93a836238f0dd5ab101fbb
SHA256 f68ddadd780f97f8cb24da3cee98cecdfe33a055f2853d8b2454f7d683d2fede
SHA512 2f148a29c68cd257740b00d621c6d3d2268a8feb02d0e8ebff0f1d237113fe0606765a14db026512f0f647b3bac2aa6da12568cfe9e90b1a8d35be4b9e7af04b

C:\Users\Admin\AppData\Local\Temp\uwQk.exe

MD5 8a450d4f89d3f59819e27c3f11a8dd43
SHA1 e26d58b16bee97d030750460aeaedcccb31ba24d
SHA256 0e307b2ba7da8a7014dd559fb57d85291167abe2103ad002aee6883a74eac17c
SHA512 8a5b5fae844b7f04a4e4640d721226d2375e19178485ed80b2d47d449a3088fb2761e76a90d4dd0fb3355c2f9c90ad86e55f68fba0b5c288557413ae8ab5d72c

C:\Users\Admin\AppData\Local\Temp\EQIo.exe

MD5 de13cea04d1ce5cf5a5d00f17a17408c
SHA1 ca420cb74e88e240bc489aad56d338b8576d4c96
SHA256 c200700b43411274a416f641538f27620e36d4e2ba2f3dfc493ad311ce89eca4
SHA512 4fb175a194b7bcf62e559ae84a418495cf1dd259afcf560f2e995e4920a912785e3853e6e365de628d3a115ca4b33b3c1de03682ca07b937bf9dc3b210c69370

C:\Users\Admin\AppData\Local\Temp\usgA.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\WEsi.exe

MD5 894ad4d4bb601b574f4ff96cc638cad4
SHA1 b444b8ff332147c74c941c744c00c9763477d520
SHA256 eb683ebcb6479c80a8dc236eecf9073e19f7a6a8020d17759490eb1f74ffd91e
SHA512 96cf4d5f3160915389a64025badb03e8b5514d8c8b2838836bc198b90c250542d1a629d1e9e3c40d8993480660eaab90882ebaf7aaebd0a8fbfd9fbe21a87c0a

C:\Users\Admin\AppData\Local\Temp\EwAs.exe

MD5 5a193afd5ebeb5fc700b8eff96957fba
SHA1 46f88e78125bed336bd99450d382f59a7c3c6a0b
SHA256 052870d672c62ea46ef8c39536894249a988028249a014b41b5472ab09e08154
SHA512 8cabc28c929c38ea0d556900a89f365bfb21e4614d2f477078d3a86681773c8a13cfb1d1d27c29a97d245ab23309f6e03c510ad5b477714da0fc8e0a3a6869a0

C:\Users\Admin\AppData\Local\Temp\QYwA.exe

MD5 573a1fb45157edfcff88ac544a9e799d
SHA1 986011fb2723a685d5cc6c6d0fb9e2151ba33a1f
SHA256 0d840756ad17ed88e9632c3d41d9d0afba78ba23f1d9049d8367b3c6b01c0196
SHA512 ef72d79a6947c0edeb151561077987fcf671e1700a63088b4c7016f0094f48eb3d9e8e407896dda5f6bf1265074d1d01a0c024c9fdaa77f75e7f2eafa8af94a7

C:\Users\Admin\AppData\Local\Temp\goQI.exe

MD5 6248eb2c286e427ce98390e8dff69d85
SHA1 be641dda4a528ec8061846d7815ea8617797db42
SHA256 f0b9b20088c3dc424dd522c03d4db06aa2e1abfff8120aa3484bd3c334083207
SHA512 2256d83a6ac094f83dca3816c7739dcd760b9d6dcfe095e4fa30deaff2c1236063eda45ad89f8b3f1b5589fd05af0d132f3433f2970fd553c690bccf2b7266d4

C:\Users\Admin\AppData\Local\Temp\sMQe.exe

MD5 a75acb9af74a917ac415cbe681ec7962
SHA1 17cdf95e613ff77ae4b009c9bf74b6c54430c4f0
SHA256 49cfa8b168bb1e4ff8e917b983882cd04f7d4e24d605d7d7d329d2922a799a6e
SHA512 d18afafcecb3757f71c437c68b3057dcf3380ff86cb14951659a40611dd7752cc2ae2933f1cb891ac59f1aa1143ba843124428e461cdbbabc0c0079f6243b0ac

C:\Users\Admin\AppData\Local\Temp\uIoO.exe

MD5 0bc5ef4d3a5db731d58955bbbe217757
SHA1 228113dbb1e0a59686b2aa251d63187185c6c7b8
SHA256 08f4028cc1fe5ec03f32191a3b00148b62cb30e7b3bff83bce8ed4018c6f351b
SHA512 f02c052091f2b898371ce038bc12903666c56212d745788f61ebfc8775487b3d67f149373c8aa4755782b302e6ec47dffe4c29331fc98fbf084ff28f7db270dd

C:\Users\Admin\AppData\Local\Temp\OoMM.exe

MD5 40f427417ae5614b656b1de9bfe60b8d
SHA1 d963bbe0ef9139f1f0cb737d242df12f458ddd38
SHA256 7b80e18dae2d68b5169fcdd78c67f26acdbed865aa71749e04a0ba76a8a90ff1
SHA512 2d2d471ae7ff8a0a66ca6d0682634371a1642a051d94f52fb56c5fcd26245f309576215913b22165f7c513a187237b8674d969b6bc533b7dc1356820dfb72698

C:\Users\Admin\AppData\Local\Temp\wIAo.exe

MD5 cf953ca33c2847be95ed09b36dc458cf
SHA1 918f02cd6af80836986c9e28327407ba5cbf4c04
SHA256 3520c9c99161f3f357759582753c1918f5661e5fa8ea9a01ac445fd7e9df04e3
SHA512 873ae3bc975b7361f85762ae8959a633efd76caf73463e875020b2f3d85dc72866cfa96d8b1a4875438b6ad73dfaa09527ba21fd224a8cc71382e92f0b3ab917

C:\Users\Admin\AppData\Local\Temp\cQYq.exe

MD5 340c5d8e6093af311c28a71c7851c7c6
SHA1 313f358f2548a91fe39da9596dcae9998d46b4cc
SHA256 f212dc47f5f334cceb2e14ae4c04a0c4c5add401438c0114589ba2d33526d474
SHA512 f36c546b82c14efb8419405910aa34c128b1046786e19daed2bb6fe9f7810c13ef24beb70ff96823b03e418ac72368f8801d8043f55ad90dcffdb311aa16da26

C:\Users\Admin\AppData\Local\Temp\SwoK.exe

MD5 756c0ce0ae7f9ae33f2edd955cd2605b
SHA1 32d969952fcbc0a79d732e4b320f7c27aa73ea82
SHA256 4abea4092fd7c4015844d3373b8902718c9b02ee8797bafaa28919a0cfc3a7b2
SHA512 8b4c50935bad655250210ef0bf79496ae03c4a85bc4134282c39fe229a31808f8071eb9e130613f5f71fc35490660d96e260b09f56a142397f8d957eb8636a5e

C:\Users\Admin\AppData\Local\Temp\KIoK.exe

MD5 268013dd156f5b2fa517f097720749c3
SHA1 d5028ceb63e2e59cda2760537647d8d7595859d4
SHA256 4e04f43b2c842b05f63cb766d53c51050d9695d40ab8057120a28a92d139aa7c
SHA512 fc869ad03731a3fff9d09ade9c5619986132abc0807f82e7613d885c0e1c320b234e3e271d190364cac9104baf62f0416ab315447de130373b7c3fe0129c4897

C:\Users\Admin\AppData\Local\Temp\Awcm.exe

MD5 ebd0b7ac62e209b1bb3ee1e4386cdc90
SHA1 031c95b43820b56d3e923996b2e82d7866f2043d
SHA256 b83f5f3c815f43cc1dafc33e488edd84c9c1b095c646a09ea91c28fbd5f8b53e
SHA512 56e88ce5eee4f6cbf8c430c44b52fa257eaed3864ba491f0e1927b7d191e9857f09022d564548ab0f4e4572382a0882e46146d25482d3059053118655d9e4517

C:\Users\Admin\AppData\Local\Temp\ggoq.exe

MD5 5712db6b2992357d100b4dc688946e18
SHA1 9682b558070448ae12ed623c47e326796ed5d3cf
SHA256 c8ef2904cce1ecdb3ca0d13b0f2ed177f0b912d00b9b99ff28a6122a4b4c925a
SHA512 f08e2a13933b20f113f977622eae788b3e7531ea66ca2413ccac7e3bf2ef352b0a5c237c085ad7790d7d25f45f6c31eccedbf3e2c2cbaff2acfa8f9e5f0a0bf9

C:\Users\Admin\AppData\Local\Temp\kYoG.exe

MD5 134fdc06663ab8f1210d2aed9e37858f
SHA1 5a679210907ecbbd19f566d418a7382c40fb3e29
SHA256 248466841ac9a52d0941b1b4b5e603e4fdf148d17818143d15829e0241e641e8
SHA512 b444c0a8fbf238a1cf50dea60dc22d8c53a426f9e1c0dba21bc0292707d5df3fa7863795acbe5ea818d01dabea76b07e33272329f301e44cd476a51cdafdd30e

C:\Users\Admin\AppData\Local\Temp\McYG.exe

MD5 52400229ca82323709f42b864c30cdef
SHA1 b4eb59cb6720baf9e9c8732dba5422d985774e14
SHA256 6ed8325e636473e4336da1fad078e648536c9c203aa879a073ee4ad7d704953f
SHA512 1ae03f6cd55ef9cef9a1be88376d3aa6d923cb782bbe9a2197896fb217b11f89b35120636816e81dc818f03334eca3a84fca7e82a4dbb2a5fbec2155ab3af5b3

C:\Users\Admin\AppData\Local\Temp\iIMQ.exe

MD5 67801357fa0234c9046166ac647dd0d6
SHA1 a83a1b102273a045422db70a899fbb7b7af7aa64
SHA256 2557a4191b502c261e6c9d40e50933b6a4b06957a747170bb08879fd18952da3
SHA512 b194747c4653ed7e0dbe09a5e09ebfb9e6ac9ad1b0cff8cb315ec2b0b0891809bccb607bf41c5d862ce9b489ec35e95b628489997ee9e88f0af0cc94c7e8e4ce

C:\Users\Admin\AppData\Local\Temp\eAYo.exe

MD5 4ab7806267b8c0e3bb434f89d0e01e22
SHA1 2c062c39c63a2d663856e6d0bb2f45053cf2495f
SHA256 6f12287fe897a157dea323963089af231558254793c5375bf1abee28865834f7
SHA512 ff79a9984835c2e772a3539cf383256e636b19e5bc3dbfb4e60101431c88949839948c3d0593a5651102bccb020be3b61a084be8e19144141ae715862e6154b6

C:\Users\Admin\AppData\Local\Temp\AwIY.exe

MD5 4218bfa85892297919d3f0b73b70f6e5
SHA1 51d6f502df2fb2664624124ce39710cb7ea36cae
SHA256 5acd4ed0e6e2426ff00bea0efe990e17c51f3ed7b58af08bb1837e1a1217b8b5
SHA512 f40e46d2184dc0e7792bd814b75e783b424978863f2c268a02d81b36f3fe826ba4616b308f991cccef5bdd0ed86259de7a4ef04d052b6a94e84599ae4be01620

C:\Users\Admin\AppData\Local\Temp\AEIU.exe

MD5 0122598825018221c3272d931f3a2112
SHA1 bb0c8f869e75337c342713baa97f1e12efae069f
SHA256 b953505fb5e18586d9084a6a8cc7cd2d838a9f85583f82e80dd664b71aefafa4
SHA512 cd5a79a30a07907a97ee1049b3d48c18e8410b13911e8a8fb1be1571ab4e7e68adf4837288cff70e3333cb83f4461b64caa99c5f06c3139272bd621980ceefe8

C:\Users\Admin\AppData\Local\Temp\MQsa.exe

MD5 09123d6a4c152a08d71123ff9760da9b
SHA1 be6e1c80e332e68720e1c310f795273347fc6172
SHA256 2fc31c85dd38bed66bcc4846be817ae3d3bc24087c2e15ada8e1aa164af5a95d
SHA512 7a1a9285dba9e8fdf9f348fcefe77587503b86e15e7301ec6467c2268d4d55c84d5681f4fe847f70e8ed9efa0ddfc137a7f6dec4202a711ffd54907c675d892b

C:\Users\Admin\AppData\Local\Temp\CsoG.exe

MD5 ab6f3840f8bfecc5454f08ccbbf5f27f
SHA1 343b1c0c1bb98b4b0863f68f98736d5280e408ad
SHA256 ec7eb5d3969dd41460778ea9a45c860a4faacdec733873f3f81b72e61cdb11a3
SHA512 e389a1bb6f7c3b017514cc466bdf3ca93337aa7c6460c78219ebb9842ccf21d199b1efe5b2076a3df778ed37668650aacba0d96c44984df1f341b4729b988a10

C:\Users\Admin\AppData\Local\Temp\IQYm.exe

MD5 859ff7aaa7ad85067fcb9712bf31ad34
SHA1 4d762889ed2a014b492226cdd30436c69a075aff
SHA256 4fb759eb46b1d646389a6f52afae01c3e7d3879c49b83c15429566e1fdb63018
SHA512 4abb9d94c9bcbb07183d87ad6539852596c81d8cf27d4d6a57993c3361ed46104f92e6539eb1fb93c539409c4fc87db5e8fa87a774d5007bd6290a3bbe445298

C:\Users\Admin\AppData\Local\Temp\wQsG.exe

MD5 f3a1e8aa36c3ebf4f5673e1438707741
SHA1 9759ae36d748d5ef37c4c231a50a74666bf5a123
SHA256 c182f01b17c761cfdf13e1a895debc8c6f087fe89c033c75136f563796c41899
SHA512 785ef9acbb7b58bb45b0daf08a0d092d27972189dd8eb685f4f08ff0e70eb2fe6d589f83f7a41dfefc048482073ccfc40870fc16577f6a56c5ef00c32230fe28

C:\Users\Admin\AppData\Local\Temp\AMMa.exe

MD5 e5fa703bd01f775c55555f589e8590c7
SHA1 bc17fdc671a801c6f52cde447f201423605025c5
SHA256 df37738bdde79fce5d700b32f8840bbe46fb50f734eb72682d626a1e1039336a
SHA512 d0e922ce74d2eb2c4b1f4c4e64fa9243afe967f0bce32d51d2fdf50a10b765d02a989af87889c9d5e74b0d14a481e665e8c0d0b6ff99a53c0df893a8f87f1924

C:\Users\Admin\AppData\Local\Temp\wsAI.exe

MD5 9a4813db3790831c1c04cb257e74cb07
SHA1 be1d1a408c8d31020b25d8b829afe2711aeff121
SHA256 aba3b6ff948ce303d69d927b31c0585979ad9e694904147732cdd8f5345dd684
SHA512 6b3e875baddeb929e7650f2556bd17178a7e38b2badf3f5e5a52dc459cc330f19de68ea6f38b83d854510ac78817c0fecc7e828b07814833fb583e45ea68bdb8

C:\Users\Admin\AppData\Local\Temp\QcUo.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\AgsO.exe

MD5 debd7e69309813b368859e2bebb6699a
SHA1 986a3db2227c810513d5ee9292c22466269adb91
SHA256 1832e1d1d177780044e9e4cc8d4f9e650018447d87a675f2ff6168f79514b03f
SHA512 9d7cbc0f200bd5dd63188259348603d7ce069106ef2177db3236cbdc0d5fec26d87c83c8ed489620b35745ad5e5b3cb2469c19e1c0e08eade08906c0856057ca

C:\Users\Admin\AppData\Local\Temp\GgIi.exe

MD5 9e800fd1d1db1db8acf03c6fe1fd3fdb
SHA1 b975749e342cf0ef3078da1c94fe357e251b07d1
SHA256 ffc3923886dd10bb2c574ac06cf50abe040948f071c66298c54db81f815d469d
SHA512 bbd388decfa15239f475a77aa05250060efd308c90e59668206ce4d0641b909a310b3e31beae2285153881b2828e3a917f76270e93dc28a3abdd200ab8c5b697

C:\Users\Admin\AppData\Local\Temp\cgsK.exe

MD5 3110b75237117f04be81825fb6731437
SHA1 090f74a37c3874d74ffe387f0e73672ad2624b3c
SHA256 9a51307ef8c5c2332f28540ee6a8be0d79adecfc5d175fc63ed7a21beac57bd3
SHA512 789ee9b309dfc55bee0e45c64a7fd8c0fe6dbda133ba5ac8b109a21e521e06e565a6863c6042c6fb0403d0a86fea2b5379ad9a9b6fa9accd4067d7aa69f10630

C:\Users\Admin\AppData\Local\Temp\kEoO.exe

MD5 38650f557a08ecd157d982c92d360c88
SHA1 a592287b8f56b3049ee4d3b9fab33dc43af7ef4e
SHA256 ee8f4e6786bdc1d003c9e7c49ea0111e00e9e386f1e118665228b93e4b90a3a5
SHA512 675557b9ce99a2ebdc8293048c405e6ba0bceafb526bf99ed2cec83b7cbdc9533e35ff2b230794205fb022782f665bc828a0792276175e5d6953921c76ba5631

C:\Users\Admin\AppData\Local\Temp\OcMG.exe

MD5 bacccfc7b822f0ce4e6f60658a7fcaae
SHA1 5d13ae300a4dd112349e371bdfd5884abe06ba2a
SHA256 160c3c8c2d46469c361a4280780e7112bdac69eba64b5bef539bdc797a2eef72
SHA512 225720d9524d611018e05484c8223961797288d3db6f0e365e67a99447b9cee9214ef8a9598b97c6d5c87af2719be1537291ace2a6472d1b8a52a4356ea02637

C:\Users\Admin\AppData\Local\Temp\qkIK.exe

MD5 6e0cf2982d285c0ce7f86b6fc47927cc
SHA1 463b753eb9357d6fff55d36265daac237d137492
SHA256 eabde6fcb2d1c5b454886ad4fc03d223c9a84b08ae1f2632c078be87a4d94d45
SHA512 b3120dea15fc8f45a1cf2bef9ec9069380bcbde39de3cd1413214d7a4b608aca462c67136b707fdee4eca9da17fcedad96b60667fb1a41ae7b1a6d51f13f5673

C:\Users\Admin\AppData\Local\Temp\wEoY.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\KEYM.exe

MD5 aca4493c8f02f23a5494f415cb63994f
SHA1 482ebf9fbd843113c75f5819f9b25f93566d1bf7
SHA256 c02cf0821fe125418e759d074d34988a91ed57205d82d0b1ff56e647473fe9d8
SHA512 23ddb65310d3c147ab164cebd5a22446d26c7871de1aa613719f58506eab56f773bff2bd1708d614dcbedcf6592f9ef29a804a1d2e7fa42b216e9699015f394d

C:\Users\Admin\AppData\Local\Temp\kAoS.exe

MD5 d693470daeca2b177bdc5e3efd7ab3ca
SHA1 81ad4da9cf69c90f33a5e0e9ffcc29d8fec83481
SHA256 32388c32e6e0223b8e2aa74106036ecdfee40dbd937ba85ed2acf5137511bafb
SHA512 8cd9f094fe0201b88fa208fb66d81cb7bc11fbe5fcd4978615691b9363f5ac48b4a1ebda48107a8f7228c4e905bc34b9fe38da2e3d32aadb55e0e9937ae8a8f4